If you have file and print sharing enabled to the internet, you are asking
for trouble. Go to
http://scan.sygatetech.com/ and do a self scan. If it
finds NetBIOS ports such as 139 and 445 TCP open to the internet, then that
is where they are getting the information from and attempting the logons. Of
course they can also try to log on to Terminal Services if that port
[probably 3389 TCP] is open to the world and not specific IP addresses. You
may want to look into a VPN solution for the users to access Terminal Services
and printing, such as PPTP, L2TP, or firewall IPsec endpoints. L2TP would
be good in that it requires a machine certificate in order for the user to
be authenticated, which could increase your security immensely. L2TP does
require machine certificates and will not work over NAT without the
available NAT-T upgrade. I would also suggest that you run the IIS Lockdown
tool on your server, but only after doing a backup of the computer
[including System State] and of IIS configuration via the IIS management
console. You also may look into increasing the setting of the "additional
restrictions for anonymous connections" security option, which may prevent
the hackers from getting non-default account names but will not stop the
connection attempts. Use that setting with care as it can break things, and
start with the "do not allow enumeration of SAM accounts and shares" or number
"1" first if you want to enable it.

--- Steve

http://www.microsoft.com/technet/security/tools/locktool.mspx
http://support.microsoft.com/?kbid=246261 -- use the first "1" setting, but
it shows where to find it and what it does and what it can break.
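
A local complement to the external self scan suggested above, as an added example that is not part of the original reply: it parses Windows `netstat -an` output and lists listeners on the ports the post names (139, 445, 3389) together with the interface scope they are bound to. The sample output and the function names are constructed for illustration, and a listener reported here is reachable from the internet only if no firewall or router in front of the host blocks it.

```python
import ipaddress

# Ports named in the post: NetBIOS/SMB file sharing and Terminal Services.
WATCHED = {139: "NetBIOS session", 445: "SMB over TCP", 3389: "Terminal Services"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      198.51.100.7:51512     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

def split_endpoint(endpoint):
    """Split '0.0.0.0:445' or '[::]:445' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    # Drop IPv6 brackets and any zone id such as '%12'.
    return host.strip("[]").split("%")[0], int(port)

def scope_of(host):
    """Describe how widely a listener's bind address accepts connections."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "all interfaces"
    if addr.is_loopback:
        return "loopback only"
    return "single interface"

def watched_listeners(netstat_text):
    """Return (port, service, bind address, scope) for listening watched ports."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state: skips the header, UDP and sessions.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        if port in WATCHED:
            findings.append((port, WATCHED[port], host, scope_of(host)))
    return findings

if __name__ == "__main__":
    for port, service, host, scope in watched_listeners(SAMPLE):
        print(f"{port}/tcp {service}: bound to {host} ({scope})")
```

Anything listed as "all interfaces", or as "single interface" on the internet-facing adapter, is a candidate for the firewall or VPN restriction described in the post.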