> Would like to know how to prevent someone from accessing the server remotely.
Disconnect it from the Internet...
> Periodically, I see a high number of LOGON FAILURES where someone in the
> world is trying to gain access to our server (SBS 2003) remotely and entering
> a myriad of different user names. Is there a way to set a policy to allow a
> maximum number of attempts from an IP address?
Not as far as I know. You can take steps to minimise risks, only
permitting VPN and RWW access to those who need them, but whatever
services you open will be at risk from poor passwords of those who are
allowed to use them. If you receive mail by SMTP, there will be frequent
probes for port 25 followed by attempts at authenticated relaying, which
all users are permitted to try. If you don't allow authenticated
relaying, it doesn't matter who hammers on the door.
If you are allowing remote connections, there are ways of improving
security of both RWW and VPN that do not involve passwords, but there's
no way of telling how useful or cost-effective that would be. Virtually
no network compromises result from outside attacks these days, pretty
much all the trouble comes from unwary users executing some kind of
malware, whether by web browsing or email. There are various ways of
minimising these risks, but they don't involve defending the network
from direct outside assault.
There's not really much point in IP address lockouts, as most attackers
will not stick to a single address for any length of time, and lockouts
must expire eventually. Having said that, I keep an eye on the firewall
logs of one site, purely out of curiosity to see what's fashionable, and
there's a Chinese IP address which tries to find a web proxy about once
an hour, for the last couple of years. He didn't find it the first day,
and he's never going to find it, as it doesn't exist, and there's no
point in getting irritated by his persistence. On the other hand, my
mail server logs show failed NDR spam attempts, and there's rarely more
than about four attempts from one address, then the same crop of names
appears from a different continent half an hour later. Anyone playing
this game normally has a fairly large pool of stolen IP addresses to
You can impose lockouts on users after a number of failed logon
attempts, but if the attack is automated, as almost all are, the user
names will not be known anyway. Running a dictionary attack without
knowledge of user account names, and at typical DSL speeds, is not a
practical proposition. The automated attackers are hoping to get lucky,
finding a JSmith who is using the password 'secret', or maybe even an
Administrator/'password'. The server Administrator account cannot be
locked out. Rename it if you like, but more importantly, give it a huge
and totally uncrackable password and never use it.
There really is no substitute for good passwords. You need to impress on
the remote users that their passwords are all that stands between the
network and the bad guys. I'm sure you know you can impose password
policies, but they are never popular and often result in outbreaks of
inappropriate Post-Its. It's better to convince them that they'll be
extremely ashamed if someone breaks into the network because of their
laziness. And you *will* know it was them...