Re: Logon failures filling the event log



- Small Business Server default web site (Remote Web Workplace?),
Exchange web interface and CompanyWeb all require SSL and 128 bits.
- We also have MS CRM web interface running. No SSL but it only uses
Windows Integrated.

That's ok. It's probably a brute-force attack. Given enough time these
usually succeed, but most bounce off after a while as there are simply
easier targets.

I would really appreciate any advice you might have or any comments.
It is gratifying that this person/bot/virus doesn't seem to be getting
access but still makes me quite nervous.

And it should :), it means you're thinking about security and that's a
good thing.

Also, does it mean anything that the source address/port aren't
getting caught? Usually when my users get their password wrong, it
traps the source IP address. Could this indicate the attack is from
within the server (like a worm or virus?) or is this information
easily hidden?

The authentication as seen from the authentication service comes from
IIS that tries to authenticate a remote client. Therefore it's local.
Unfortunately I know very little about IIS. There might be something in
IIS's logs tho'. What is mainly interesting is if the attacks come from
one or a couple IP(s), that usually means someone is eager to get in. If
it is tons of different IPs it usually just means there's some
virus/worm going wild.

My experience of IIS 6 is that it is very secure - we also run a
server farm (Windows 2003 standard, IIS6) hosting SSL secured, NTLM
Sharepoint portals and never see this kind of thing going on.

Common usernames, easy passwords etc. will always be prone to brute
forcing. You can however usually enforce rate limits and such (as in IP
x can only try to authenticate 5 times in a minute, if it fails 5 times
in a minute ignore it for 5 hours, or something similar). But again,
very little knowledge of IIS :)

If I have nothing to worry about that's fine, but I don't really see
what I can do to stop this. I don't want to disregard the security
warnings. As I said, any comment or advice is very much appreciated.

If you open ports to the internet, especially common services like
HTTP(S) you always see attacks coming by. Usually it's nothing (if you
are properly patched and such) but it's good to stay wary.
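
The reply above suggests looking in the IIS logs to see whether the failures come from one or a couple of IPs or from many, and describes a limit of 5 failed attempts per minute. As an added example (not part of the original post), this Python sketch counts 401 responses per client IP in an IIS W3C extended log and flags addresses that reach that limit; the sample log lines are constructed and the function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-01 10:00:01 203.0.113.7 - GET /exchange/ 401
2006-03-01 10:00:05 203.0.113.7 - GET /exchange/ 401
2006-03-01 10:00:09 203.0.113.7 - GET /exchange/ 401
2006-03-01 10:00:14 203.0.113.7 - GET /exchange/ 401
2006-03-01 10:00:20 203.0.113.7 - GET /exchange/ 401
2006-03-01 10:00:31 198.51.100.4 - GET /remote/ 401
2006-03-01 10:00:40 198.51.100.4 alice GET /remote/ 200
2006-03-01 10:03:00 198.51.100.4 - GET /remote/ 401
"""

def parse_w3c(text):
    """Yield (timestamp, client_ip, status), mapping columns via #Fields:."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], int(row["sc-status"])

def failed_auth_report(text, limit=5, window=timedelta(minutes=1)):
    """Return (401 count per IP, set of IPs with `limit` 401s inside `window`)."""
    # A 401 is also part of a normal Integrated Windows handshake, so tune `limit`.
    totals, recent, flagged = defaultdict(int), defaultdict(deque), set()
    for ts, ip, status in parse_w3c(text):  # assumes entries are in time order
        if status != 401:
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return dict(totals), flagged

if __name__ == "__main__":
    totals, flagged = failed_auth_report(SAMPLE_LOG)
    for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(ip, n, "over limit" if ip in flagged else "")
```

The number of keys in the first return value is the count of distinct sources, which is the one-or-a-couple versus tons-of-IPs distinction the reply draws.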