How to block bots from attempting administrator login (windo

sstonemaker
New to forums
Posts: 5
Joined: Mon Jun 07, 2010 9:23 pm

How to block bots from attempting administrator login (windo

Post by sstonemaker »

Hi:

I blocked remote desktop default port 3389 from all but my local IP address through an adjusted firewall rule, but it did not stop a bot from successfully attempting to access the server. The firewall rule works, because I tried entering a different IP address from my local IP address, and it disconnected me from remote desktop - as expected.

My question is, could bots be attempting login through a different port or protocol? It would appear to me that something is exposed, and that they are not overriding the firewall rule. Note, the Server service has also been disabled.

Any info would be helpful.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How to block bots from attempting administrator login (w

Post by Edge100x »

I'm about to log off for the night, but I thought I'd post at least a quick response --

There are many other Microsoft services that use authentication and may be worth disabling. You can get a list of all of the listening servers on your machine from the command prompt with this command:

Code:

netstat -ano

Under the "PID" column, you can see which process corresponds to each port. Then you can turn on the PID column in the task manager (under View->Select columns) to match them up through the "Services" page (if you run Win2k8/Win2k8 R2). If you don't have a "Services" page, you can use the "tasklist /svc" command from the command line to find them instead.

I'd recommend exploring each service that runs on a port and deciding if it's something you use and need. If not, disabling it is worth a try.

You could also use a firewall to block whatever traffic you don't want hitting the server.
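As an added example, not code from the post or from NFO, the script below does the PID matching the reply describes by hand: it joins saved text output of "netstat -ano" and "tasklist /svc" on the PID column so every listening port is shown with its owning image and service names. Both command outputs here are constructed samples, and all function names are my own.

```python
import re

# Constructed samples of `netstat -ano` and `tasklist /svc` output (not from the post).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1268
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     1268
  UDP    0.0.0.0:123            *:*                                    1012
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    744 RpcEptMapper, RpcSs
svchost.exe                   1012 W32Time, Dnscache
svchost.exe                   1268 TermService
"""

def listening_ports(netstat_text):
    """(proto, port, pid) for every bound listener in `netstat -ano` output."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if f and f[0] == "TCP" and len(f) == 5 and f[3] == "LISTENING":
            found.append(("TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])))
        elif f and f[0] == "UDP" and len(f) == 4:  # no State column; every bound socket counts
            found.append(("UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])))
    return found

def services_by_pid(tasklist_text):
    """PID -> (image name, [service names]) from `tasklist /svc` output."""
    table = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)
        if m:  # header and ===== ruler lines have no PID column and are skipped
            svc = m.group(3).strip()
            table[int(m.group(2))] = (m.group(1), [] if svc == "N/A" else svc.split(", "))
    return table

def map_ports(netstat_text, tasklist_text):
    """Join both listings on PID, as the post describes doing by hand."""
    owners = services_by_pid(tasklist_text)
    rows = []
    for proto, port, pid in sorted(listening_ports(netstat_text), key=lambda t: t[1]):
        image, services = owners.get(pid, ("<unknown>", []))
        rows.append({"proto": proto, "port": port, "pid": pid, "image": image, "services": services})
    return rows
```

On the server itself, redirect each command to a file ("netstat -ano > ports.txt", "tasklist /svc > svc.txt") and pass the file contents to map_ports; each row then tells you which service to evaluate or firewall.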
sstonemaker
New to forums
Posts: 5
Joined: Mon Jun 07, 2010 9:23 pm

Re: How to block bots from attempting administrator login (w

Post by sstonemaker »

I followed the procedure, and I don't quite know the impact of disabling certain services, so I am highly cautious. But I wonder how any of these services can be used to attempt authentication on the server? Isn't authentication reserved for certain port(s), and via TCP? This is the part that has me confused.

I don't see how anything should be able to access the server itself without first authenticating via RDP (or some other "front door"), unless there is an entry point elsewhere on the network.

I'm trying to figure out what "front door" is being utilized to attempt Administrator login, since my firewall rule on port 3389 appears to be in effect, and there are still unauthorized attempts to access the server, which the firewall should be stopping altogether.

Perhaps I have a misconception of "front door" access, but this can apply to any entry point which can be used to actually log into the server as Administrator.
sstonemaker
New to forums
Posts: 5
Joined: Mon Jun 07, 2010 9:23 pm

Re: How to block bots from attempting administrator login (w

Post by sstonemaker »

One other tidbit to add to my response above:

I've modified the default Remote Desktop firewall rule to only allow access from my local IP address (remote to the server). Please let me know the potential that my IP address is being successfully spoofed.
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How to block bots from attempting administrator login (w

Post by Edge100x »

I'd have to see the exact access log messages to know for certain, but multiple services (running on multiple ports) support authentication in Windows. Terminal services is just one of them; the "server" service is one other. RDP is actually not a very common point of entry for authentication-based attacks.

Firewalling off everything but your personal IP is a fairly drastic measure that will affect your flexibility to access the server. I would recommend that you change the terminal services port instead, and use a secure password.

It's not possible to spoof your IP for use in an ongoing TCP connection, since bidirectional communication is involved.
sstonemaker
New to forums
Posts: 5
Joined: Mon Jun 07, 2010 9:23 pm

Re: How to block bots from attempting administrator login (w

Post by sstonemaker »

Below are the details from a failed security audit (from event viewer). According to the explanation at the bottom, these attempts could be coming from the network via Server service. And Logon Type 3 confirms this to be a network attempt.

However, Server service had already been disabled. So I am unclear now as to how this can be attempted.

And certainly, I am cautious to this extent, because these are static measures that I can put into effect, and focus my energy elsewhere.

==================================================
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator
Account Domain: SERVER22826

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: SERVER22826
Source Network Address: 173.236.52.50
Source Port: 3778

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

==================================================
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: How to block bots from attempting administrator login (w

Post by Edge100x »

I don't see anything there that mentions the "server" service -- that one could also be from RPC.

The netstat line that I mentioned will tell you all ports that you have open. You can always add firewall rules to just block each of those ports, if you aren't sure which service to try shutting down, and you just want to stop seeing those notes in your log. Or, if you see a single IP making a lot of attempts, you can block just that source IP.

Seriously, though, I wouldn't worry about this. Automated scripts from zombie computers are constantly testing pretty much every internet-connected IP for basic username/password combinations (like "Administrator/password123" and so on). It's a very well-understood situation that has been constant for the last 10+ years, and Windows services are designed with it in mind (limiting the number of tests that can be performed per second per IP, and so on). If you have a secure password, this type of automated attempt is not a concern.
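An added example, not code from the thread: this script reads a text export of "An account failed to log on" events in the layout sstonemaker posted, keeps only network logons (Logon Type 3, the kind that reach the server over a socket) and counts failures per Source Network Address, which is the information needed to block a single noisy source as suggested above. The event text, account names and addresses are constructed, and the two sub-status meanings are the standard NTSTATUS codes for a bad password and an unknown user.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted 4625 event, trimmed to the
# fields used here; addresses are documentation ranges, not from the post.
EVENT = """\
An account failed to log on.
Logon Type: {ltype}
Account For Which Logon Failed:
Account Name: {account}
Failure Information:
Sub Status: {sub}
Network Information:
Source Network Address: {ip}
Source Port: {port}
Authentication Package: NTLM
"""
SAMPLE_LOG = ("=" * 50 + "\n").join(
    EVENT.format(ltype=t, account=a, sub=s, ip=ip, port=p) for t, a, s, ip, p in [
        (3, "administrator", "0xc000006a", "198.51.100.7", 3778),
        (3, "administrator", "0xc000006a", "198.51.100.7", 3779),
        (3, "admin", "0xc0000064", "198.51.100.7", 3780),
        (3, "administrator", "0xc000006a", "198.51.100.7", 3781),
        (3, "backup", "0xc0000064", "192.0.2.20", 49211),
        (2, "alice", "0xc000006a", "-", 0),  # console failure: type 2, no source address
    ])
SUBSTATUS = {"0xc000006a": "wrong password", "0xc0000064": "no such user"}  # NTSTATUS codes

def parse_failed_logons(text):
    """One record per 'An account failed to log on.' block, split on the ==== rulers."""
    records = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):
        if "An account failed to log on." not in chunk:
            continue
        def field(name):  # last match wins: the target account, not the Subject section
            hits = re.findall(rf"^{name}:\s*(.*?)\s*$", chunk, re.M)
            return hits[-1] if hits else None
        sub = field("Sub Status").lower()
        records.append({"logon_type": int(field("Logon Type")),
                        "account": field("Account Name"),
                        "reason": SUBSTATUS.get(sub, sub),
                        "ip": field("Source Network Address")})
    return records

def noisy_sources(records, threshold=3):
    """Source addresses with at least `threshold` network (type 3) failures."""
    counts = Counter(r["ip"] for r in records
                     if r["logon_type"] == 3 and r["ip"] not in (None, "-"))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Export the Security log entries as text, run parse_failed_logons over the file, and the addresses returned by noisy_sources are the ones worth a firewall rule; the "reason" field separates guessed passwords against real accounts from guesses at accounts that do not exist.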
DontWannaName
This is my homepage
Posts: 75
Joined: Tue Feb 06, 2007 8:06 pm

Re: How to block bots from attempting administrator login (w

Post by DontWannaName »

What happens when your ISP decides to change your IP and you cannot login to your server? NFO to the rescue?
sstonemaker
New to forums
Posts: 5
Joined: Mon Jun 07, 2010 9:23 pm

Re: How to block bots from attempting administrator login (w

Post by sstonemaker »

Thankfully, NFO lets you connect to VDSs via VNC client also - which I believe uses a separate VNC server on their network. So when my ISP changes my IP address, which isn't very often, I simply connect via VNC client, adjust the firewall rule with the new scope/IP, and carry on with my business.

Simple and trouble-free, with reasonable security benefits.
DontWannaName
This is my homepage
Posts: 75
Joined: Tue Feb 06, 2007 8:06 pm

Re: How to block bots from attempting administrator login (w

Post by DontWannaName »

If you were colocating you would pay 150 an hour for someone to undo that rule in Windows. :P