Syspeace for internal brute force protection on Windows Servers
After installing Syspeace, the tech guys started getting notifications that their Exchange Server was trying to log in to another server and it was rejected. There was no reason for this server to do so whatsoever and it had not been noticed earlier, so it’s hard to say when it actually started.
After disabling the whitelist for the LAN at the customer site, they started getting mail notifications that every workstation on their LAN was actually trying to log in to various servers using various usernames and passwords, hence a brute force attack/dictionary attack from the inside.
Most likely a trojan has been planted somewhere and has infected the rest.
This is a fairly simple example of how Syspeace can actually reveal a security breach that a customer wasn’t even aware had occurred.
It is totally up to any customer to use whitelists for the LAN, but as a precaution, I personally wouldn’t recommend it since it actually gives you a great heads up that something has happened if a computer or multiple computers suddenly start to try and log in to servers they’re not supposed to.
As a system administrator, you get the chance to get attacks automatically blocked, logged, traced, and reported, and you can have a closer look at the computer responsible for the attack or have a word with the user to see what’s going on.
You can even create extensive reports on all activity originating from that user or computer using the Access Reports section in Syspeace to get a clearer view of how long it’s been trying and so on.
Since Syspeace automatically protects against failed logins using Winlogon authentication, your Windows servers are also protected from computers/users trying to use the “net use” command or “map network drive” with invalid logon credentials to access shares they’re not supposed to.
If you don’t have processes in place for scanning logs, saving them, and monitoring every login activity, it will become a gruesome task even to know if there’s something going on at all. You simply won’t have the tools to do so.
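As a sketch of the kind of log review described above (an added example, not Syspeace's code or output): the function below groups failed logons by source address and reports any source that tried several different usernames, labelling LAN sources instead of whitelisting them. The record layout, the sample data and the min_users threshold are assumptions; in practice the records would be exported from failed-logon events (event ID 4625) in the Windows Security log.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real data): one failed logon each, as
# (source address, target server, attempted username).
SAMPLE_FAILED_LOGONS = [
    ("10.0.0.21", "FS01", "administrator"),
    ("10.0.0.21", "FS01", "admin"),
    ("10.0.0.21", "SQL01", "sa"),
    ("10.0.0.21", "SQL01", "backup"),
    ("10.0.0.21", "DC01", "test"),
    ("10.0.0.34", "FS01", "jsmith"),  # one user mistyping a password
    ("10.0.0.34", "FS01", "jsmith"),
    ("203.0.113.9", "MAIL01", "administrator"),
    ("203.0.113.9", "MAIL01", "root"),
    ("203.0.113.9", "MAIL01", "guest"),
]

# RFC 1918 ranges, used only to label a source as internal.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def suspicious_sources(events, min_users=3):
    """Return sources that tried at least min_users distinct usernames."""
    # LAN sources are labelled, never skipped as a LAN whitelist would.
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "servers": set()})
    for source, server, user in events:
        stats[source]["attempts"] += 1
        stats[source]["users"].add(user.lower())
        stats[source]["servers"].add(server.upper())
    findings = []
    for source, entry in sorted(stats.items()):
        if len(entry["users"]) < min_users:
            continue  # one account failing repeatedly looks like a typo
        address = ipaddress.ip_address(source)
        findings.append({
            "source": source,
            "internal": any(address in net for net in LAN_RANGES),
            "attempts": entry["attempts"],
            "distinct_users": len(entry["users"]),
            "servers": sorted(entry["servers"]),
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_sources(SAMPLE_FAILED_LOGONS):
        print(finding)
```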
Have your own servers run the fully functional Syspeace free trial and see if you get any unexpected login failures from the internal network and from the Internet.
You might be surprised.