Windows 2008 R2 Server failed logon attempts
Hello, I'm a noob on Windows Server 2008. I've set up a web server in the last couple of weeks and things seem OK. However, I decided to check the Event Viewer today and I've noticed 1000s of logon attempts. So what is the best practice to ban these people? I would like to rename the Admin and Guest user IDs via local policy. Is there anything else I should be doing? I've seen a post which mentions moving the port for remote connection via Windows Firewall. Where can I get a list of free ports? It would be nice for Microsoft to auto-ban IPs after they try, say, 10 attempts. I am dumbfounded that I can see all these messages and my server just sits there and allows it to happen over and over and over (repeat 10K times).
March 29th, 2012 7:23pm

I'd ask them here about IIS http://forums.iis.net/ Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]
March 29th, 2012 7:41pm

Why would I ask on the IIS site about logon attempts to Windows Server 2008? OK, I mentioned "web server" once, I guess that must have thrown you. I have a Windows Server 2008 R2 Virtual Personal Server, running 1 web site, 1 email site and 1 FTP site. When I look in Event Viewer, the Security log, I see 1000s of failed logon attempts. I've looked for security best practices but cannot find any. I SEEM to remember running a tool to check the server configuration to see if there was something I needed to do via a server management panel?? I cannot remember the exact details. This passed with about 10 ticks. But the server as set up by my hosting provider did NOT rename the Administrator user ID nor Guest. So what is the best practice to ban these people? I would like to rename the Admin and Guest user IDs via local policy. Is there anything else I should be doing? I've seen a post which mentions moving the port for remote connection via Windows Firewall. Where can I get a list of free ports? I really do not want to lock myself out of the server. I've considered blocking all IP addresses but my own, BUT I've checked my IP address from my ISP and it has changed over the last month, so I guess it's a no can do. Any ideas? BTW the IIS forum is not very good for replies. You sometimes get a reply but most times it takes days to get anything, if at all.
March 29th, 2012 7:56pm

Most likely the logon attempts are the result of the ports that were opened because of those incoming services, which is why I suggest that site. They are the experts for IIS and FTP services management. Generally the free ports are the ones you're not currently using. As long as you don't have some service or app, client- or server-side, using it you should be OK. http://www.sockets.com/services.htm Browse this page from your server to see what's exposed: http://www.canyouseeme.org/ Also https://www.grc.com/x/ne.dll?bh0bkyd2 Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]
March 29th, 2012 8:21pm

Hello, Thanks for the port checkers, I will try them later. The message event ID is 4625. There is a similar forum entry here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9a5ea3fc-96f5-492f-9acd-0f865c4ae6e5 However this paragraph does not make any sense to me: "To block the authentication access from the unknown IPnetwork segment, the best solution is to allow the special IPnetwork segment communication though firewall or block the unknown IPnetwork segment again and again by checking the event log." The words "segment" and "special network segment" mean nothing to me. I assume the guy means blocking the IP addresses, or only allowing IP addresses for my PC during the RDC connection? It's unclear what he means as regards which port is actually being targeted. I'm guessing RDC because he mentions it. I understand some of what you are saying, however I'm not clear exactly what this message means. I can't even tell what protocol they are using and which port they are targeting. I assume it is a logon and therefore an RDC connection, but I guess it might be FTP, although I run with that website shut down at the moment. I do hope Microsoft has by now stopped allowing 1000s of logon attempts in Windows Server 8; if not, then someone give them a nudge? I can't keep my eyes open any longer, gonna have to go to sleep. They are currently at it at the moment and there is nothing I can do about it...

Subject:
  Security ID: SYSTEM
  Account Name: my server name
  Account Domain: my server group
  Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: root
  Account Domain: my server name
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
Process Information:
  Caller Process ID: 0x9f0
  Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: my server name
  Source Network Address: 80.38.208.79
  Source Port: 13608
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
March 29th, 2012 8:47pm

Did you put that web server in a DMZ directly? If the user just needs web access, maybe a port 80 redirect might really secure the server. I get scanned like 100x a day for common ports. If someone finds your server, and if it's open, maybe you get hammered. MCP | MCTS 70-236: Exchange Server 2007, Configuring
March 29th, 2012 8:53pm

Logon type 10 is remote interactive so probably someone trying to RDP in. Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]
March 29th, 2012 9:07pm
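Given the diagnosis above (logon type 10, so RDP is the service being hammered), here are the two hardening steps the original poster asked about, renaming the built-in Administrator and Guest accounts and moving RDP off TCP 3389, as an added PowerShell example for a 2008 R2 host. This is not code from any participant in this thread; the new account names, the port number and the firewall rule name in it are placeholders to change.

```powershell
# Added example, not from any participant in this thread: the two hardening steps the original
# poster asked about, on Windows Server 2008 R2 from an elevated PowerShell (2.0) session.
# Assumptions: $NewAdminName, $NewGuestName and $NewRdpPort are placeholders to change.
$NewAdminName = 'srvadmin'
$NewGuestName = 'srvguest'
$NewRdpPort   = 3390        # any TCP port nothing else listens on; 'netstat -ano' lists what is in use

function Rename-BuiltinAccount {
    # Find the account by its well-known RID (Administrator = ...-500, Guest = ...-501),
    # so this works whatever the account happens to be called at the moment.
    param([int]$Rid, [string]$NewName)
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-$Rid'"
    if (-not $acct) { throw "No local account with RID $Rid" }
    if ($acct.Name -eq $NewName) { return "RID $Rid is already named $NewName" }
    $old = $acct.Name
    $result = $acct.Rename($NewName)          # WMI method; ReturnValue 0 means success
    if ($result.ReturnValue -ne 0) { throw "Rename of $old failed, WMI return code $($result.ReturnValue)" }
    return "Renamed RID $Rid from $old to $NewName"
}

function Move-RdpPort {
    param([int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
    if ($current -eq $Port) { return "RDP already listens on $Port" }
    # Open the new port in Windows Firewall FIRST, so there is never a moment where
    # RDP is reachable on neither port (the "lock myself out" case).
    netsh advfirewall firewall add rule name="RDP-$Port" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port
    # The listener only moves when the Remote Desktop service restarts. That drops current RDP
    # sessions, so run this from the hosting provider's console, not from the session you want to keep.
    Restart-Service TermService -Force
    return "RDP moved from $current to $Port; the built-in 'Remote Desktop (TCP-In)' rule still allows 3389"
}

Rename-BuiltinAccount -Rid 500 -NewName $NewAdminName
Rename-BuiltinAccount -Rid 501 -NewName $NewGuestName
Move-RdpPort -Port $NewRdpPort
```

Order matters: the script opens the new port before changing the listener, and it deliberately leaves the built-in 3389 rule enabled. Only after a fresh connection on the new port succeeds (mstsc /v:yourhost:3390 from a second client) should you disable the old one from a command prompt with netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no. Two caveats a practitioner should know: renaming only defeats guesses that use the default name (the 4625 sample posted above shows the attacker trying "root", so they are guessing names anyway), and the RID-500 account is exempt from the account lockout policy, so renaming and moving the port are noise reduction, not a substitute for blocking the source addresses.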

Hi, you can use third-party tools like RdpGuard which allow you to automatically block/unblock an attacker's IP address on the firewall.
April 24th, 2012 2:11pm

I'm the CTO of a Swedish cloud computing company called Red Cloud IT, and when we started up our cloud services based on Windows in 2009 we quite soon started seeing this problem. We had loads of 4625 errors (brute force / dictionary attacks) and since the system was already up and running we couldn't just change the ports to which our clients connect. That would be a gruesome task for us and it would not reflect well on our service, given the hassle it would cause for our clients. We also had a lot of similar attacks on the Exchange webmail interface (OWA) and basically on every service that was facing the Internet.

Basically what we did each time was manually look at the log files, block the attacking IP address (when deemed a "background noise" attack, i.e. a dictionary attack from a country where none of our customers are), trace the IP address to where it originated to make sure it wasn't something important, and after that decide whether it should be a matter for further investigation. At night, no one was checking this at all, which meant that an attack could go on all night before someone actually took care of it. The situation was not sustainable, to say the least.

We did some experiments with using a fake route to the offending IP, but the RDP services seemed to stop working because of that (my guess is that when the connection is attempted, the RDP server of course tries to reply back and since it can't reach the IP in question, the IP stack runs into trouble). We accomplished this by triggering a .vbs script from the Task Scheduler. We realized that this would become an administrative nightmare further down the road as our customer base grew. We started looking for software that could help us out and we did have a few requirements. We found a few good scripts that could help us do the most basic tasks really, autoblocking the IP and so on, but we also realized after a while that we needed the ability to whitelist stuff (say the server IP segment, for instance: if a domain admin changed a password somewhere, one of the servers would just block the originating server, believing it was being brute forced). One of our concerns was also that if we were to have more and more techies, they too would have to understand every aspect of the scripts and how to modify them if needed, and that just wouldn't do. What we wanted was software with an easy-to-understand GUI to create rules and so on, without having to send people to courses for actually handling a problem that should be handled automatically within the OS.

In retrospect (and I suppose this is for future generations) I would have done these things:
- Changed the RDP port to a non-standard one (the drawback might be that some firewalls will not let you connect, so that might be a problem)
- Used the TS Gateway service only (on TCP port 443), although that wouldn't actually help us get rid of this problem (since it would be facing the Internet and available for everyone)
- If we'd had the means, we'd probably have set up an IDS/IPS, but unfortunately they're quite costly to implement and not that easy to administer, and they do require more hardware in the datacenter
- VPN connections for each customer/user would be far too complex and costly

Basically what we did was develop software that meets our requirements, and it will actually be out for public release soon (we believe it will be in July/August 2012). Keep an eye out on http://www.syspeace.com

In essence, what it does is comply with the rules we've set up (if this IP address fails to log in X number of times during the timeframe of Y, then block it on ALL ports for Z amount of time), X being the number of failed tries, Y being for instance 30 minutes and the block period being for instance 2 hours. We have an easily understandable GUI for setting up rules and seeing the rules that are active.
July 13th, 2012 1:42am
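The X/Y/Z rule described in the post above (together with the whitelist need it mentions, and the auto-block/unblock behaviour the RdpGuard reply refers to), as an added PowerShell example that does it with what Windows Server 2008 R2 already ships: read 4625 events from the Security log, count failures per source address within the window, and add a Windows Firewall block rule for every port, with the expiry encoded in the rule name so a later run can remove it. This is not Syspeace's code or anything posted in the thread; the threshold values, the whitelist addresses, the rule-name prefix and the script path in the scheduling command are assumptions.

```powershell
# Added example, not Syspeace's or any poster's code: the X/Y/Z rule from the post above,
# implemented for Windows Server 2008 R2 with what the OS ships (Security log, Windows Firewall,
# Task Scheduler). PowerShell 2.0 compatible. Run elevated.
# Assumptions (placeholders): the tunables below, the whitelist addresses and the rule-name prefix.
$Threshold     = 10      # X: failed logons from one address ...
$WindowMinutes = 30      # Y: ... within this many minutes ...
$BlockMinutes  = 120     # Z: ... get every port blocked for this long
$Whitelist     = @('127.0.0.1', '::1', '192.0.2.0/24')   # assumed management addresses, never blocked
$RulePrefix    = 'AutoBlock4625'

function ConvertTo-UInt32 {
    # IPv4 dotted quad -> unsigned integer; $null for IPv6 or junk
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $null }
    $b = $addr.GetAddressBytes()
    if ($b.Length -ne 4) { return $null }
    [Array]::Reverse($b)                       # BitConverter is little-endian on x86/x64
    return [System.BitConverter]::ToUInt32($b, 0)
}

function Test-InWhitelist {
    param([string]$Ip)
    foreach ($entry in $Whitelist) {
        if ($Ip -eq $entry) { return $true }
        if ($entry -notmatch '^([\d.]+)/(\d+)$') { continue }   # beyond exact matches, IPv4 CIDR only
        $net = $matches[1]; $bits = [int]$matches[2]
        $ipN  = ConvertTo-UInt32 $Ip
        $netN = ConvertTo-UInt32 $net
        if ($ipN -eq $null -or $netN -eq $null) { continue }
        # Mask built arithmetically: PowerShell 2.0 (the 2008 R2 default) has no -shl/-shr operators
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        if (($ipN -band $mask) -eq ($netN -band $mask)) { return $true }
    }
    return $false
}

function Get-FailedLogons {
    # One object per 4625 since $Since, carrying the fields the sample event in this thread shows
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if (-not $e) { continue }              # PS 2.0 iterates once over $null
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time = $e.TimeCreated; Ip = $data['IpAddress']
            LogonType = $data['LogonType']; User = $data['TargetUserName']
        }
    }
}

function Get-BlockRules {
    # Our own rules, parsed back from their names: ip -> expiry (yyyyMMddHHmm)
    $rules = @{}
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match "^Rule Name:\s+${RulePrefix}_(\S+)_exp(\d{12})\s*$") { $rules[$matches[1]] = $matches[2] }
    }
    return $rules
}

function Add-BlockRule {
    param([string]$Ip)
    $expires = (Get-Date).AddMinutes($BlockMinutes).ToString('yyyyMMddHHmm')
    # A block rule wins over any allow rule in Windows Firewall, so this closes every port for the address
    netsh advfirewall firewall add rule name="${RulePrefix}_${Ip}_exp$expires" dir=in action=block remoteip=$Ip | Out-Null
}

function Remove-ExpiredRules {
    $now = (Get-Date).ToString('yyyyMMddHHmm')
    $rules = Get-BlockRules
    foreach ($ip in @($rules.Keys)) {
        if ($rules[$ip] -lt $now) {            # fixed-width digit strings compare correctly as strings
            netsh advfirewall firewall delete rule name="${RulePrefix}_${ip}_exp$($rules[$ip])" | Out-Null
        }
    }
}

# ---- main: one pass; schedule it every few minutes ----
Remove-ExpiredRules
$since     = (Get-Date).AddMinutes(-$WindowMinutes)
$existing  = Get-BlockRules
$offenders = Get-FailedLogons -Since $since |
    Where-Object { $_.Ip -and $_.Ip -ne '-' -and -not (Test-InWhitelist $_.Ip) } |
    Group-Object Ip | Where-Object { $_.Count -ge $Threshold }
foreach ($g in $offenders) {
    if (-not $g) { continue }
    if ($existing.ContainsKey($g.Name)) { continue }      # already blocked, rule not yet expired
    Add-BlockRule -Ip $g.Name
    $types = ($g.Group | ForEach-Object { $_.LogonType } | Sort-Object -Unique) -join ','
    $users = ($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique | Select-Object -First 5) -join ','
    Write-Output ("Blocked {0}: {1} failures since {2:HH:mm}, logon types {3}, users tried: {4}" -f $g.Name, $g.Count, $since, $types, $users)
}
```

To run it unattended, save it (the path is an assumption) and register it with schtasks /Create /SC MINUTE /MO 5 /RU SYSTEM /TN AutoBlock4625 /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\AutoBlock4625.ps1". The whitelist exists for exactly the reason the post gives (a legitimate server or admin failing a few logons after a password change must not be cut off), so put your own management addresses in it before the first run; events whose Source Network Address is "-" carry no address to block and are skipped, so if you later turn on Network Level Authentication, check that 4625 still records the address on this OS. Because the block covers every port, one bad whitelist entry locks you out as thoroughly as it locks out the attacker; the expiry in the rule name is what limits the damage.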
