Guest Tom Del Rosso
Posted August 25, 2007
Tracing a break-in attempt

On an SBS (2003 R1 standard) somebody has been trying to log in to the RWW as webmaster during the past few days. It produces event ID 529 with logon type 3, but the source IP doesn't seem to be recorded. The server has 2 NICs, but not ISA.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Lanwench [MVP - Exchange]
Posted August 25, 2007
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> On an SBS (2003 R1 standard) somebody has been trying to log in to the
> RWW as webmaster during the past few days. It produces event ID 529
> with logon type 3, but the source IP doesn't seem to be recorded.
> The server has 2 NICs, but not ISA.

I'm presuming you have a good hardware firewall appliance between your network & the internet - if so, you might check its logs. If you don't have a firewall such as this - get one.
Guest Anthony
Posted August 25, 2007
Re: Tracing a break-in attempt

To add to what Lanwench says, people will always try to break into an exposed interface. So you need:
- good password policy
- ideally lockout on failed attempts
- two-factor authentication if it is really important

Anthony,
http://www.airdesk.co.uk

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl...
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> On an SBS (2003 R1 standard) somebody has been trying to log in to the
>> RWW as webmaster during the past few days. It produces event ID 529
>> with logon type 3, but the source IP doesn't seem to be recorded.
>> The server has 2 NICs, but not ISA.
>
> I'm presuming you have a good hardware firewall appliance between your
> network & the internet - if so, you might check its logs. If you don't
> have a firewall such as this - get one.
Guest Tom Del Rosso
Posted August 25, 2007
Re: Tracing a break-in attempt

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> On an SBS (2003 R1 standard) somebody has been trying to log in to the
>> RWW as webmaster during the past few days. It produces event ID 529
>> with logon type 3, but the source IP doesn't seem to be recorded.
>> The server has 2 NICs, but not ISA.
>
> I'm presuming you have a good hardware firewall appliance between your
> network & the internet - if so, you might check its logs. If you
> don't have a firewall such as this - get one.

Just a router there. SBS has a software firewall, and port 443 would have to be open even with a firewall appliance.

Yeah, it would be nice to have that logging, but it would also be nice if SBS logged the IP when it logs the event. Evidently it doesn't.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Mathieu CHATEAU
Posted August 25, 2007
Re: Tracing a break-in attempt

And change the password often :)

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Anthony" <anthony.spam@spammedout.com> wrote in message news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl...
> To add to what Lanwench says, people will always try to break into an
> exposed interface. So you need:
> - good password policy
> - ideally lockout on failed attempts
> - two-factor authentication if it is really important
> Anthony,
> http://www.airdesk.co.uk
>
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl...
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On an SBS (2003 R1 standard) somebody has been trying to log in to the
>>> RWW as webmaster during the past few days. It produces event ID 529
>>> with logon type 3, but the source IP doesn't seem to be recorded.
>>> The server has 2 NICs, but not ISA.
>>
>> I'm presuming you have a good hardware firewall appliance between your
>> network & the internet - if so, you might check its logs. If you don't
>> have a firewall such as this - get one.
Guest Tom Del Rosso
Posted August 25, 2007
Re: Tracing a break-in attempt

"Anthony" <anthony.spam@spammedout.com> wrote in message news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
> To add to what Lanwench says, people will always try to break into an
> exposed interface. So you need:
> - good password policy
> - ideally lockout on failed attempts
> - two-factor authentication if it is really important

Besides lockout from Windows logons, it would be nice to lock out from failed RWW logons, but that's not an option, is it?

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Mathieu CHATEAU
Posted August 25, 2007
Re: Tracing a break-in attempt

Maybe the IIS logs would be helpful (not sure RWW is IIS-based).

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Tom Del Rosso" <td_01@att.net.invalid> wrote in message news:eKTdOj05HHA.600@TK2MSFTNGP05.phx.gbl...
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On an SBS (2003 R1 standard) somebody has been trying to log in to the
>>> RWW as webmaster during the past few days. It produces event ID 529
>>> with logon type 3, but the source IP doesn't seem to be recorded.
>>> The server has 2 NICs, but not ISA.
>>
>> I'm presuming you have a good hardware firewall appliance between your
>> network & the internet - if so, you might check its logs. If you
>> don't have a firewall such as this - get one.
>
> Just a router there. SBS has a software firewall, and port 443 would have
> to be open even with a firewall appliance.
>
> Yeah, it would be nice to have that logging, but it would also be nice if
> SBS logged the IP when it logs the event. Evidently it doesn't.
>
> --
> Reply in group, but if emailing add another
> zero, and remove the last word.
Guest Anthony
Posted August 25, 2007
Re: Tracing a break-in attempt

I don't know RWW, but if it is using Windows authentication I don't see why not.

Anthony,
http://www.airdesk.co.uk

"Tom Del Rosso" <td_01@att.net.invalid> wrote in message news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
> "Anthony" <anthony.spam@spammedout.com> wrote in message
> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>> To add to what Lanwench says, people will always try to break into an
>> exposed interface. So you need:
>> - good password policy
>> - ideally lockout on failed attempts
>> - two-factor authentication if it is really important
>
> Besides lockout from Windows logons, it would be nice to lock out from
> failed RWW logons, but that's not an option, is it?
>
> --
> Reply in group, but if emailing add another
> zero, and remove the last word.
Guest Tom Del Rosso
Posted August 25, 2007
Re: Tracing a break-in attempt

"Anthony" <anthony.spam@spammedout.com> wrote in message news:OItfPb15HHA.3900@TK2MSFTNGP02.phx.gbl
> I don't know RWW, but if it is using Windows authentication I don't
> see why not.

I never came across an option to enable that, and it doesn't happen when somebody fails to log in. I assume it would have to block logins based on the IP.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Posted August 25, 2007
Re: Tracing a break-in attempt

Technically speaking this isn't a targeted attack against you but someone running a scan attack. They are running up and down the IP range seeing if they can hit something.

Tom Del Rosso wrote:
> On an SBS (2003 R1 standard) somebody has been trying to log in to the RWW as
> webmaster during the past few days. It produces event ID 529 with logon
> type 3, but the source IP doesn't seem to be recorded. The server has 2
> NICs, but not ISA.
Guest tatat
Posted August 26, 2007
Re: Tracing a break-in attempt

If account lockout is configured it works for RWW as well.

"Tom Del Rosso" <td_01@att.net.invalid> wrote in message news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
> "Anthony" <anthony.spam@spammedout.com> wrote in message
> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>> To add to what Lanwench says, people will always try to break into an
>> exposed interface. So you need:
>> - good password policy
>> - ideally lockout on failed attempts
>> - two-factor authentication if it is really important
>
> Besides lockout from Windows logons, it would be nice to lock out from
> failed RWW logons, but that's not an option, is it?
>
> --
> Reply in group, but if emailing add another
> zero, and remove the last word.
Guest Anthony
Posted August 26, 2007
Re: Tracing a break-in attempt

Thanks Tatat.

Tom, it will only lock out if they try a valid name and fail on the password. You are probably just seeing a random sweep. Obviously they will try common names like Administrator and Test, and you can't lock out Administrator, which is why you must have a long and complex password for it.

Blocking IPs won't get you anywhere, but you can specify IP blocks on a firewall or router.

Anthony,
http://www.airdesk.co.uk

"tatat" <default@nospam.com> wrote in message news:tN5Ai.125$ZA5.91@nlpi068.nbdc.sbc.com...
> If account lockout is configured it works for RWW as well.
> "Tom Del Rosso" <td_01@att.net.invalid> wrote in message
> news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
>> "Anthony" <anthony.spam@spammedout.com> wrote in message
>> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>>> To add to what Lanwench says, people will always try to break into an
>>> exposed interface. So you need:
>>> - good password policy
>>> - ideally lockout on failed attempts
>>> - two-factor authentication if it is really important
>>
>> Besides lockout from Windows logons, it would be nice to lock out from
>> failed RWW logons, but that's not an option, is it?
>>
>> --
>> Reply in group, but if emailing add another
>> zero, and remove the last word.
Guest Mathieu CHATEAU
Posted August 26, 2007
Re: Tracing a break-in attempt

Hello,

As best security, the administrator password would be renamed and disabled. Each administrator would have two accounts:
- a standard user one for daily tasks (mail/web...)
- an administrator account (a different one for each admin)

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Anthony" <anthony.spam@spammedout.com> wrote in message news:el3FUk75HHA.5164@TK2MSFTNGP05.phx.gbl...
> Thanks Tatat.
> Tom, it will only lock out if they try a valid name and fail on the
> password. You are probably just seeing a random sweep. Obviously they will
> try common names like Administrator and Test, and you can't lock out
> Administrator, which is why you must have a long and complex password for
> it.
> Blocking IPs won't get you anywhere, but you can specify IP blocks on a
> firewall or router.
> Anthony,
> http://www.airdesk.co.uk
>
> "tatat" <default@nospam.com> wrote in message
> news:tN5Ai.125$ZA5.91@nlpi068.nbdc.sbc.com...
>> If account lockout is configured it works for RWW as well.
>> "Tom Del Rosso" <td_01@att.net.invalid> wrote in message
>> news:uvFdHm05HHA.2380@TK2MSFTNGP02.phx.gbl...
>>> "Anthony" <anthony.spam@spammedout.com> wrote in message
>>> news:OpovBc05HHA.5796@TK2MSFTNGP05.phx.gbl
>>>> To add to what Lanwench says, people will always try to break into an
>>>> exposed interface. So you need:
>>>> - good password policy
>>>> - ideally lockout on failed attempts
>>>> - two-factor authentication if it is really important
>>>
>>> Besides lockout from Windows logons, it would be nice to lock out from
>>> failed RWW logons, but that's not an option, is it?
>>>
>>> --
>>> Reply in group, but if emailing add another
>>> zero, and remove the last word.
Guest emcc
Posted August 27, 2007
RE: Tracing a break-in attempt

So how do you trace it further? I had similar login failures (see an earlier post) reported in the security event log, but I can't find further information in other logfiles, e.g. IIS logs. So how can I tell where the login is being attempted? How did you know it was RWW in your case?

"Tom Del Rosso" wrote:
> On an SBS (2003 R1 standard) somebody has been trying to log in to the RWW as
> webmaster during the past few days. It produces event ID 529 with logon
> type 3, but the source IP doesn't seem to be recorded. The server has 2
> NICs, but not ISA.
>
> --
> Reply in group, but if emailing add another
> zero, and remove the last word.
Guest Tom Del Rosso
Posted August 27, 2007
Re: Tracing a break-in attempt

"emcc" <emcc@nospam.com> wrote in message news:DB1A6C8D-CE87-4C82-853B-255894DB7316@microsoft.com
> So how do you trace it further? I had similar login failures (see
> an earlier post) reported in the security event log, but I can't find
> further information in other logfiles, e.g. IIS logs. So how can I tell
> where the login is being attempted? How did you know it was RWW in
> your case?

RWW is the only thing opened that needs authentication. I mean SMTP doesn't need it. There is no other site available for a login that I know of.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Matthew X. Economou
Posted August 27, 2007
Re: Tracing a break-in attempt

emcc <emcc@nospam.com> writes:
> So how do you trace it further? I had similar login failures (see an
> earlier post) reported in the security event log, but I can't find
> further information in other logfiles, e.g. IIS logs. So how can I tell
> where the login is being attempted? How did you know it was RWW in your case?

How did you find this - by reviewing errors in the Event Log? If so, you should also check the IIS logs. It should log the source IP address and the error results (e.g., 401 for "access denied" errors, and I think this includes logon failures). Unfortunately, there's not much you can do beyond temporarily blocking the source address (or addresses) at your firewall or within IIS. :(

Best wishes,
Matthew

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
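The two logs that Mathieu and Matthew point at are complementary: Security event 529 (logon type 3) names the user that failed but, as Tom observed, carries no source address, while the IIS W3C log records the client address and the HTTP status (401 for a rejected request) but not the user. Joining the two on timestamp answers the question the thread is asking, which address tried which names. The script below is an added example written for this page, not code from the thread, from SBS or from Microsoft. It runs over constructed sample data, and the following are assumptions of the example rather than facts from the thread: the /Remote/logon.aspx path, the trimmed W3C field list, a 401 status for a rejected RWW logon, the pipe-separated flat export of the Security log, and a server time zone of UTC-4.

```python
"""Attribute failed logons (Security event 529, no source IP) to the client
address recorded in the IIS log (c-ip, status 401) by joining on time.
All sample data is constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed IIS 6 W3C log. IIS writes UTC timestamps by default. The logon
# path, the trimmed field list and the 401 for a failed logon are assumptions.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2007-08-25 02:00:01 POST /Remote/logon.aspx 443 - 203.0.113.77 401
2007-08-25 02:00:02 POST /Remote/logon.aspx 443 - 203.0.113.77 401
2007-08-25 02:00:04 POST /Remote/logon.aspx 443 - 203.0.113.77 401
2007-08-25 02:00:07 POST /Remote/logon.aspx 443 - 192.0.2.200 401
2007-08-25 02:00:07 POST /Remote/logon.aspx 443 - 192.0.2.201 401
2007-08-25 02:00:30 GET /Remote/default.aspx 443 - 198.51.100.8 200
2007-08-25 02:00:31 POST /Remote/logon.aspx 443 - 198.51.100.8 401
2007-08-25 02:00:40 POST /Remote/logon.aspx 443 jsmith 198.51.100.8 200
"""

# Constructed, simplified flat export of the Security log: local time, event
# ID, target user, logon type, workstation. No source address, as observed.
SECURITY_LOG = """\
2007-08-24 22:00:01|529|webmaster|3|SBSSERVER
2007-08-24 22:00:02|529|administrator|3|SBSSERVER
2007-08-24 22:00:04|529|test|3|SBSSERVER
2007-08-24 22:00:07|529|guest|3|SBSSERVER
2007-08-24 22:00:07|529|sales|3|SBSSERVER
2007-08-24 22:00:31|529|jsmith|3|SBSSERVER
2007-08-24 22:00:40|540|jsmith|3|SBSSERVER
"""

# Assumed server time zone (UTC-4). Event Viewer shows local time, IIS logs
# UTC, so one side has to be converted before the timestamps can be compared.
LOCAL_UTC_OFFSET = timedelta(hours=-4)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_iis(text):
    """Yield (utc_time, client_ip, status) for every request line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header names the columns
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(rec["date"] + " " + rec["time"], TS_FORMAT)
            yield ts, rec["c-ip"], int(rec["sc-status"])


def parse_security(text, local_utc_offset):
    """Yield (utc_time, user) for event 529 with logon type 3 only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, _workstation = line.split("|")
        if event_id == "529" and logon_type == "3":
            local = datetime.strptime(ts, TS_FORMAT)
            yield local - local_utc_offset, user.lower()


def attribute_failures(security_text, iis_text, local_utc_offset,
                       window=timedelta(seconds=2)):
    """Map client IP -> Counter of user names whose 529 event fell within
    `window` of a 401 from that IP. An event matching no IP, or more than
    one, is reported as unattributed rather than guessed."""
    rejected = [(ts, ip) for ts, ip, status in parse_iis(iis_text)
                if status == 401]
    by_ip = defaultdict(Counter)
    unattributed = []
    for ts, user in parse_security(security_text, local_utc_offset):
        ips = {ip for rts, ip in rejected if abs(rts - ts) <= window}
        if len(ips) == 1:
            by_ip[ips.pop()][user] += 1
        else:
            unattributed.append((ts, user, sorted(ips)))
    return dict(by_ip), unattributed


def summarize(by_ip):
    """Per IP: total failures, distinct names tried, and whether the built-in
    Administrator was among them (it cannot be locked out). Many names with
    few tries each is the random sweep described in the thread; many tries
    on one name is a brute force that lockout stops only if the name is valid."""
    rows = [(ip, sum(users.values()), len(users), "administrator" in users)
            for ip, users in by_ip.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    by_ip, leftovers = attribute_failures(SECURITY_LOG, IIS_LOG, LOCAL_UTC_OFFSET)
    for ip, total, distinct, admin in summarize(by_ip):
        print(f"{ip:15} failures={total} users={distinct} administrator={admin}")
    for ts, user, ips in leftovers:
        print(f"unattributed {ts} {user} candidates={ips}")
```

Against real data, replace the two embedded strings with a flat export of the Security log and the W3C log from the site's log directory (on IIS 6 the default is %SystemRoot%\system32\LogFiles\W3SVC<site id>\). The two-second window is a heuristic: clock skew and time-zone mistakes between the two logs are the usual reason nothing matches, and when two addresses are rejected in the same second the script lists both candidates instead of picking one, since a wrong attribution is worse than none when the result is going into a firewall rule.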
Guest Lanwench [MVP - Exchange]
Posted August 27, 2007
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OniD2ny5HHA.5844@TK2MSFTNGP02.phx.gbl
>> Tom Del Rosso <td_01@att.net.invalid> wrote:
>>> On an SBS (2003 R1 standard) somebody has been trying to log in to
>>> the RWW as webmaster during the past few days. It produces event
>>> ID 529 with logon type 3, but the source IP doesn't seem to be
>>> recorded. The server has 2 NICs, but not ISA.
>>
>> I'm presuming you have a good hardware firewall appliance between
>> your network & the internet - if so, you might check its logs. If you
>> don't have a firewall such as this - get one.
>
> Just a router there. SBS has a software firewall,

Yes, but if you're wise, you will not use that. Protect your network with a decent appliance. I don't use two NICs if I'm not going to put ISA on the box - and I don't want to turn an already busy server into a router, nor expose it to the Internet this way.

> and port 443 would
> have to be open even with a firewall appliance.
>
> Yeah, it would be nice to have that logging, but it would also be nice
> if SBS logged the IP when it logs the event. Evidently it doesn't.
Guest Tom Del Rosso
Posted August 28, 2007
Re: Tracing a break-in attempt

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:umdfytL6HHA.4584@TK2MSFTNGP03.phx.gbl
> Yes, but if you're wise, you will not use that. Protect your network
> with a decent appliance. I don't use two NICs if I'm not going to put
> ISA on the box - and I don't want to turn an already busy server into
> a router, nor expose it to the Internet this way.

I know. Most of my LANs have a Sonicwall or Watchguard. It's hard to convince some people when they say they got along without it before.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Lanwench [MVP - Exchange]
Posted August 29, 2007
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:umdfytL6HHA.4584@TK2MSFTNGP03.phx.gbl
>> Yes, but if you're wise, you will not use that. Protect your network
>> with a decent appliance. I don't use two NICs if I'm not going to put
>> ISA on the box - and I don't want to turn an already busy server into
>> a router, nor expose it to the Internet this way.
>
> I know. Most of my LANs have a Sonicwall or Watchguard. It's hard to
> convince some people when they say they got along without it before.

Definitely.
Guest Dave the Clueless
Posted August 29, 2007
Re: Tracing a break-in attempt

On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
> Hello,
>
> as best security, the administrator password would be renamed and disabled.
> Each administrator would have two account:
> -a standard user one for daily tasks (mail/web...)
> -an administrator account (a different of each admins)
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Anthony" <anthony.s...@spammedout.com> wrote in message

AFAIK, renaming the Administrator account in SBS is just begging for trouble.

Dave
Guest Mathieu CHATEAU
Posted August 29, 2007
Re: Tracing a break-in attempt

You hit it, SBS seems special from top to bottom!

Why You Should Disable the Administrator Account
http://www.microsoft.com/technet/technetmag/issues/2006/01/SecurityWatch/

"This list needs to be considered in every environment. For instance, if you run Microsoft Small Business Server (SBS), you need the built-in Administrator account. That account is used by the OS after installation. SBS 2003 Service Pack 1 also will only apply properly if you run it as the built-in Administrator."

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Dave the Clueless" <dave@atrbiotech.com> wrote in message news:1188414034.215012.321790@19g2000hsx.googlegroups.com...
> On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
>> Hello,
>>
>> as best security, the administrator password would be renamed and
>> disabled.
>> Each administrator would have two account:
>> -a standard user one for daily tasks (mail/web...)
>> -an administrator account (a different of each admins)
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Anthony" <anthony.s...@spammedout.com> wrote in message
>
> AFAIK, renaming the Administrator account in SBS is just begging for
> trouble.
>
> Dave
Guest Gregg Hill
Posted August 30, 2007
Re: Tracing a break-in attempt

I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key word here, but it has been that way for three years.

Gregg Hill

"Dave the Clueless" <dave@atrbiotech.com> wrote in message news:1188414034.215012.321790@19g2000hsx.googlegroups.com...
> On Aug 26, 4:22 am, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
>> Hello,
>>
>> as best security, the administrator password would be renamed and
>> disabled.
>> Each administrator would have two account:
>> -a standard user one for daily tasks (mail/web...)
>> -an administrator account (a different of each admins)
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Anthony" <anthony.s...@spammedout.com> wrote in message
>
> AFAIK, renaming the Administrator account in SBS is just begging for
> trouble.
>
> Dave
Guest Tom Del Rosso
Posted September 1, 2007
Re: Tracing a break-in attempt

"Gregg Hill" <bogus@nowhere.com> wrote in message news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
> word here, but it has been that way for three years.

I think he meant SBS doesn't like disabling the account and creating another one with a different RID. Just changing the logon name seems OK.

--
Reply in group, but if emailing add another zero, and remove the last word.
Guest Lanwench [MVP - Exchange]
Posted September 1, 2007
Re: Tracing a break-in attempt

Tom Del Rosso <td_01@att.net.invalid> wrote:
> "Gregg Hill" <bogus@nowhere.com> wrote in message
> news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
>> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
>> word here, but it has been that way for three years.
>
> I think he meant SBS doesn't like disabling the account and creating
> another one with a different RID. Just changing the logon name seems
> OK.

Perhaps it's been fixed now, but there was definitely a bug in SBS wherein the Administrator name was hard-coded into some buried components of Monitoring & Reporting, which prevented it from reinstalling properly. Worked on the problem for *ages* with a level 2 PSS dude until we figured that out. I no longer bother with such security by obscurity. I don't see the point anyway; anyone who's trying to get in is just looking for that well-known SID anyway. You'd only be fending off the completely inept.
Guest Gregg Hill
Posted September 2, 2007
Re: Tracing a break-in attempt

Good points. I did not realize the SID was all that was needed (or is it?). However, let's say one has a terminal server with 3389 open to the Internet (I know a VPN first or firewall authentication first would help). How does the hacker try to get into the TS? Don't they just start with "administrator" and a dictionary or other attack?

Gregg Hill

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:%23Y4ZdkL7HHA.3528@TK2MSFTNGP04.phx.gbl...
> Tom Del Rosso <td_01@att.net.invalid> wrote:
>> "Gregg Hill" <bogus@nowhere.com> wrote in message
>> news:e13TSvr6HHA.1208@TK2MSFTNGP03.phx.gbl
>>> I renamed mine via GPO without a hitch yet. Perhaps "yet" is the key
>>> word here, but it has been that way for three years.
>>
>> I think he meant SBS doesn't like disabling the account and creating
>> another one with a different RID. Just changing the logon name seems
>> OK.
>
> Perhaps it's been fixed now, but there was definitely a bug in SBS wherein
> the Administrator name was hard-coded into some buried components of
> Monitoring & Reporting, which prevented it from reinstalling properly.
> Worked on the problem for *ages* with a level 2 PSS dude until we figured
> that out. I no longer bother with such security by obscurity. I don't see
> the point anyway; anyone who's trying to get in is just looking for that
> well-known SID anyway. You'd only be fending off the completely inept.