RE: Tracing source of remote logons



Hi Tom,

Thank you for posting in SBS newsgroup.

I am sorry for the delayed response due to weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

Based on your description, I understand this issue to be: you receive
security event 529 on your SBS 2k3 server and logon type is 10. If I have
misunderstood your concerns, please do not hesitate to let me know.

As I know, logon type 10 is interpreted as RemoteInteractive. When you
access a computer through Terminal Services, Remote Desktop or Remote
Assistance, Windows logs the logon attempt with logon type 10, which makes it
easy to distinguish true console logons from a remote desktop session. Note
however that prior to XP, Windows 2000 doesn't use logon type 10, and
terminal services logons are reported as logon type 2.

Do you mean the Source Network Address of the event is internal IP of SBS?

As I know, the failure event may be caused by a dictionary attack to crack
the administrator password. So the result could be that someone was trying to
log on to your SBS server through Remote Desktop via 3389 with different
username and password combinations, but failed.

Regarding this situation, I would like to give the following suggestions:

1. Please enforce a strong password policy and make sure passwords are
well managed throughout your network. Implement strong password policies.
Open the 'Server Management' console and navigate to the Users snap-in. In the
right panel, click 'Configure Password Policies'. Enable the password policies.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

2. Close port 3389 on your hardware router or in your SBS 2k3 ISA/Basic
Firewall configuration. Port 3389 is necessary for the Remote Desktop
connection. By disabling this port, bad guys can no longer initiate a
remote desktop session and try the dictionary attack. For administering
the SBS server, I would suggest you access the server through the RWW
portal. By logging on to RWW first and then logging on to the SBS server
remotely, traffic actually goes through port 443 and the 4125 proxy port. This
can successfully prevent robot dictionary attacks on port 3389.

3. More information:

Securing Your Windows Small Business Server 2003 Network
http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc

Also, if you would like to check the real-time TS sessions, we can use
Terminal Server Manager. To do that:

1. Click Start | Programs | Administrative Tools | Terminal Service Manager.
2. Click <Server Name> in the left pane, and then you can see detailed
information in the right pane.

If you want real-time logging for the Terminal Service, I suggest that
you use WinStation Monitor to get the real-time status of the user name,
domain, IP address, session ID, and connection status of currently
logged-on users. For more detailed information, please refer to the KB
article:

320190 HOW TO: Use WinStation Monitor to Monitor Terminal Services Client
http://support.microsoft.com/?id=320190

If you want to check who logs on to the TS server and when, you can use
"Audit logon events" to audit the "logon locally" events, since users should
have the "logon locally" permission to log on to the TS server. If the TS
server is a member server, you can configure the local security policy. You
can refer to the following KB article:

174073 Auditing User Authentication
http://support.microsoft.com/?id=174073

If you have any questions or concerns related to this issue, please let me
know.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Tom Del Rosso" <td_01@xxxxxxxxxxxxxxx>
| Subject: Tracing source of remote logons
| Date: Sun, 17 Sep 2006 10:27:15 -0400
| Lines: 10
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1807
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
| Message-ID: <#FjjqXm2GHA.4924@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: ool-457be43a.dyn.optonline.net 69.123.228.58
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:298151
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Logon type 10 is remote desktop, AFAIK, but the event log records the
| source IP as the local IP of the server. How can you identify the source?
|
|
| --
|
| Reply in group, but if emailing add another
| zero, and remove the last word.
|
|
|
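As an added example (not code from the thread), the check the reply describes: count event 529 failures with logon type 10 per Source Network Address and flag bursts, while marking sources that are the server's own address as the case Tom raises, where the event alone cannot identify the origin. The exported record layout, the server address set and the burst threshold are assumptions.

```python
import re

# Constructed sample (not from the thread): one exported Security-log record
# per line as "<time>|<event id>|<description>", with the description fields
# tab-separated the way an event 529 text reads on Windows Server 2003.
SAMPLE_LINES = [
    "2006-09-17 03:10:01|529|Logon Failure:\tReason: Unknown user name or bad password\tUser Name: administrator\tDomain: SBS\tLogon Type: 10\tWorkstation Name: SBSSERVER\tSource Network Address: 192.168.16.2\tSource Port: 1047",
    "2006-09-17 03:10:04|529|Logon Failure:\tReason: Unknown user name or bad password\tUser Name: admin\tDomain: SBS\tLogon Type: 10\tWorkstation Name: SBSSERVER\tSource Network Address: 192.168.16.2\tSource Port: 1051",
    "2006-09-17 03:10:07|529|Logon Failure:\tReason: Unknown user name or bad password\tUser Name: root\tDomain: SBS\tLogon Type: 10\tWorkstation Name: SBSSERVER\tSource Network Address: 192.168.16.2\tSource Port: 1055",
    "2006-09-17 08:45:12|529|Logon Failure:\tReason: Unknown user name or bad password\tUser Name: tom\tDomain: SBS\tLogon Type: 2\tWorkstation Name: SBSSERVER\tSource Network Address: -\tSource Port: -",
    "2006-09-17 09:01:30|528|Successful Logon:\tUser Name: tom\tDomain: SBS\tLogon Type: 10\tWorkstation Name: SBSSERVER\tSource Network Address: 10.0.0.25\tSource Port: 2203",
]

FIELD = re.compile(r"([A-Za-z ]+?):\s*(.*)")

def parse_record(line):
    """Split one exported record into (time, event_id, {field: value})."""
    time, event_id, description = line.split("|", 2)
    fields = {}
    for chunk in description.split("\t"):
        m = FIELD.fullmatch(chunk.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return time, int(event_id), fields

def remote_logon_failures(lines, server_addresses, threshold=3):
    """Count event 529 with logon type 10 (RemoteInteractive) per source.

    threshold (assumed) marks a burst worth treating as a dictionary attack.
    local_source marks the case the thread raises: the recorded Source
    Network Address is the server's own IP, so the real origin has to be
    correlated from router, ISA or RWW logs rather than from this event.
    """
    per_source = {}
    for line in lines:
        _, event_id, f = parse_record(line)
        if event_id != 529 or f.get("Logon Type") != "10":
            continue
        src = f.get("Source Network Address", "-")
        entry = per_source.setdefault(src, {"count": 0, "users": []})
        entry["count"] += 1
        entry["users"].append(f.get("User Name", "?"))
    for src, entry in per_source.items():
        entry["flagged"] = entry["count"] >= threshold
        entry["local_source"] = src in server_addresses
    return per_source

if __name__ == "__main__":
    for src, e in remote_logon_failures(SAMPLE_LINES, {"192.168.16.2"}).items():
        print(src, e)
```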



