Re: Stop illegal login attempts?




Yes, that is an option but this is my own personal server and cash for doing
such is not available at the moment!


"Cris Hanna" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%238CuAapEHHA.3188@xxxxxxxxxxxxxxxxxxxxxxx
upgrade to premium with ISA?

--
CRIS HANNA [SBS-MVP]
---------------------------------
Please only respond in the newsgroup. Do Not Contact Directly.
MVPs do not work for Microsoft.
---------------------------------------
Sent via Windows Mail on Vista Ultimate connected to SBS R2
"Adam Butler" <adambutler100@xxxxxxxxxxx> wrote in message
news:uS%23LcPpEHHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

How can I stop illegal login attempts to my SBS box Exchange server?
This is on SBS 2003 SP1.
I had a guy last night try for over 3 hours to guess my username/password
which generated over 610 security errors in the security event log.
My server is behind a NAT router (Zywall35) so I did capture the person's
IP from Romania.
However, is there not a way to lock out repeated attempts that occur in
rapid succession?
I know I can do such with the router but I'd rather learn how to do such
with built in SBS or Exchange tools if possible.

I've copied and pasted a typical event log from these attempts below.
Of course the user name field was different for each attempt this person
made.
Looks like a typical dictionary attack to me but how to block this after
say 10 attempts?

Any advice is welcome!

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/26/2006
Time: 23:53:43
User: NT AUTHORITY\SYSTEM
Computer: WX98
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Beaner
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WX98
Caller User Name: WX98$
Caller Domain: KRUSEONE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 784
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
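
One way to spot the pattern described in the original question (many Event ID 529 failures in rapid succession) from a text export of the Security log. This is an added example, not code from any poster in the thread, and it only flags bursts; it does not lock anything out. The function names, the 10-failures-in-5-minutes threshold and the generated sample records are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

FIELD = re.compile(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*)$")  # "Name: value" lines

def parse_529(text):
    """Return [(timestamp, fields)] for each Event ID 529 record, oldest first."""
    out = []
    for rec in re.split(r"(?m)^(?=Event Type:)", text):  # one record per "Event Type:" header
        f = {k.strip(): v.strip() for k, v in FIELD.findall(rec)}
        if f.get("Event ID") == "529":
            ts = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %H:%M:%S")
            out.append((ts, f))
    return sorted(out, key=lambda e: e[0])

def find_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Report each run of `threshold` failures that falls inside `window`."""
    recent, bursts = deque(), []
    for ts, f in events:
        recent.append((ts, f))
        while ts - recent[0][0] > window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append({
                "first": recent[0][0], "last": ts,
                "users": sorted({r[1].get("User Name", "") for r in recent}),
                # "-" means the event carries no client address, as in the quoted log
                "sources": sorted({r[1].get("Source Network Address", "-") for r in recent} - {"-"}),
            })
            recent.clear()  # count the next burst from scratch
    return bursts

def make_sample(n, start, step_seconds):
    """Constructed input: n records in the quoted layout with made-up user names."""
    recs = []
    for i in range(n):
        ts = start + timedelta(seconds=i * step_seconds)
        recs.append(
            "Event Type: Failure Audit\nEvent Source: Security\nEvent ID: 529\n"
            f"Date: {ts:%m/%d/%Y}\nTime: {ts:%H:%M:%S}\nDescription:\nLogon Failure:\n"
            f"Reason: Unknown user name or bad password\nUser Name: guess{i}\n"
            "Logon Type: 3\nLogon Process: Advapi\nSource Network Address: -\n\n")
    return "".join(recs)

if __name__ == "__main__":
    text = make_sample(25, datetime(2006, 11, 26, 23, 50, 0), 20)
    for b in find_bursts(parse_529(text)):
        print(b["first"], b["last"], len(b["users"]), "names, sources:", b["sources"] or "none logged")
```

Because the sample records, like the quoted one, log `-` as the source address, each burst reports an empty `sources` list, so the client IP has to come from another device such as the router.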




