
Windows 2000 Log in Attempts


Dreddnews

Technical User
Nov 17, 2002
83
US
At my internship we are seeing a reoccurring amount of log in attempts as Administrator on our DMZ and now starting on some of our remote clients. In some cases there are so many attempts to log in as Administrator that the PC was slowed to a crawl. In one case, over 10 days, over 2200 attempts were made on one client PC. What could be causing this and how do we protect ourselves from these occurrences? Thanks for any help. BTW: all service packs and patches from Microsoft have been applied.
 
Probably someone is attempting a dictionary attack. A program that just keeps attempting to log in with every word in the 'dictionary' as a password, hoping you haven't followed good practices with your passwords.

How to stop it - take the server out of the DMZ and enable a firewall. If this isn't possible for whatever reason, there should be some method of denying multiple failed requests from a particular IP address - aka a lockout feature. You don't specify the OS, so without more specifics, that's as far as I can go.
 
Oops, after I submitted that, I noticed that you did provide the OS in the heading. Search the MS Knowledge base for 'failed attempt lockout'.
 
The first piece of advice here would be to always rename the plain old Administrator account to something else. Just name it something that the remote person would not guess.

For a Windows server you can set account lockout in the Local Security Settings. Or if the server is in a Win2K domain it is in the Domain Security Policies. Both are under Account Policies, Account Lockout. It is usually a good idea to set these to a reasonable number. But remember, make sure you have another admin level account to use to get into the server. Otherwise these attempts will lock you out too.

The best course of action would be to check your firewall or Internet logs to see where these attempts are coming from and block that person there. That way the server will never even see the attempts.
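An added example, not written by any poster in this thread: a small Python script that tallies failed logons per source address (the candidates to block at the firewall) and models when an account lockout threshold would trip. The record format, the sample lines, and the threshold and window values are constructed assumptions, and the sliding-window check is a simplification of how Windows counts bad passwords.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp,source,account,result); the format is
# an assumption, not the output of any particular firewall or of Windows.
SAMPLE = """\
2003-03-01 02:14:07,203.0.113.45,Administrator,FAIL
2003-03-01 02:14:09,203.0.113.45,Administrator,FAIL
2003-03-01 02:14:12,203.0.113.45,Administrator,FAIL
2003-03-01 02:14:15,203.0.113.45,Administrator,FAIL
2003-03-01 02:14:19,203.0.113.45,Administrator,FAIL
2003-03-01 08:01:30,192.0.2.20,jsmith,FAIL
2003-03-01 08:01:52,192.0.2.20,jsmith,OK
2003-03-01 09:40:00,198.51.100.7,Administrator,FAIL
"""

def parse(text):
    """Return sorted (time, source, account, failed) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append((when, parts[1], parts[2], parts[3].upper() == "FAIL"))
    return sorted(events)

def failures_by_source(events):
    """Count failed logons per source address: the candidates to block upstream."""
    return Counter(src for _, src, _, failed in events if failed)

def lockout_times(events, threshold=5, window=timedelta(minutes=30)):
    """First time each account reaches `threshold` failures inside `window`."""
    recent, locked = defaultdict(deque), {}
    for when, _, account, failed in events:
        if not failed or account in locked:
            continue
        q = recent[account]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[account] = when
    return locked

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(failures_by_source(ev).most_common())
    print(lockout_times(ev))
```

In the sample, the built-in Administrator name is the one that locks, which is the situation the post above warns about when it says to keep a second admin-level account.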

 
At our home office it isn't so much a problem to block them on the firewall. But the remote sites are just set up on a roadrunner cable connection straight to the computer. We have over 20 of these remote sites across our region. They connect to our domain thru a SonicWALL VPN. How do we prevent those PCs from being hit? We have no implemented the account lockout on the domain. Thanks
 
The absolute first thing that I would do would be to put some type of firewall software on the remote machines. Connecting any PC or server up directly to the Internet without any kind of protection is just asking to get hacked. For an inexpensive solution I'd recommend Black Ice. I have been using it at home forever and use it in situations just like this, where customer sites have DSL or cable modems and can't really justify the expense of a complete firewall solution. Black Ice lets you configure who can and cannot access a system and how. It is also only $29.95 a copy.
 