Question : Server Security

Hi all

In the security logs I have repeated failed log in attempts

This is the error

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Admin
       Domain:            Domain
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      server-242424
       Caller User Name:      server-242424$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      3544
       Transited Services:      -
       Source Network Address:      96.56.146.250
       Source Port:      1065


Every time this error appears it seems to be on a different port.
Every hour or so the user name changes.

I am worried that this is someone trying to hack into this server

I don't use the usual username for the administrator account and the guest account is renamed and disabled

Is there anything I can do to stop this IP address connecting to my server?

Also I need to lock down this server without affecting users too much

Any advice would be greatly appreciated

Thanks
Robbie

PS.  the server is SBS 2003

Answer : Server Security

"Is there anything I can do to stop this IP address connecting to my server"

This depends on what firewall solution is installed. I currently use Microsoft ISA Server 2004 to protect a ~50 node SBS 2003 network and if I wanted to block a specific IP these are the steps I would take:

1) Open the ISA Server Management console.
2) Expand the (computer name) node and click Firewall Policy.
3) On the Tasks panel click Create New Access Rule.
4) Enter an Access Rule Name such as 'Global IP Blacklist'. Click Next.
5) Choose Deny for the action to take when rule conditions are met.
6) Choose 'This rule applies to:' All Outbound Traffic. Click Next.
7) On the Access Rule Sources screen click the Add button.
8) On the Add Network Entities screen click the down arrow beside the New menu option and choose Computer.
9) Enter a meaningful Name to identify this computer and add the Computer IP Address of the computer you wish to block.
10) Click OK, then on the Add Network Entities window expand the Computers node.
11) Double-click the Computer we just added and click Close.
12) On the Access Rule Sources dialog click the Next button.
13) The next screen should be Access Rule Destinations. Click the Add button.
14) Expand the Network Sets node and double-click the All Protected Networks object.
15) Click Close, then click Next on the Access Rule Destinations dialog.
16) On the User Sets screen ensure that 'this rule applies to...' All Users. Click Next and Finish.

Hopefully this helps. If you are not using ISA Server I can help you find an alternative solution but I must know what firewall solution you currently use.
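
Added example (not part of the original question or answer): before adding a block rule, it helps to see which source addresses account for the failures. This Python sketch parses exported event text in the layout of the log entry quoted in the question and groups failures by Source Network Address. The sample records, addresses, user names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event quoted in the question.
# Addresses come from documentation ranges; user names are made up.
TEMPLATE = ("Logon Failure:\n"
            "       Reason:            Unknown user name or bad password\n"
            "       User Name:      {user}\n"
            "       Logon Type:      {ltype}\n"
            "       Source Network Address:      {ip}\n"
            "       Source Port:      {port}\n")
ROWS = [("Admin", 10, "203.0.113.7", 1065), ("Admin", 10, "203.0.113.7", 1190),
        ("backup", 10, "203.0.113.7", 1312), ("test", 10, "203.0.113.7", 1477),
        ("jsmith", 3, "192.0.2.15", 2051)]
SAMPLE = "".join(TEMPLATE.format(user=u, ltype=t, ip=i, port=p) for u, t, i, p in ROWS)

# "   Field Name:   value" -> ("Field Name", "value"); splits on the first colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_failures(text):
    """Return one dict of fields per 'Logon Failure:' record in the text."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Logon Failure":
            records.append({})          # header line starts a new record
        elif records:
            records[-1][key] = value
    return records

def summarize(records, min_failures=3):
    """Group failures by source address; keep sources at or above the threshold."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "ports": set(), "remote_desktop": False})
    for r in records:
        s = by_ip[r.get("Source Network Address", "-")]
        s["failures"] += 1
        s["users"].add(r.get("User Name", "?"))
        s["ports"].add(r.get("Source Port", "?"))
        # Logon Type 10 is RemoteInteractive (Terminal Services / Remote Desktop).
        s["remote_desktop"] |= r.get("Logon Type") == "10"
    return {ip: s for ip, s in by_ip.items() if s["failures"] >= min_failures}

if __name__ == "__main__":
    for ip, s in summarize(parse_failures(SAMPLE)).items():
        print(ip, s["failures"], sorted(s["users"]), len(s["ports"]), s["remote_desktop"])
```

A source that shows many failures, several different user names and Logon Type 10 matches the pattern described in the question. A single failure from one address, like the last sample record, stays below the threshold.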
