
How do I block a single IP address from logging on as Administrator?

Posted by Mike Thompson on October 31, 2007, 9:39 am
I have been running a public web server for 10 years, now running Windows
2003 Server, and I've just encountered (for the first time) an ISP who
cannot or will not stop hack attacks coming from one IP address in his
center. The hacker tries to log on as Administrator, and his activity is
logged in the Security Log. This has happened repeatedly over the last
several months, and I've talked to the ISP by phone numerous times, but no
action.

Is there a way to block a single IP address from logging on to Windows 2003
Server (SP1)? This is not an IIS issue, it's a Windows Server issue, as the
attacker is not trying to log onto the website, he is trying to log on to
the server as Administrator.

Many thanks for any ideas.



Posted by Chris M on October 31, 2007, 9:49 am
Mike Thompson wrote:
> I have been running a public web server for 10 years, now running Windows
> 2003 Server, and I've just encountered (for the first time) an ISP who
> cannot or will not stop hack attacks coming from one IP address in his
> center. The hacker tries to log on as Administrator, and his activity is
> logged in the Security Log. This has happened repeatedly over the last
> several months, and I've talked to the ISP by phone numerous times, but no
> action.
>
> Is there a way to block a single IP address from logging on to Windows 2003
> Server (SP1)? This is not an IIS issue, it's a Windows Server issue, as the
> attacker is not trying to log onto the website, he is trying to log on to
> the server as Administrator.

How is the attacker actually trying to log on to the server? Not Remote
Desktop surely?

If the logon failures are not coming from IIS (via integrated
authentication) then you have a deeper problem - your server isn't
correctly firewalled. These logon attempts from an untrusted IP address
should never even reach your server in the first place.

--
Chris.
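
The question of how the logon is being attempted can be answered from the Security Log itself. The following is an added example, not part of any post in this thread: it tallies failed logons by source address, account and logon type. The record layout is an assumption modeled on the Windows Server 2003 logon-failure event (ID 529), and the sample records and addresses are constructed.

```python
import re
from collections import Counter

# Assumed text layout of an exported Security Log record (modeled on
# Windows Server 2003 event 529); adjust the field names to your export.
TEMPLATE = ("Event ID: {eid}\n{title}:\n\tUser Name: {user}\n"
            "\tLogon Type: {ltype}\n\tSource Network Address: {src}\n")

# Constructed sample data: documentation-range addresses, not from the thread.
SAMPLE_EVENTS = "---\n".join(
    TEMPLATE.format(eid=e, title=t, user=u, ltype=l, src=s)
    for e, t, u, l, s in [
        (529, "Logon Failure", "Administrator", 10, "203.0.113.45"),
        (529, "Logon Failure", "Administrator", 10, "203.0.113.45"),
        (529, "Logon Failure", "Administrator", 3, "203.0.113.45"),
        (528, "Successful Logon", "mike", 2, "127.0.0.1"),  # not a failure
    ])

# Logon Type tells you which service the attempt came through.
LOGON_TYPES = {
    2: "interactive (console)",
    3: "network (e.g. file sharing)",
    10: "remote interactive (Remote Desktop / Terminal Services)",
}

FIELD = re.compile(
    r"^\s*(User Name|Logon Type|Source Network Address):\s*(\S+)", re.M)

def summarize_failures(text):
    """Count event-529 failures per (source IP, account, logon type)."""
    counts = Counter()
    for record in text.split("---"):
        if not re.search(r"Event ID:\s*529\b", record):
            continue  # skip successes and unrelated events
        fields = dict(FIELD.findall(record))
        src = fields.get("Source Network Address", "-")
        user = fields.get("User Name", "?").lower()
        counts[(src, user, int(fields.get("Logon Type", 0)))] += 1
    return counts

def report(counts):
    """One line per source/account/type, most frequent first."""
    return ["%d failures from %s as %s via %s"
            % (n, src, user, LOGON_TYPES.get(ltype, "type %d" % ltype))
            for (src, user, ltype), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarize_failures(SAMPLE_EVENTS))))
```

A logon type of 10 means the attempts are arriving over Remote Desktop, and type 3 points at a network service such as file sharing; either way the result shows which port should not be reachable from the internet.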

Posted by Mike Thompson on October 31, 2007, 10:59 am
Yes, it's not an IIS attack. Would the firewall in Windows Server 2003 SP2
be adequate?

Thanks.





Posted by Chris M on October 31, 2007, 11:08 am
Mike Thompson wrote:
> Yes, it's not an IIS attack. Would the firewall in Windows Server 2003 SP2
> be adequate?

Yes, that would be enough to prevent the logon attempts from occurring -
you'd just need to open the relevant ports for IIS to remain visible to
the outside world.

Ideally you'd have the firewall at your network perimeter rather than on
the server itself, but that really depends on how your network is
configured.

--
Chris.



Posted by Steven L Umbach on October 31, 2007, 7:16 pm
First off, I would consider disabling the built-in administrator account,
which will still be available in Safe Mode if needed. Verify that the server
is locked down properly in that only the necessary ports are available from
the internet and you can do a self scan from the internet. Run the Microsoft
Baseline Security Analyzer tool to see if your server is properly patched
and secured from basic operating system vulnerabilities. You should be able
to create a firewall rule in your perimeter firewall to block all access to
your network from a specific IP and then traffic from that IP will never get
to your server.

Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA




