RE: ISA intrusions?



Hi Mbw,

Thank you for posting in SBS newsgroup.

From your problem description, I understand this issue to be: you receive
security event 529 on your SBS 2k3 server. If I have misunderstood your
concerns, please do not hesitate to let me know.

As far as I know, logon type 10 is interpreted as RemoteInteractive. When you
access a computer through Terminal Services, Remote Desktop or Remote
Assistance, Windows logs the logon attempt with logon type 10, which makes it
easy to distinguish true console logons from a remote desktop session. Note,
however, that prior to XP, Windows 2000 does not use logon type 10, and
Terminal Services logons are reported as logon type 2.

Do you know the Source Network Address 216.194.37.85? If you do not recognize
the address, the issue may be caused by a dictionary attack to crack the
administrator password. So the result could be that someone was trying to log
on to your SBS server through Remote Desktop via port 3389 with different
username and password combinations, but failed.

Regarding this situation, I would like to give the following suggestions:

1. Please enforce a strong password policy and make sure passwords are
well managed throughout your network. Implement strong password policies.
Open the 'Server Management' console and navigate to the Users snap-in. In the
right panel, click 'Configure Password Policies' and enable the password
policies.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

2. Close port 3389 on your hardware router or in your SBS 2k3 ISA/Basic
Firewall configuration. Port 3389 is necessary for the Remote Desktop
connection. By disabling this port, bad guys can no longer initiate a
remote desktop session and try the dictionary attack. For administering
the SBS server, I would suggest you access the server through the RWW
portal. By logging on to RWW first and then logging on to the SBS server
remotely, traffic actually goes through port 443 and the 4125 proxy port. This
can successfully prevent a robot dictionary attack on port 3389.

3. More information:

Securing Your Windows Small Business Server 2003 Network
http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc

If you have any questions or concerns related to this issue, please let me
know.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "mbw" <mbwm34@xxxxxxxxxxxxxxxxxxxx>
| Subject: ISA intrusions?
| Date: Mon, 28 Aug 2006 10:53:42 +0100
| Lines: 31
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
| Message-ID: <eS#eWfoyGHA.1304@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: arabesk.plus.com 212.159.98.137
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:293446
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| On fully patched SBS2003 premium, noticed these log entries: - any cause for
| concern?
| -----------------------------------------------------
| Logon Process: User32
| Authentication Package: Negotiate
| Workstation Name: NACES01
| Caller User Name: NACES01$
| Caller Domain: AUCWC1
| Caller Logon ID: (0x0,0x3E7)
| Caller Process ID: 1700
| Transited Services: -
| Source Network Address: 216.194.37.85
| Source Port: 49300
|
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name: Administrator
| Domain: AUCWC1
| Logon Type: 10
| Logon Process: User32
| Authentication Package: Negotiate
| Workstation Name: NACES01
| Caller User Name: NACES01$
| Caller Domain: AUCWC1
| Caller Logon ID: (0x0,0x3E7)
| Caller Process ID: 7016
| Transited Services: -
| Source Network Address: 216.194.37.85
| Source Port: 49299
|
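The reply above explains that logon type 10 marks Remote Desktop logons and that repeated event 529 failures from a single outside address, cycling through user names, look like a dictionary attack. As an added example (not code from either post in this thread), the Python script below parses a text dump of event 529 bodies in the same "Field: value" layout the original poster pasted, groups the failures by Source Network Address and logon type, and flags any source with repeated RemoteInteractive failures. The "Logon Failure:" record delimiter, the EXAMPLEDOM/SBSBOX names, the 203.0.113.7 and 192.168.16.20 addresses and the threshold of five are all assumptions or constructed sample data, not values from the thread.

```python
"""Triage Windows Security event 529 (logon failure) text dumps for
Remote Desktop password guessing.  Added example; not code from the thread.

Assumptions (not from the post): the log is a plain-text dump of event
bodies in the 'Field: value' layout the original poster pasted, with each
record starting at a 'Logon Failure:' line.
"""
import re
from collections import Counter, defaultdict

# Logon type codes as documented for Windows XP / Server 2003.  Windows 2000
# reports Terminal Services logons as type 2 (Interactive), so type 10 only
# appears on XP-era and later systems.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_529_records(text):
    """Split a text dump into one dict per 'Logon Failure:' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Logon Failure:"):
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def summarize_by_source(records):
    """Group failures by Source Network Address, counting users and logon types."""
    summary = defaultdict(lambda: {"count": 0, "users": Counter(), "types": Counter()})
    for rec in records:
        src = rec.get("Source Network Address", "-")
        try:
            code = int(rec.get("Logon Type", "0"))
        except ValueError:
            code = 0
        entry = summary[src]
        entry["count"] += 1
        entry["users"][rec.get("User Name", "?")] += 1
        entry["types"][LOGON_TYPES.get(code, f"Unknown({code})")] += 1
    return dict(summary)


def flag_rdp_guessing(summary, threshold=5):
    """Sources with at least `threshold` RemoteInteractive (type 10) failures,
    i.e. repeated failed RDP logons, the pattern the reply describes."""
    return sorted(src for src, entry in summary.items()
                  if entry["types"]["RemoteInteractive"] >= threshold)


def _record(user, src, port, logon_type=10):
    # Constructed sample record in the layout of the original post.
    return (
        "Logon Failure:\n"
        " Reason: Unknown user name or bad password\n"
        f" User Name: {user}\n"
        " Domain: EXAMPLEDOM\n"
        f" Logon Type: {logon_type}\n"
        " Logon Process: User32\n"
        " Authentication Package: Negotiate\n"
        " Workstation Name: SBSBOX\n"
        f" Source Network Address: {src}\n"
        f" Source Port: {port}\n"
    )


# Constructed sample: six failed RDP logons from one outside address cycling
# through account names (203.0.113.7 is a documentation address), plus one
# ordinary console typo from the LAN (logon type 2).
SAMPLE_LOG = "".join(
    _record(user, "203.0.113.7", 49300 + i)
    for i, user in enumerate(["Administrator", "administrator", "admin",
                              "root", "Administrator", "test"])
) + _record("jsmith", "192.168.16.20", 1045, logon_type=2)

if __name__ == "__main__":
    summary = summarize_by_source(parse_529_records(SAMPLE_LOG))
    for src, entry in summary.items():
        print(src, entry["count"], dict(entry["types"]), dict(entry["users"]))
    print("Likely RDP password guessing from:", flag_rdp_guessing(summary))
```

On a real server the same grouping applied to an exported Security log separates the noisy outside source on port 3389 from ordinary local typos, which is the distinction the reply draws before recommending that 3389 be closed and RWW used instead.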
