Re: Logon failure on disabled Administrator account



A workaround is to remote into your "home" system (that has the allowed IP
address), and then connect from there to the customer.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius


"Bruce Wilkinson" <BruceWilkinson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:DFB0E77F-2823-4EF9-AD85-36BBF44B5B21@xxxxxxxxxxxxxxxx
Steve:

That works if I only remote in from known locations. But if I'm out at
another client's and this one calls in, I'm stuck. I may start adding select
clients' IPs though. That would allow finer grain control and only force me to
reconfigure the firewall if I'm somewhere else.

Thanks.

"Steve" wrote:

If you have ISA 2004 installed you can use that to allow in only the
specific remote IPs you need to connect to 3389 for administration.

"Bruce Wilkinson" <BruceWilkinson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:D50A7A50-14F1-4776-AF72-ECB8AC50C075@xxxxxxxxxxxxxxxx
The attempts to connect are coming in over port 3389, the terminal services
port. I use it for remote administration.

Isn't it considered good security practice to disable Administrator and use
another account for administrator tasks? Doesn't Microsoft recommend it? I
know many others do.

Bruce

"Lanwench [MVP - Exchange]" wrote:

In news:55B9E1A8-90AF-4CD7-A3D2-595E6E6F894D@xxxxxxxxxxxxx,
Bruce Wilkinson <BruceWilkinson@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I disabled the administrator account for security purposes, primarily
because someone periodically tries to brute force the account. Since
then I get Security event 531 about 15 times each night on account
DC1$. The computer name is dc1. Is event monitoring or some other
scheduled task triggering this event error? All scheduled events that
I control are using the new admin user account.

Bruce

Don't disable the administrator account. Frankly, in SBS, I've had problems
even *renaming* it; there are plenty of services and inner workings that
expect it to be there & expect it to be called administrator (particularly
your monitoring stuff). Just set an impossible-to-guess password on it.

Where are the brute force attacks coming from, and if this is outside your
network, over what ports are they coming in - and what kind of firewall
protection do you have?







