Re: Watching for RWW breakins



We're using a D-link firewall router plus SBS Basic Firewall. Unfortunately,
the D-link only logs rejected attempts at access, not allowed ones.

So, once someone finds the RWW openings in our firewall, how do I spot that
they've successfully made an illegitimate logon to our server, out of the
thousands of legitimate ones?

"Leythos" wrote:

> In article <4F2F5160-EEAF-4E48-AA16-46C807625281@xxxxxxxxxxxxx>,
> jjjdavidson@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> > I'm nervously configuring RWW for our SBS 2003 Standard server (2 NICs &
> > router). I'm doing everything I can find to protect it, including changing
> > the Administrator account name, setting really obnoxious passwords, setting
> > IP address filters in the router, and forwarding a nonstandard port to 443
> > for HTTPS access.
> >
> > My question is: How do I tell if I'm unsuccessful? Other discussions here
> > have emphasized monitoring the security log, but what on earth do I watch
> > for? On our little network (~10 workstations) the security log gets 25-40K
> > entries per day; I had to increase the log size to 100Mb to hold a week's
> > activity. In the last 24 hours, it shows 11,500 event 540 (successful
> > network logon) including about 100 Administrator logons, many of them in the
> > middle of the night. Is there a way to filter the security log to sort out
> > RWW logons? Is there something else I can be monitoring?
> >
> > (Put me down as one more vote for being able to block Administrator from RWW.)
>
> What firewall are you using?
>
> If you have a firewall or router doing NAT, you can have the logs
> shipped to the server and then monitor the logs for connections that
> actually make it inbound.
>
> I would never connect a server, even with ISA, to the public internet
> without a proper border firewall appliance in place.
>
> While I don't recommend a NAT Router (as they are not firewalls), even
> the simplest NAT router will protect your server from unsolicited
> intrusions. If you run Exchange and Outlook Web Access, you only need to
> allow SMTP and HTTPS inbound through the router (as you should NOT be
> running OWA in non-ssl mode). If you have users that are VPN'ing into
> the server you will also need to forward 1723 (and sometimes, depending
> on the router, 47) inbound to the server.
>
> We see several thousand attempts to connect each day, most are blocked
> by our firewall before they even get near the servers.
>
> --
> --
> spam999free@xxxxxxxxxx
> remove 999 in order to email me
>