Re: Remote Access Security



TRI-C wrote:
Would like to know how to prevent someone from accessing the server remotely.

Disconnect it from the Internet...

Periodically, I see a high number of LOGON FAILURES where someone in the world is trying to gain access to our server (SBS 2003) remotely and entering a myriad of different user names. Is there a way to set a policy to allow a maximum number of attempts from an IP address?

Not as far as I know. You can take steps to minimise risks, only permitting VPN and RWW access to those who need them, but whatever services you open will be at risk from poor passwords of those who are allowed to use them. If you receive mail by SMTP, there will be frequent probes for port 25 followed by attempts at authenticated relaying, which all users are permitted to try. If you don't allow authenticated relaying, it doesn't matter who hammers on the door.

If you are allowing remote connections, there are ways of improving security of both RWW and VPN that do not involve passwords, but there's no way of telling how useful or cost-effective that would be. Virtually no network compromises result from outside attacks these days, pretty much all the trouble comes from unwary users executing some kind of malware, whether by web browsing or email. There are various ways of minimising these risks, but they don't involve defending the network from direct outside assault.

There's not really much point in IP address lockouts, as most attackers will not stick to a single address for any length of time, and lockouts must expire eventually. Having said that, I keep an eye on the firewall logs of one site, purely out of curiosity to see what's fashionable, and there's a Chinese IP address which tries to find a web proxy about once an hour, for the last couple of years. He didn't find it the first day, and he's never going to find it, as it doesn't exist, and there's no point in getting irritated by his persistence. On the other hand, my mail server logs show failed NDR spam attempts, and there's rarely more than about four attempts from one address, then the same crop of names appears from a different continent half an hour later. Anyone playing this game normally has a fairly large pool of stolen IP addresses to work with.

You can impose lockouts on users after a number of failed logon attempts, but if the attack is automated, as almost all are, the user names will not be known anyway. Running a dictionary attack without knowledge of user account names, and at typical DSL speeds, is not a practical proposition. The automated attackers are hoping to get lucky, finding a JSmith who is using the password 'secret', or maybe even an Administrator/'password'. The server Administrator account cannot be locked out. Rename it if you like, but more importantly, give it a huge and totally uncrackable password and never use it.

There really is no substitute for good passwords. You need to impress on the remote users that their passwords are all that stands between the network and the bad guys. I'm sure you know you can impose password policies, but they are never popular and often result in outbreaks of inappropriate Post-Its. It's better to convince them that they'll be extremely ashamed if someone breaks into the network because of their laziness. And you *will* know it was them...

--
Joe
.