Re: Failed Login Attempts-Non Existent Accounts

From: JM_Metal (JMMetal_at_discussions.microsoft.com)
Date: 03/25/05

    Date: Fri, 25 Mar 2005 07:05:08 -0800
    
    

    Thanks Steven---We do run the MBSA and it has helped plug some holes, and we
    tightened up as much as possible on services. The perf logs and alerts link
    looks like a good place to start.

    Jeff

    "Steven L Umbach" wrote:

    > First I would make sure that your firewall is correctly configured and that
    > the server is properly hardened in that unnecessary services are disabled.
    > MBSA can help you with that and keep in mind that file and print sharing
    > should be disabled on servers that do not need it and all external network
    > adapters. If you have file and print sharing ports exposed to the internet
    > you certainly will get hit with a lot of brute force password attacks. If
    > you deny the IP address at your firewall device it should not degrade the
    > server's performance. You might be able to use performance monitor to alert
    > you if failed logon attempts go beyond a threshold you define. --- Steve
    >
    > http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
    > http://scan.sygatetech.com/ --- check your firewall here [basic check]
    >
    > "JM_Metal" <JMMetal@discussions.microsoft.com> wrote in message
    > news:FFE8407F-4CFD-4E15-838E-65F2F1551157@microsoft.com...
    > > Hi All,
    > >
    > > We have a W2K3 server getting hit with login attempts to accounts that do
    > > not exist (ex: admin) on the server (brute force DOS attempts maybe). I can
    > > deny access when I see the IP address of the offender, but performance is
    > > degrading during the attack. Is there a util that will report via e-mail
    > > or pager when a login attempt hits a pre-defined threshold, or shut them out
    > > immediately?
    > >
    > > I have policies in place to limit failed login attempts for legit
    > > accounts. I could not find any native Windows functions for this. Any help is
    > > greatly appreciated.
    > >
    > > Thanks,
    > > Jeff
    > >
    >
    >
    >
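
The threshold alert discussed in this thread, sketched as an added example that is not part of the original posts: it counts failed logons per source address in a sliding time window and reports each source once when it reaches the threshold, listing which targeted accounts do not exist. The record layout (time, source IP, account), the account names and the threshold values are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records (time, source IP, account); not real log data.
# 192.0.2.x and 198.51.100.x are documentation-only address ranges.
SAMPLE_EVENTS = [
    ("2005-03-25 07:00:01", "192.0.2.10", "admin"),
    ("2005-03-25 07:00:03", "192.0.2.10", "administrator"),
    ("2005-03-25 07:00:05", "192.0.2.10", "root"),
    ("2005-03-25 07:00:07", "192.0.2.10", "test"),
    ("2005-03-25 07:00:09", "192.0.2.10", "admin"),
    ("2005-03-25 07:00:11", "192.0.2.10", "guest"),
    # A legitimate user mistyping a password twice: should not alert.
    ("2005-03-25 07:00:30", "198.51.100.7", "jeff"),
    ("2005-03-25 07:02:00", "198.51.100.7", "jeff"),
    # A slow source, one attempt every two minutes: stays under the window.
] + [(f"2005-03-25 07:{m:02d}:00", "192.0.2.99", "admin") for m in range(10, 20, 2)]

KNOWN_ACCOUNTS = {"jeff", "backupsvc"}  # hypothetical accounts that exist


def find_offenders(events, known_accounts, threshold=5,
                   window=timedelta(seconds=60)):
    """Return one alert per source reaching `threshold` failures in `window`."""
    recent = defaultdict(deque)  # source -> (time, account) inside the window
    alerted = set()              # sources already reported, to avoid repeats
    alerts = []
    for stamp, source, account in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        queue = recent[source]
        queue.append((when, account))
        # Drop failures that have aged out of the sliding window.
        while when - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold and source not in alerted:
            alerted.add(source)
            unknown = sorted({a for _, a in queue
                              if a.lower() not in known_accounts})
            alerts.append({"source": source, "failures": len(queue),
                           "first_seen": queue[0][0],
                           "unknown_accounts": unknown})
    return alerts


if __name__ == "__main__":
    for alert in find_offenders(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(alert)
```
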

