#1
Untangler
Join Date: Oct 2008
Location: Vancouver, WA
Posts: 80
Logon Failure:
Reason: Account currently disabled
User Name: guest
Domain:
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name:
Caller User Name:
Caller Domain:
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4564
Transited Services: -
Source Network Address: 66.235.95.143
Source Port: 1963

I have several clients using Windows Small Business Server. Because they use Remote Web Workplace and Outlook Web Access, there are certain ports that I have to leave open. One of the ports is 3389 for RDP. I constantly see attacks where someone is trying to break into the network through this port. You can see an example above. I have blocked off a lot of the world which has really reduced the number of these attacks. However, I am still getting hit by a lot of the knuckleheads in this country. I have begun reporting these people to their ISPs. The ISPs may not do anything, but I'm hopeful. To log this, I have set Protocol Control to log every protocol. However, these don't show up when I go back and look at the event log. Does anyone know why they wouldn't be logged? Is there a better way to log these attacks?
#2
Join Date: Jul 2010
Location: sfba
URLs submitted: 1
Posts: 1,139
I'm fairly sure you don't need to forward 3389 from the outside for those to work.
(I could be wrong)
__________________
Attention: Support on the Untangle Forums is provided by volunteers and community members. If you need official Untangle support please call or email support@untangle.com.
#3
Join Date: Jun 2008
Location: Argentina
URLs submitted: 57
Posts: 3,634
There are some rogues out there doing RDP attempts to access by using some kind of dictionary attack.
What I do is to strengthen security policies: maximum failed login attempts: 3, then disable the account for 15 minutes. They often grow weary and desist in their attempts.
__________________
The world is divided into 10 kinds of people, who know binary and those not
#6
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,460
Or you can stop exposing RDP at all, and RDP over VPN.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#7
Untangler
Join Date: Oct 2008
Location: Vancouver, WA
Posts: 80
Thanks, Rob. I've already thought of that. However, we're using Remote Web Workplace so that users can log in using any browser from any computer. Obviously we can't set up a VPN on all of them. I really want to find a way to log these attacks. Most of the ISPs request log information that shows originating IP, destination IP, and ports used, etc.
#8
Join Date: Jun 2008
Location: Argentina
URLs submitted: 57
Posts: 3,634
In the firewall app you can create a rule:
action: pass
log: check mark
destination address: your internal Windows server running terminal server and IIS
dest port: 3389

I have serious doubts that any ISP will take your complaint seriously.
__________________
The world is divided into 10 kinds of people, who know binary and those not
#9
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,460
Sorry I missed that you were using RWW. If you're tracking an attack on your terminal gateway service then the approach that dwasserman suggests is the best you're going to get on Untangle.
The problem is, that will log ALL RDP traffic, not just the attack. I would look into Microsoft's documentation and see if you can't get the SBS server to increase its logging detail. Otherwise, you're going to have attack records in the event viewer, and be stuck trying to match them to a network firewall log in the Untangle.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
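
Added example, not written by anyone in this thread: a Python sketch that parses "Logon Failure" event descriptions with the same fields as the one quoted in post #1 and groups the failed RDP logons (Logon Type 10) by source address, giving the originating IP and source ports that post #7 says ISPs ask for. It assumes the event text has already been exported from the Security log as plain text; the function names and the sample events (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Field labels as they appear in the "Logon Failure" event quoted in post #1.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Caller User Name",
          "Caller Domain", "Caller Logon ID", "Caller Process ID",
          "Transited Services", "Source Network Address", "Source Port"]
# Longest labels first so "Caller User Name" is never read as "User Name".
FIELD_RE = re.compile(
    r"\b(" + "|".join(sorted(map(re.escape, LABELS), key=len, reverse=True)) + r"):")

def parse_event(text):
    """Split one event description into {label: value}; empty values stay ''."""
    hits = list(FIELD_RE.finditer(text))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        fields[cur.group(1)] = text[cur.end():end].strip()
    return fields

def summarize_rdp_failures(events):
    """Group failed Logon Type 10 (RemoteInteractive, i.e. RDP) logons by source IP."""
    seen = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for text in events:
        f = parse_event(text)
        src = f.get("Source Network Address", "")
        if f.get("Logon Type") != "10" or src in ("", "-"):
            continue  # not an RDP logon, or no remote address recorded
        seen[src]["attempts"] += 1
        seen[src]["users"].add(f.get("User Name", ""))
        if f.get("Source Port", "").isdigit():
            seen[src]["ports"].add(int(f["Source Port"]))
    return {ip: {"attempts": d["attempts"], "users": sorted(d["users"]),
                 "ports": sorted(d["ports"])} for ip, d in seen.items()}

# Constructed sample events (documentation-range addresses, not real hosts).
TEMPLATE = ("Reason: {reason} User Name: {user} Domain: Logon Type: {ltype} "
            "Logon Process: User32 Authentication Package: Negotiate "
            "Workstation Name: Caller User Name: Caller Domain: "
            "Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4564 "
            "Transited Services: - Source Network Address: {ip} Source Port: {port}")
SAMPLE_EVENTS = [TEMPLATE.format(reason=r, user=u, ltype=t, ip=i, port=p) for r, u, t, i, p in [
    ("Account currently disabled", "guest", 10, "203.0.113.7", 1963),
    ("Unknown user name or bad password", "administrator", 10, "203.0.113.7", 2044),
    ("Unknown user name or bad password", "backup", 3, "198.51.100.20", 49152),
]]

if __name__ == "__main__":
    for ip, d in summarize_rdp_failures(SAMPLE_EVENTS).items():
        print(ip, d)
```

The source address and source port pair from each event is the value to search for in the firewall rule's log when matching the two records.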