Re: Watching for RWW breakins
- From: Susan Bradley <sbradcpa@xxxxxxxxxxx>
- Date: Thu, 19 May 2005 12:05:31 -0700
It's a certain login code... and once they've connected you get a "successful"... but if your password is as good as you say it is... it would take a huge amount of brute force.
jjjdavidson wrote:
We're using a D-link firewall router plus SBS Basic Firewall. Unfortunately, the D-link only logs rejected attempts at access, not allowed ones.
So, once someone finds the RWW openings in our firewall, how do I spot that they've successfully made an illegitimate logon to our server, out of the thousands of legitimate ones?
"Leythos" wrote:
In article <4F2F5160-EEAF-4E48-AA16-46C807625281@xxxxxxxxxxxxx>, jjjdavidson@xxxxxxxxxxxxxxxxxxxxxxxxx says...
I'm nervously configuring RWW for our SBS 2003 Standard server (2 NICs & router). I'm doing everything I can find to protect it, including changing the Administrator account name, setting really obnoxious passwords, setting IP address filters in the router, and forwarding a nonstandard port to 443 for HTTPS access.
My question is: How do I tell if I'm unsuccessful? Other discussions here have emphasized monitoring the security log, but what on earth do I watch for? On our little network (~10 workstations) the security log gets 25-40K entries per day; I had to increase the log size to 100 MB to hold a week's activity. In the last 24 hours, it shows 11,500 event 540 (successful network logon) entries, including about 100 Administrator logons, many of them in the middle of the night. Is there a way to filter the security log to sort out RWW logons? Is there something else I can be monitoring?
(Put me down as one more vote for being able to block Administrator from RWW.)
What firewall are you using?
If you have a firewall or router doing NAT, you can have the logs shipped to the server and then monitor the logs for connections that actually make it inbound.
I would never connect a server, even with ISA, to the public internet without a proper border firewall appliance in place.
While I don't recommend a NAT Router (as they are not firewalls), even the simplest NAT router will protect your server from unsolicited intrusions. If you run Exchange and Outlook Web Access, you only need to allow SMTP and HTTPS inbound through the router (as you should NOT be running OWA in non-ssl mode). If you have users that are VPN'ing into the server you will also need to forward 1723 (and sometimes, depending on the router, 47) inbound to the server.
We see several thousand attempts to connect each day, most are blocked by our firewall before they even get near the servers.
-- 
spam999free@xxxxxxxxxx (remove 999 in order to email me)
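As an added example (not code from anyone in this thread), the script below does the two things the thread asks for: it sifts exported event 540 records down to the logons worth a second look (the watched account from outside the LAN, with no source address recorded, or outside business hours), and it cross-checks them against a border router's accepted-inbound log, which is what Leythos suggests shipping to the server. Everything site-specific is an assumption: the LAN range, the business hours, the forwarded port (4443 standing in for the "nonstandard port to 443"), the CSV layout of both logs, and the sample lines themselves, which are constructed for the example. The D-Link in the thread only logs rejected connections, so the router side assumes a device that can log accepted ones.

```python
"""
Added example, not part of the original thread: triage event 540 (successful
network logon) records and correlate them with a router's accepted-inbound log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumptions for this example (not facts from the thread).
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
BUSINESS_HOURS = (7, 19)          # 07:00 to 19:00 local time
RWW_FORWARDED_PORT = 4443         # stand-in for the non-standard port forwarded to 443
WATCHED_USERS = ("Administrator",)
MATCH_WINDOW = timedelta(minutes=5)

# Constructed sample of exported security-log records, one per line:
# time,event id,user,logon type,workstation,source network address.
# Field names follow Windows Server 2003 event 540; the CSV layout is an
# assumption for this example. "-" means no address was recorded.
SAMPLE_EVENTS = """\
2005-05-19 02:13:05,540,Administrator,3,SBSSERVER,192.168.1.5
2005-05-19 02:14:11,540,jdavidson,3,WS07,192.168.1.23
2005-05-19 03:40:52,540,Administrator,3,SBSSERVER,203.0.113.77
2005-05-19 10:05:00,540,Administrator,3,SBSSERVER,192.168.1.5
2005-05-19 11:30:17,540,Administrator,3,SBSSERVER,-
2005-05-19 22:48:33,538,Administrator,3,SBSSERVER,192.168.1.5
"""

# Constructed sample of a router's accepted-inbound log: time,source,dst port.
SAMPLE_ROUTER_LOG = """\
2005-05-19 03:40:10,203.0.113.77,4443
2005-05-19 14:02:51,198.51.100.9,4443
"""

@dataclass
class Logon:
    when: datetime
    event_id: int
    user: str
    logon_type: int
    workstation: str
    source: str

@dataclass
class RouterAccept:
    when: datetime
    source: str
    dst_port: int

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_events(text):
    """Parse the assumed CSV export into Logon records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, user, ltype, ws, src = line.split(",")
        out.append(Logon(_ts(when), int(eid), user, int(ltype), ws, src))
    return out

def parse_router_log(text):
    """Parse the assumed accepted-inbound log into RouterAccept records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, port = line.split(",")
        out.append(RouterAccept(_ts(when), src, int(port)))
    return out

def is_lan(addr):
    """True only for a parseable address inside one of the LAN networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # covers "-" and anything else unparseable
        return False
    return any(ip in net for net in LAN_NETWORKS)

def find_suspicious(logons, accepts):
    """Return the watched-account logons that deserve a look, with reasons."""
    findings = []
    for e in logons:
        if e.event_id != 540 or e.user not in WATCHED_USERS:
            continue
        reasons = []
        if not is_lan(e.source):
            reasons.append("source outside LAN" if e.source != "-"
                           else "source address not recorded")
        if not (BUSINESS_HOURS[0] <= e.when.hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        # A router accept on the forwarded port from the same address shortly
        # before the logon ties the event to an inbound Internet connection.
        for a in accepts:
            if (a.source == e.source and a.dst_port == RWW_FORWARDED_PORT
                    and timedelta(0) <= e.when - a.when <= MATCH_WINDOW):
                reasons.append(f"router accepted inbound from {a.source} "
                               f"on port {a.dst_port} shortly before")
                break
        if reasons:
            findings.append({"when": e.when.isoformat(sep=" "), "user": e.user,
                             "source": e.source, "reasons": reasons})
    return findings

def run_example():
    return find_suspicious(parse_events(SAMPLE_EVENTS),
                           parse_router_log(SAMPLE_ROUTER_LOG))

if __name__ == "__main__":
    for f in run_example():
        print(f["when"], f["user"], f["source"], "; ".join(f["reasons"]))
```

On the constructed sample this reduces six records to three findings: a night-time Administrator logon from a LAN address (worth knowing about, even if it turns out to be a scheduled job), one with no source address recorded, and one from a public address that the router had just accepted on the forwarded port, which is the case the thread is really worried about.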