Re: Stop illegal login attempts?



Upgrade to Premium with ISA?

--
CRIS HANNA [SBS-MVP]
---------------------------------
Please only respond in the newsgroup. Do Not Contact Directly.
MVPs do not work for Microsoft.
---------------------------------------
Sent via Windows Mail on Vista Ultimate connected to SBS R2
"Adam Butler" <adambutler100@xxxxxxxxxxx> wrote in message news:uS%23LcPpEHHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

How can I stop illegal login attempts to my SBS box Exchange server?
This is on SBS 2003 SP1.
I had a guy last night try for over 3 hours to guess my username/password which generated over 610 security errors in the security event log.
My server is behind a NAT router (Zywall35) so I did capture the person's IP from Romania.
However, is there not a way to lock out repeated attempts that occur in rapid succession?
I know I can do such with the router but I'd rather learn how to do such with built in SBS or Exchange tools if possible.

I've copied and pasted a typical event log from these attempts below.
Of course the user name field was different for each attempt this person made.
Looks like a typical dictionary attack to me but how to block this after say 10 attempts?

Any advice is welcome!

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/26/2006
Time: 23:53:43
User: NT AUTHORITY\SYSTEM
Computer: WX98
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Beaner
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WX98
Caller User Name: WX98$
Caller Domain: KRUSEONE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 784
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
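
An added example, not part of the original thread: a detector that reads Security log text exported in the format pasted above and reports bursts of Event ID 529, Logon Type 3 failures. The threshold of 10 comes from the question; the 5-minute window, the function names and the sample records are constructed assumptions. Because these records show `Source Network Address: -`, the alert lists no source and has to be matched against the router log by time.

```python
import re
from collections import deque
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

# Constructed sample: 12 failures 5 s apart, a new guessed name each time.
TEMPLATE = """Event Type: Failure Audit
Event ID: 529
Date: 11/26/2006
Time: 23:50:{sec:02d}
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: {user}
  Logon Type: 3
  Logon Process: Advapi
  Source Network Address: -
"""
SAMPLE = "".join(TEMPLATE.format(sec=i * 5, user=f"guess{i:02d}") for i in range(12))

def parse_events(text):
    """Split exported Security log text into one dict per 'Event Type:' record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            events.append({})
        if events:
            events[-1].setdefault(key, val)
    return events

def find_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Alert each time `threshold` type-3 logon failures (529) fall inside `window`."""
    fails = [(datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %H:%M:%S"), e)
             for e in events if e.get("Event ID") == "529" and e.get("Logon Type") == "3"]
    fails.sort(key=lambda pair: pair[0])
    recent, alerts = deque(), []
    for when, event in fails:
        recent.append((when, event))
        while when - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            addrs = {e.get("Source Network Address", "-") for _, e in recent} - {"-", ""}
            alerts.append({"start": recent[0][0], "end": when, "attempts": len(recent),
                           "distinct_users": len({e.get("User Name") for _, e in recent}),
                           "sources": sorted(addrs)})  # empty: correlate with router log
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(parse_events(SAMPLE)):
        print(alert)
```

A high `distinct_users` count relative to `attempts` is what separates a dictionary run like the one described from a single user mistyping a password.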


