Windows Server - RWW Security

Asked By John on 30-Mar-08 11:57 AM
Hello All - I implemented RWW with great success over 3 years ago.  I love
it, the other employees, most importantly, my boss loves it.  Recently,
however, we have been getting what appears to be hack attempts. Listed below
is the error from the performance report.  We have been getting various
attempts of this kind from user names "guest" as well as "administrator".
The guest account is disabled and we changed the admin user name to something
more secure.  We have also received logon attempts that say logon type 3
(local) but the user account is IUSR_TSTDC1 which would indicate an IIS logon
which I thought would say "10" as the logon type.  Is this something that I
should be concerned about or is it some Port scanner batch file type thing
and as long as I keep strong password policies I should be OK?  Thanks in
advance.

Logon Failure:
Reason:	Unknown user name or bad password
User Name:	webmaster
Domain:
Logon Type:	3
Logon Process:	Advapi
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:	TSTDC1
Caller User Name:	TSTDC1$
Caller Domain:	TSTLOCAL
Caller Logon ID:	(0x0,0x3E7)
Caller Process ID:	3964
Transited Services:	-
Source Network Address:	-
Source Port:	-
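
An added example, not code from this thread: a small triage script for entries in the layout of the report above. It parses the blocks, counts failures per account, and encodes the point about the logon type: a type-3 failure whose Logon Process is Advapi and whose caller is the server's machine account (TSTDC1$) is IIS validating a web client's credentials for RWW/OWA on the server's behalf, which is why the event carries no Source Network Address and the client IP has to be correlated from the IIS logs. The extra user names, counts and the address in the sample are constructed.

```python
from collections import Counter
# Constructed sample in the layout of the poster's performance-report entry: one failure
# per block, blank line between blocks (extra user names and the address are made up).
SAMPLE_EVENTS = """\
Logon Failure:
User Name:\twebmaster
Logon Type:\t3
Logon Process:\tAdvapi
Caller User Name:\tTSTDC1$
Source Network Address:\t-

User Name:\tguest
Logon Type:\t3
Logon Process:\tAdvapi
Caller User Name:\tTSTDC1$

User Name:\tguest
Logon Type:\t3
Logon Process:\tAdvapi
Caller User Name:\tTSTDC1$

User Name:\tjsmith
Logon Type:\t10
Logon Process:\tUser32
Source Network Address:\t192.0.2.10
"""

def parse_events(text):
    """One dict per block; each 'Key:<tab>Value' line becomes an entry, empty values dropped."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if value.strip():                 # skips the bare "Logon Failure:" header line
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def is_iis_auth(e):
    # Type 3 + Advapi + machine-account caller (TSTDC1$) is IIS validating a web client's RWW/OWA
    # credentials; the client IP is absent here ('-') and lives in the IIS logs. Type 10 is RDP.
    return (e.get("Logon Type") == "3" and e.get("Logon Process") == "Advapi"
            and e.get("Caller User Name", "").endswith("$"))

def triage(events, threshold=2):
    """Failures per account (case-folded) and the accounts at or over the threshold."""
    counts = Counter(e.get("User Name", "?").lower() for e in events)
    repeated = sorted(u for u, n in counts.items() if n >= threshold)
    return counts, repeated
```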
Charlie Russel - MVP replied on 30-Mar-08 12:20 PM
It sounds like you've done what you should be doing. I personally think RWW
is more secure than straight RDP, but I go a step further - I've installed
Scorpion Software's RWWGuard, using their AuthAnvil tokens.
(http://www.scorpionsoft.com - no direct affiliation, except that the owner
is a fellow MVP I have known for several years.)

RWWGuard adds an additional layer of security onto RWW by using two-factor
authentication. Not only do you need to know the username and password of
the domain account, but also a PIN + a one-time password (OTP). The best
part is, it's "SBS Aware" and completely integrated with RWW so your login
looks just like regular RWW, except there's an additional field for the
PIN+OTP.

RWWGuard works with third party OTP's, such as CryptoCard, SecurID, as well
as their own AuthAnvil. AuthAnvil is usually a good deal cheaper, since it's
sold in smaller minimum quantities appropriate to an SBS business.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

Joe replied on 30-Mar-08 12:52 PM
There's also a free (other than time) additional security option on IIS,
which is to require a client certificate to access the default web site.
This covers RWW and OWA, as well as the other web services (e.g.
certsrv, so make sure the certificates are created before enabling this).

It is also then required for access from the LAN, so make sure everyone
has valid certificates first. SBS does issue them on creation of the
users, but does not appear to renew them when they expire. The
certificate is exported from a browser on the LAN in encrypted form,
using a password, and can be installed into remote browsers.