Thursday, November 27, 2014

Windows Server: prevent anonymous login and ban IP of attacker

On Windows Server 2008 R2 / Windows Server 2012 you can disable anonymous login by using Local Group Policy Editor. To open the Local Group Policy Editor: click Start button, key gpedit.msc in the Start Search box, and then press ENTER.

Under Computer Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions, there are 6 policies to control what information can be accessed anonymously:
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM accounts
3. Network access: Do not allow anonymous enumeration of SAM accounts and shares
4. Network access: Let Everyone permissions apply to anonymous users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously

Just disable policy 1 and 4, enable policy 2 and 3, and clear empty for policy 5 and 6.

Disabling anonymous login is not enough for preventing attempts to attack your Windows Server, you should buying & install an application like Symantec Endpoint Protection to protect your server with advance functions.

However if your server just run SQL server and you use Remote Desktop to remote the server, you can do a security layer by your self. The first thing is you should change the default service port of Remote Desktop and SQL server. The second thing is you should use IPBan written by Jeffrey N. Johnson, it is a free tool tracking any IP that invokes services on your server and when number of fail events reaches to a predefined threshold, it will block the IP in the Windows Advanced Firewall by using a Blocking rule there.

If you like coding, you can download the code of IPBan from here. If not, you can download its binary from here (required .NET Framework 4). Below are main configurations for making it up & run:
1. Config Remote Desktop Session Host Configuration to log IP address in event log. To run it: click Start button, key Remote Desktop Session Host Configuration in the Start Search box, and then press ENTER. Double click the connection RDP-Tcp to change encryption settings to native RDP encryption. See the picture below for howto. After finishing, please reboot your server.


2. Copy IPBan binary to a folder, e.g. D:\IPBan. Then open and modify IPBan.exe.config file. Below are some rules that you should learn:
       2.1 Group rules, for example:
<Group>
<Keywords>0x90000000000000</Keywords>
...
<XPath>//Provider[@Name='MSSQLSERVER']</XPath>
...
</Group>
This group is used for tracking Application events for logging on to MS SQL server which having keyword 0x90000000000000, see the following captured image in Application events for more detail:

In this case, Provider is MSSQL$SGSQL2012, so we'll change MSSQLSERVER to MSSQL$SGSQL2012.

     2.2 Rule for attempts before banning
<add key="FailedLoginAttemptsBeforeBan" value="5" />

     2.2 Ban time rule (DD:HH:MM:SS)
<add key="BanTime" value="00:00:30:00" />

     2.2 Log file rotation rule
<target name="logfile" xsi:type="File" fileName="${basedir}\logfile.txt" archiveNumbering="Sequence" archiveEvery="Day" maxArchiveFiles="28" />

3. Create IPBan service and start it
#sc create IPBan type= own start= auto binPath= D:\IPBan\ipban.exe DisplayName= IPBan
#net start IPBan

That's all. Now you can monitor your server under your way.
Any comment is welcome!

Subscribe to RSS Feed Follow me on Twitter!