Posted by Paul Proefrock on May 26, 2006, 5:06 pm
We had a recent entry in our Security Log, showing someone had tried to log on remotely with a user name not in our system. The log said they tried repeated passwords. The user name they attempted was "webmaster". It looks as if they tried entry about 15 times in a 3 minute span, then again about 8 times, two hours later. I don't see any further attempts or signs of entry.
This smells fishy to me and I am curious if I should take any additional steps to maintain our security. We do not use a domain name but an IP address for our box, so someone would have to know the address to hit it. We have locked down all ports except those necessary for our VPN and RWW/Remote Access. Our passwords are the secure type but we don't change them regularly. There are five users on the system and no one has left the company that would point at a disgruntled ex-employee.
Should I be doing anything else? Our SBS2003 SP1 box sits behind a Linksys router with 2 NIC cards. Typical 192.168.1.1 outside addresses, 192.168.16.xxx inside addresses. The passwords into the router and server are 9 character alpha/numeric/symbol so are relatively secure.
This is the info from the Event ID (529) Info:
Logon Failure:
Reason: Unknown user name or bad password
User Name: webmaster
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: OUTER
Caller User Name: OUTER$
Caller Domain: HRTLND
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 816
Transited Services: -
Source Network Address: -
Source Port: -
Suggestions or should I be concerned?
Thanks
Paul P
Posted by S. Pidgorny on May 27, 2006, 7:48 pm
This is normal. As long as you are exposing any service that is using domain
authentication to the Internet (and in your case they are both VPN and RWW)
there will be attempts to brute force passwords.
If you're using complex pass phrases, or smart cards, you're not much at
risk. Note that if you have an account lock-out policy then you can be the target
of an easy-to-do denial of service attack, provided the intruder has a list of
your domain accounts (often the same as e-mail addresses). In case you use
complex pass phrases or smart cards, you don't need to have account lock out.
It is a good idea to implement a kind of alerting on persistent logon
failures, as they mean an intrusion attempt in progress, or an element of
infrastructure having issues. However, occurrences of a few failed attempts are
safe to ignore. In the end, a successful logon is something that you need
to worry about.
Switching to a different authentication mechanism, or introducing additional
complexities, is counterproductive and usually doesn't avoid the problem
you're observing.
My recommendation is to consider PKI-based logon for VPN and RWW.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
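The reply above recommends alerting on persistent logon failures rather than relying on account lockout. The script below is an added example of that detection logic and is not code from either poster. It assumes the Security log has been exported to one text line per event in a constructed format (produced by format_line, parsed by parse_line); a real Event Viewer export is laid out differently, so parse_line is the part you would adapt. The sample data reproduces the pattern Paul describes (15 failures for "webmaster" inside 3 minutes, 8 more two hours later) and adds two isolated failures by a constructed user "jsmith" that must not alert.

```python
"""Flag bursts of failed logons (Windows Event ID 529) in a text log export.

Added example for this thread, not code from the original posts. Assumes the
constructed one-line-per-event export format shown in format_line().
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Failure:
    ts: datetime
    user: str
    workstation: str


@dataclass(frozen=True)
class Burst:
    user: str
    workstation: str
    first: datetime
    last: datetime
    count: int


def format_line(ts: datetime, user: str, workstation: str) -> str:
    """Render one log line in the hypothetical export format used here."""
    return f"{ts.strftime(TS_FORMAT)} EventID=529 User={user} Workstation={workstation}"


def parse_line(line: str) -> Optional[Failure]:
    """Parse one line of the constructed format; non-529 events return None."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "EventID=529":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT)
    return Failure(ts, fields["User"], fields.get("Workstation", "-"))


def constructed_sample() -> str:
    """Constructed data mirroring the thread: 15 failures in 3 minutes, 8 more
    two hours later, two isolated failures by a real user, one unrelated event."""
    base = datetime(2006, 5, 26, 13, 1, 0)
    lines = [format_line(base + timedelta(seconds=12 * i), "webmaster", "OUTER")
             for i in range(15)]
    lines += [format_line(base + timedelta(hours=2, seconds=15 * i), "webmaster", "OUTER")
              for i in range(8)]
    lines.append(format_line(base + timedelta(minutes=40), "jsmith", "WS01"))
    lines.append(format_line(base + timedelta(hours=3), "jsmith", "WS01"))
    # A successful-logon event (528) that the parser must skip.
    lines.append(f"{(base + timedelta(minutes=5)).strftime(TS_FORMAT)} "
                 "EventID=528 User=jsmith Workstation=WS01")
    return "\n".join(sorted(lines))  # ISO timestamps sort chronologically


def detect_bursts(failures: Iterable[Failure], threshold: int = 5,
                  gap: timedelta = timedelta(minutes=3)) -> List[Burst]:
    """Group each account's failures into bursts (consecutive failures no more
    than `gap` apart) and report bursts with at least `threshold` failures.
    Alerting on a burst, instead of locking the account, sidesteps the lockout
    denial-of-service the reply warns about."""
    open_bursts: Dict[str, list] = {}  # user -> [workstation, first, last, count]
    found: List[Burst] = []

    def close(user: str) -> None:
        ws, first, last, count = open_bursts.pop(user)
        if count >= threshold:
            found.append(Burst(user, ws, first, last, count))

    for f in sorted(failures, key=lambda x: x.ts):
        cur = open_bursts.get(f.user)
        if cur is not None and f.ts - cur[2] <= gap:
            cur[2] = f.ts          # extend the burst
            cur[3] += 1
        else:
            if cur is not None:
                close(f.user)      # gap exceeded: finalize the previous burst
            open_bursts[f.user] = [f.workstation, f.ts, f.ts, 1]
    for user in list(open_bursts):
        close(user)
    return sorted(found, key=lambda b: b.first)


def scan(text: str, **kwargs) -> List[Burst]:
    """Parse an export and return the bursts that deserve an alert."""
    failures = [f for f in map(parse_line, text.splitlines()) if f is not None]
    return detect_bursts(failures, **kwargs)


if __name__ == "__main__":
    for b in scan(constructed_sample()):
        print(f"ALERT {b.user}@{b.workstation}: {b.count} failed logons "
              f"between {b.first} and {b.last}")
```

With the defaults (5 failures, 3-minute gap) both of the "webmaster" bursts are reported and the two isolated "jsmith" failures are ignored; raising the threshold to 10 keeps only the first burst, which is the tuning knob that separates a fat-fingered password from a guessing run. The source address fields in the posted event are empty, so the grouping key here is the account name, which is all that event offers.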