
Brute force attacks on Windows 2003 terminal server... what to do? 2


1LUV1T | IS-IT--Management | Nov 6, 2006 | 231 | US
Hey all, I am in need of urgent advice concerning a *critical* issue. Since about two weeks ago, I have log records of [unauthorized] Login Failures happening on my Terminal Server at off-peak records. I am using LANGuard Log Event monitor to help alert me to these things, so I have all the records:

Logon Failure:
Reason: Account currently disabled
User Name: administrator
Domain: MyDomain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TSServer
Caller User Name: TSServer$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 10732
Transited Services: -
Source Network Address: 216.241.54.50
Source Port: 17369

This set off a red alert for me because the administrator account is and always has been disabled. What is the proper response to an intrusion? Never really had to go on the defense on behalf of a client before.
 
I still think that Hondy has a point with what ports are open. Doesn't take anything to "know" which servers responded to the rdp port. Once the IP info is known, it's easy for a malicious person to run nmap, and get all the open ports all over again.

I would rather see Hondy's idea of not allowing anything into the network, unless it's the VPN connection.

Has there been a DMZ set up? Besides your firewall, and VPN, what other devices have you considered to assist in the security of the network?

Just for fun, have you looked to see if there happens to be any info on the company on the internet? Specifically, look for "infile:*.rdp" from Google. There could be a link that someone at some point posted on the net, which will invite a bunch of bad guys.

Keep looking through your firewall logs and your system logs, and creating the ACLs as needed. It will be an ongoing fight, but it will be worth it as long as the company remains off of the "compromised" list.
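The two posts above amount to a small detection procedure: read the "Logon Failure" records LANGuard surfaces, notice that one source address is cycling through account names (including a disabled administrator account, which should never see a logon attempt at all), and turn the offending addresses into firewall ACL entries. The following Python is an added example written for this thread, not code from either poster or from LANGuard. It parses records in the text layout quoted in the first post, counts failures per source address in a sliding time window, lists attempts against disabled accounts, and returns the addresses worth an ACL entry. The sample records are constructed; the "Time:" line is an assumption (Event Viewer exports carry a date/time column, folded into the record here so the script runs offline), and the 192.0.2.7 address is a made-up legitimate user who mistyped a password once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. 216.241.54.50 is the address quoted in the post;
# the other records are invented to show one guessing source beside one
# ordinary typo. Only the fields the detection needs are kept.
SAMPLE_LOG = """\
Time: 2006-11-06 02:14:01
Logon Failure:
Reason: Account currently disabled
User Name: administrator
Source Network Address: 216.241.54.50

Time: 2006-11-06 02:14:04
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Source Network Address: 216.241.54.50

Time: 2006-11-06 02:14:06
Logon Failure:
Reason: Unknown user name or bad password
User Name: root
Source Network Address: 216.241.54.50

Time: 2006-11-06 02:14:09
Logon Failure:
Reason: Unknown user name or bad password
User Name: guest
Source Network Address: 216.241.54.50

Time: 2006-11-06 02:14:12
Logon Failure:
Reason: Unknown user name or bad password
User Name: test
Source Network Address: 216.241.54.50

Time: 2006-11-06 09:30:15
Logon Failure:
Reason: Unknown user name or bad password
User Name: jsmith
Source Network Address: 192.0.2.7
"""

# "Key: Value" lines; the bare "Logon Failure:" header parses with an empty value.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_records(text):
    """Split a blank-line-separated export into records and parse each into a dict."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "Logon Failure" in rec:  # header line marks the record type
            rec["timestamp"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def brute_force_sources(records, threshold=5, window=timedelta(minutes=10)):
    """Sources whose failures in any `window` reach `threshold`, with the
    distinct account names tried: many names from one address is the
    password-guessing signature the thread is describing."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.get("Source Network Address", "-")].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        burst = max_in_window([r["timestamp"] for r in recs], window)
        if burst >= threshold:
            flagged[ip] = {"failures": len(recs), "burst": burst,
                           "accounts": sorted({r.get("User Name", "?") for r in recs})}
    return flagged


def disabled_account_attempts(records):
    """(source, user) pairs for attempts on disabled accounts; with the built-in
    administrator disabled, any such attempt is unexpected by definition."""
    return [(r["Source Network Address"], r["User Name"])
            for r in records if r.get("Reason", "") == "Account currently disabled"]


def acl_candidates(records, **kw):
    """Sorted source addresses that earned a deny entry on the firewall."""
    return sorted(brute_force_sources(records, **kw))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ip, info in brute_force_sources(recs).items():
        print(f"{ip}: {info['failures']} failures, burst {info['burst']}, tried {info['accounts']}")
    print("disabled-account attempts:", disabled_account_attempts(recs))
    print("ACL candidates:", acl_candidates(recs))
```

The threshold and window are deliberately parameters: on a server that is only reachable over VPN, as the second post recommends, even a handful of failures from an unexpected address is worth an alert, while a public RDP port will need a higher bar to avoid paging on every mistyped password.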
 