too many login attempts from Internet

Enrique Garcia

I turned on auditing to monitor login attempts on Windows 2000 Server, and I
found out that I'm getting a continuous stream of failed login attempts
using different user accounts from the Internet. We have a firewall, but the
login attempts are going right through. Without disconnecting the server
from the Internet, is there any way I could stop this?
Any help would be appreciated.
Thanks,
Enrique
 
Enrique Garcia

How do you fix/configure the firewall to discriminate from what appears to
be normal login attempts without blocking real attempts?
 
Dave

You have users that are trying to log in to user accounts on your server from
the Internet? Is this for normal file and print sharing for your
organization or are these failed logins to a web service?
 
Enrique Garcia

We have 600 employees, and they require login for a variety of
applications, from online tutorials, web services, printing, terminal
services, http file downloads, etc.

The accounts that are getting the failed login attempts are usually the
built-in accounts; even if we change the name of the account it continues to
happen. Somehow they are able to acquire valid account names.

Thanks for your info,
Enrique
 
Dave

But do they require login from the Internet or just from your LAN? If they
have to come in via the Internet you should look into a VPN solution and
close the holes in your firewall. It is easy with NetBIOS exposed to the
Internet to get a listing of accounts on a machine, then start an attack to
guess passwords. Eventually someone will get in and compromise your
network. The best you can do is to require strong passwords and change them
often, and be sure to enable lockouts after just a couple of failed login
attempts to help slow down the password guessers.
 
Steven L Umbach

If you have file and print sharing enabled to the Internet, you are asking
for trouble. Go to http://scan.sygatetech.com/ and do a self scan. If it
finds NetBIOS ports such as 139 and 445 TCP open to the Internet, then that
is where they are getting the information from and attempting the logons. Of
course they can also try to log on to Terminal Services if that port
[probably 3389 TCP] is open to the world and not specific IP addresses. You
may want to look into a VPN solution for the users to access Terminal Services
and printing, such as PPTP, L2TP, or firewall IPsec endpoints. L2TP would
be good in that it requires a machine certificate in order for the user to
be authenticated, which could increase your security immensely. L2TP does
require machine certificates and will not work over NAT without the
available NAT-T upgrade. I would also suggest that you run the IIS Lockdown
tool on your server, but only after doing a backup of the computer
[including System State] and of the IIS configuration via the IIS management
console. You also may look into increasing the setting of the "additional
restrictions for anonymous connections" security option, which may prevent
the hackers from getting non-default account names but will not stop the
connection attempts. Use that setting with care as it can break things, and
start with the "do not allow enumeration of SAM accounts and shares" or number
"1" first if you want to enable it.

--- Steve

http://www.microsoft.com/technet/security/tools/locktool.mspx
http://support.microsoft.com/?kbid=246261 -- use the first "1" setting, but
shows where to find it and what it does and what it can break.
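
Added example, not part of the original thread: the self-scan described in the reply above can also be done by hand from a machine outside the firewall, against your own server's public address. The function names and the address `203.0.113.10` are placeholders chosen for this sketch.

```python
import socket

# Ports named in the thread and the service behind each one.
PORTS = {
    139: "NetBIOS session service (file and print sharing)",
    445: "SMB over TCP (file and print sharing)",
    3389: "Terminal Services",
}

def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Timeout or unreachable: something in the path is dropping the packet.
        return "filtered"

def check_exposure(host, ports=PORTS, timeout=3.0):
    """Probe each port and return {port: (state, service)}."""
    return {p: (probe(host, p, timeout), svc) for p, svc in ports.items()}

def exposed(results):
    """Sorted list of ports that accepted a connection."""
    return sorted(p for p, (state, _) in results.items() if state == "open")

if __name__ == "__main__":
    import sys
    # Placeholder address; pass your own server's public IP as the argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_exposure(host)
    for port, (state, svc) in sorted(results.items()):
        print(f"{port}/tcp {state:8} {svc}")
    if exposed(results):
        print("Reachable from here: block at the firewall or move behind a VPN.")
```

Run it from outside the LAN; a result of `open` from inside the network says nothing about what the firewall lets through.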
 
