Windows Vista Forums

Re: Remote Access Security

  1. #1


    Joe Guest

    Re: Remote Access Security

    TRI-C wrote:

    > Would like to know how to prevent someone from accessing the server remotely.
    Disconnect it from the Internet...

    > Periodically, I see a high number of LOGON FAILURES where someone in the
    > world is trying to gain access to our server (SBS 2003) remotely and entering
    > a myriad of different user names. Is there a way to set a policy to allow a
    > maximum number of attempts from an IP address?
    Not as far as I know. You can take steps to minimise risks, only
    permitting VPN and RWW access to those who need them, but whatever
    services you open will be at risk from poor passwords of those who are
    allowed to use them. If you receive mail by SMTP, there will be frequent
    probes for port 25 followed by attempts at authenticated relaying, which
    all users are permitted to try. If you don't allow authenticated
    relaying, it doesn't matter who hammers on the door.

    If you are allowing remote connections, there are ways of improving
    security of both RWW and VPN that do not involve passwords, but there's
    no way of telling how useful or cost-effective that would be. Virtually
    no network compromises result from outside attacks these days, pretty
    much all the trouble comes from unwary users executing some kind of
    malware, whether by web browsing or email. There are various ways of
    minimising these risks, but they don't involve defending the network
    from direct outside assault.

    There's not really much point in IP address lockouts, as most attackers
    will not stick to a single address for any length of time, and lockouts
    must expire eventually. Having said that, I keep an eye on the firewall
    logs of one site, purely out of curiosity to see what's fashionable, and
    there's a Chinese IP address which tries to find a web proxy about once
    an hour, for the last couple of years. He didn't find it the first day,
    and he's never going to find it, as it doesn't exist, and there's no
    point in getting irritated by his persistence. On the other hand, my
    mail server logs show failed NDR spam attempts, and there's rarely more
    than about four attempts from one address, then the same crop of names
    appears from a different continent half an hour later. Anyone playing
    this game normally has a fairly large pool of stolen IP addresses to
    work with.



    You can impose lockouts on users after a number of failed logon
    attempts, but if the attack is automated, as almost all are, the user
    names will not be known anyway. Running a dictionary attack without
    knowledge of user account names, and at typical DSL speeds, is not a
    practical proposition. The automated attackers are hoping to get lucky,
    finding a JSmith who is using the password 'secret', or maybe even an
    Administrator/'password'. The server Administrator account cannot be
    locked out. Rename it if you like, but more importantly, give it a huge
    and totally uncrackable password and never use it.

    There really is no substitute for good passwords. You need to impress on
    the remote users that their passwords are all that stands between the
    network and the bad guys. I'm sure you know you can impose password
    policies, but they are never popular and often result in outbreaks of
    inappropriate Post-Its. It's better to convince them that they'll be
    extremely ashamed if someone breaks into the network because of their
    laziness. And you *will* know it was them...

    --
    Joe


  2. #2


    Charlie Russel - MVP Guest

    Re: Remote Access Security

    There ARE alternatives to password issues, and a password should not be the
    only thing between the bad guys and your network. TFA, in some form or
    another, is a viable improvement to simple passwords, and can be implemented
    quite cost effectively on an SBS network.

    --
    Charlie.
    http://msmvps.com/blogs/russel


  3. #3


    Falcon ITS Guest

    Re: Remote Access Security

    Hello,

    You did not specify what type of Logon. NETWORK, SMTP, TS, HTTP-OWA?

    Generally speaking,

    1. Enforcing a strong password policy (Local and Domain) makes these
    types of attacks (dictionary attacks and brute force attacks) very
    difficult to succeed.
    2. Set an Account Lockout Policy (Local and Domain): lock out after a
    maximum of 10 attempts, with at least 30-minute intervals.
    3. As Charlie Russel mentioned, get a router that lets you drop
    packets from the source IP where the attacks originate.
    4. Contact abuse@ their ISP and complain (www.arin.org); the ISP will
    typically put an end to it.
    5. As Joe mentioned, figure out what's annoying you and what's really
    dangerous and don't worry about the annoying stuff. Too many script
    bunnies out there for you to get all worked up.

    Also, are the myriad of user names random, or do they match those in
    your AD? If so, they may have enumerated your AD. I would check that
    out.

    Finally, 100% agree with Joe, there is no substitute for a good
    p@$$W0rD.


    Miguel Fra / Falcon ITS
    http://www.falconits.com
    http://sharepoint.falconits.com
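
The triage Miguel suggests (do the attempted names match accounts in your AD, and what would a 10-attempts-per-30-minutes lockout policy actually catch) and Joe's observation that the same crop of names reappears from a different address, as an added example that is not part of any post in this thread. It is a small Python script run over a constructed sample of failed-logon records; the one-line record format, the account names, the source addresses and the KNOWN_ACCOUNTS list are all invented for the example, and on a real SBS 2003 server the input would be the failed-logon entries exported from the Security event log. It also honours the point that the built-in Administrator account is never locked out.

```python
"""Triage of failed-logon records: per-source counts, AD-name matching,
and a simulation of an account-lockout policy (constructed sample data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified one-line form of failed-logon events
# (timestamp, attempted account, source address). Not real log data.
SAMPLE_LOG = """\
2010-02-18 03:14:07 LOGON_FAILURE user=administrator src=203.0.113.5
2010-02-18 03:14:09 LOGON_FAILURE user=admin src=203.0.113.5
2010-02-18 03:14:11 LOGON_FAILURE user=test src=203.0.113.5
2010-02-18 03:14:13 LOGON_FAILURE user=guest src=203.0.113.5
2010-02-18 03:44:20 LOGON_FAILURE user=administrator src=198.51.100.77
2010-02-18 03:44:22 LOGON_FAILURE user=admin src=198.51.100.77
2010-02-18 03:44:24 LOGON_FAILURE user=test src=198.51.100.77
2010-02-18 03:44:26 LOGON_FAILURE user=guest src=198.51.100.77
2010-02-18 09:01:00 LOGON_FAILURE user=jsmith src=192.0.2.10
2010-02-18 09:01:03 LOGON_FAILURE user=mjones src=192.0.2.10
2010-02-18 09:01:06 LOGON_FAILURE user=tri-c src=192.0.2.10
2010-02-18 09:01:09 LOGON_FAILURE user=pbrown src=192.0.2.10
"""

# Constructed list of accounts that really exist in the domain (assumption).
KNOWN_ACCOUNTS = {"administrator", "jsmith", "mjones", "tri-c", "pbrown"}

# Names every automated scanner tries against every server; matching these
# says nothing about whether the attacker knows your directory.
GENERIC_NAMES = {"administrator", "admin", "guest", "test"}

LINE_RE = re.compile(r"^(\S+ \S+) LOGON_FAILURE user=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse the constructed record format into dicts; skip unmatched lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": m.group(2).lower(), "src": m.group(3)})
    return events


def failures_by_ip(events):
    """How many failures each source address produced (shows IP rotation)."""
    return Counter(e["src"] for e in events)


def failures_by_user(events):
    """How many failures each attempted account name produced."""
    return Counter(e["user"] for e in events)


def matched_accounts(events, known=KNOWN_ACCOUNTS):
    """Attempted names that are real accounts in the directory."""
    return {e["user"] for e in events} & set(known)


def enumeration_suspected(events, known=KNOWN_ACCOUNTS, min_ratio=0.75):
    """Sources whose non-generic guesses are mostly real accounts: a sign
    the attacker has a copy of your user list rather than a wordlist."""
    per_src = defaultdict(set)
    for e in events:
        per_src[e["src"]].add(e["user"])
    suspects = set()
    for src, names in per_src.items():
        specific = names - GENERIC_NAMES
        if specific and len(specific & set(known)) / len(specific) >= min_ratio:
            suspects.add(src)
    return suspects


def would_lock(events, known=KNOWN_ACCOUNTS, threshold=10,
               window=timedelta(minutes=30)):
    """Accounts a policy of `threshold` failures within `window` would lock.
    Guesses at nonexistent names lock nothing, and the built-in
    Administrator account cannot be locked out."""
    per_user = defaultdict(list)
    for e in events:
        if e["user"] in known and e["user"] != "administrator":
            per_user[e["user"]].append(e["ts"])
    locked = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures by source:", failures_by_ip(evs))
    print("names that exist in AD:", sorted(matched_accounts(evs)))
    print("possible AD enumeration from:", enumeration_suspected(evs))
    print("accounts a 10/30min policy would lock:", would_lock(evs))
```

In the constructed sample the two early sources try only generic names and lock nothing, while 192.0.2.10 hits four real, non-generic accounts in a row, which is the pattern worth checking rather than the hourly scanner. With the 10-attempts-per-30-minutes policy from the post no account locks; lowering the threshold only ever locks real accounts other than Administrator.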
