Re: Protect from Login Attempts



Liam wrote:
I have recently had an intrusion and I want to beef up the security on the server.

Environment:
OWA is used extensively.
RDP to the server is used to manage it (I am only here 1 or 2 days per week)

Problem:
Over the weekend I logged about 200-300 failed logon attempts. Some were obviously a weak attempt at the admin password, but one other used admin_tmpl, sbs_backup, krbtgt, etc., which looks like a script.

Is there a hardware device that would sit between an RDP session and the Windows authenticator? Or any other way, besides turning off RDP and OWA, to keep this riff-raff from even getting as far as a failed logon?


As Cliff says, using RDP over VPN will help secure what is a common attack target. I go slightly further and only allow unprivileged users to get in by VPN, at which point an admin password has to be cracked while the bad guy is already part-way in and featuring prominently in the router logs. To be accurate, I actually use RDP over SSH, but Windows doesn't have a native SSH server and I wouldn't trust a third-party one.

RWW will also be suggested, but servers won't be offered for connection to anyone but admins, so the two-stage approach doesn't work there.

If it's only you needing RDP/RWW, then the router can limit connections to your IP address if fixed, or at least your ISP's DHCP pool, which is better than nothing. Most intrusions will not come from other customers of the same ISP. At a pinch, SBS itself in two-NIC mode or using VPN, can filter on client IP addresses/ranges, but it's cleaner to do it in a router.

Another option is to limit OWA and RWW access by requiring a client certificate. That's not too convenient, as the certificate has to be installed in the browsers used, and you'll probably have to trust your users to do that themselves. It's a bit wide-ranging, as it applies to the whole default website, even when accessed from the LAN. Also, check that your certificate has not expired before you enable it remotely, as certsrv is part of the default website...
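An added example, not part of this thread or anyone's reply in it: a small Python script that separates the two patterns Liam reports, one source hammering the admin password and one source walking through a list of account names. It assumes the failed logons have already been exported from the Security log into a constructed `timestamp,account,source` CSV (the rows below are made up for the example); thresholds are assumptions to tune against your own logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of failed-logon events (not a real SBS log format):
# timestamp,account,source address. Two "attackers" and one genuine typo.
SAMPLE_LOG = """\
2006-03-11 02:14:03,Administrator,203.0.113.7
2006-03-11 02:14:05,Administrator,203.0.113.7
2006-03-11 02:14:08,Administrator,203.0.113.7
2006-03-11 02:14:11,administrator,203.0.113.7
2006-03-11 02:14:13,Administrator,203.0.113.7
2006-03-11 02:14:16,Administrator,203.0.113.7
2006-03-11 03:40:00,admin_tmpl,198.51.100.22
2006-03-11 03:52:10,sbs_backup,198.51.100.22
2006-03-11 04:05:31,krbtgt,198.51.100.22
2006-03-11 04:18:44,guest,198.51.100.22
2006-03-11 09:02:17,liam,192.0.2.5
"""

def parse_failed_logons(text):
    """Parse CSV rows into (timestamp, account, source); account names are case-folded."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, account, src = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account.lower(), src))
    return events

def find_bruteforce_sources(events, window=timedelta(minutes=10), threshold=5):
    """Sources with >= threshold failures inside any sliding window (password guessing)."""
    by_src = defaultdict(list)
    for ts, _, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def find_enumerating_sources(events, min_accounts=3):
    """Sources that tried many distinct account names: the scripted, low-and-slow pattern."""
    accounts = defaultdict(set)
    for _, account, src in events:
        accounts[src].add(account)
    return {src: sorted(names) for src, names in accounts.items() if len(names) >= min_accounts}

if __name__ == "__main__":
    evs = parse_failed_logons(SAMPLE_LOG)
    print("brute force:", find_bruteforce_sources(evs))
    print("enumeration:", find_enumerating_sources(evs))
```

The enumeration check catches the slow scripted run that a per-minute lockout threshold would miss, which is why it is worth reporting separately from the burst detector.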