#infosec How to block an ongoing dictionary attack / brute force attack against Windows Servers, #MSexchange and more

How to block an intrusion attack against Windows Servers for free

If your server or data center is targeted by a brute force attack a.k.a dictionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.
However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for brute force prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here, install, register with a valid email address, enter the license key into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 3.6 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simmply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Serevr including the webmail (OWA) , Citrix, Sharepoint,
SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not  constantly monitoring logfles.

On this blog, http://syspeace.wordpress.com, we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

Syspeace logo

Syspeace logo

Securing Windows Serves with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.

3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. User Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.

10. If your server is reachable from the Internet, use valifd SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able. Yes, think Mr. Snowden.Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.

12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering passwords the have all over the world, maybe you could have thme read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and on the topic of online passwords and identities also, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . I you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a pwerful and easy to use bruteforce prtection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

Syspeace for internal brute force protection on Windows Servers

After installing Syspeace , the tech guys started getting notifications that their Exchange Server was trying to login to another server and it was rejected. There was no reason for this server to do so whatsoever and it had not been noticed earlier so it’s hard to say when it actually started.

After disabling the whitelist for the LAN at the customer site they started getting mail notifications that every workstation on their LAN was actually trying to login to various servers using various usernames and password, hence a brute force attack/dictionary attack from the inside.

Most likely a trojan has been planted somewhere and it has infected the rest.

This is a fairly simple example of how Syspeace can actually reveal a security breach a customer wasn’t even aware of had occured.

It is totally up to any customer to use whitelists for the LAN but as a precaution, I personnally wouldn’t recommend it since it acutally gives you a great heads up that something has happened if a computer or multiple computers suddenly starts to try and login to servers they’re not supposed to.

As a system administrator, you get the chance to get attack automatically blocked, logged, traced and reported and you can have a closer at the computer responsible for the attack or have a word the user to see what’s going on.

You can even create extensive reports on all activity originating from that user or computer using the Access Reports section in Syspeace to get a more clear view on how long it’s been trying and so on.

Since Syspeace automatically protects failed logins using Winlogon authentication, your Windows servers are also protected from computers/users trying to use the “net use” or “map network drive” with invalid logon credentials trying to acces shares they’re not supposed to.

If you don’t have processes in place for scanning logs, saving them and monitoring every login activity, it will become grusome task to even know if there’s something going on at all. You simply won’t have the tools to do so.

Have your own servers run the fully functional Syspeace free trial and see if you get any unexpected login failures from the internal network and from Internet.
You might be surprised.

By Juha Jurvanen

Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don’t work . Repost

This is actually a repost on a fairly well read blogpost but I thought I’d share it with you again.

Intro on brute force / dictionary attack prevention tactics and some common misconceptions

Protection from brute force attempts on Windows servers has always been a nightmare and would continue to be so if not .. Yes, I admit, I will come up with a solution further down.

Most system administrators with selfrespect start off with the best of intentions to actually keep track of brute force / dictianary attack attempts but eventually give up because of the sheer number of attacks that occur daily.

Others, unfortunately, believe that a firewall takes care of the problem which it doesn’t or that an account lockout policy is the answer. Neither of them is and I’ll show you why.

The firewall approach:

Think about it. What does a firewall actually do ? The role of the firewall is to block traffic on unwanted ports and to drop portscans and variuos SYN FLOOD attacks. That’s about it. A firewall is basically a harsch doorman deciding who gets in to speak with the guys on the inside and who doesn’t.

If an attacker actually connects on a valid port , the traffic is redirected/port forwarded to the server in question let’s say the webmail interface of a Microsoft Exchange Server or a Microsoft Windows Terminal Server or a Citrix Server. Once the attacker is there, the actual logon request is handled by the server,not the firewall. The logon process is managed by the Windows Authentication process (which in turn may be validated against Active Directoy or a local user database using SAM). The firewall is already out of the picture really since it has no connection with the Windws server apart from  the TCP connection and keeping it alive really. They don’t communicate the result of the logon process between eachother.

Also, a changing of from standard ports won’t help you much, will it ? The logon process is still managed by the Windows Server although you will get rid a of a lot of portscans and “lazy background, script kiddie attempts” if you’re using non standard ports. Basically you get rid of the script kiddies but the problem isn’t solved, the traffic is still redirected/port forwarded to the server that does the actual authentication.

Using for instance a Remote Desktop Gateway won’t handle the problem either. Using a RDP Gateway minimizes the attack surface, yes, but it is still reachable and the user logons still have to be validated. The problem is with any server that services logon request basically, regardless of on what ports and how they get there. That is Microsoft Windows server, Exchange Server, Citrix, Sharepoint, CRM , Terminal server and so on . The list can probably go on and on.

There’s also the risk of stuff stops working each time you apply some updates or patches to your Windows Servers if you start changing standard ports or standard configurations. It’s happened to me a few times and it’s not that amusing to be honest when you’ve got 1000 users not being able to log in beacuse you’ve just done your job and patched the servers to keep peolpe datas safe. Trust me, that’s not a good Monday morning.

The VPN approach:

Yes. That’s a safer approach but also here we do have some issues. First of all, it’s not that easy to keep track of VPN certificates, to set all of it up and manage all the licensing costs (that can be quite significant really ) and (sometimes costly) hardware you need to have in place. Historically there has also always been performance issues with most VPN solutions since all traffic is directed through one or a few VPN servers / connectors. Some of them also charge you for the bandwidth you want it to be able to use for VPN connections or charge you for the number of simultaneous VPN connections, A VPN solution can be quite costly as an initial investment and taking into account all of the administration involved in it.

You also probably won’t be demanding your users to have a VPN connection to the Microsoft Exchange OWA etiher snce the whole idea of the OWA i that it’s supposed to easy to reach from anywhere. I know there are some companies actually requiring VPN even for OWA and that’s just fine I guess but the more we’re moving our data and applications to cloud services, this hassle with different VPNs and stuff will eventually be fading into the dark corners of the Internet (that’s my personal belief anyways). The thing is that your users don’t want to be tied down by complicated VPN clients and stuff, users nowdays are used “stuff just working” and it has to be easy and intuititive for them. The days of the “System Administrators from Hell” implementing all kinds of complex solutions to keep stuff secure and forcing users to having very specific and complex ways of accessing data are over. They were good times, good times but they’re over. Deal with it.

The IDS/IPS approach:

Using a centralized IDS/IPS This is a more efficient method, yes. The downside is, most of these systems require you to change your infrastructure and get specific, costly hardware, licenses and costly consultants to get it up and running. And someone needs to monitor it, take care of it and so on. There are parllells to the VPN approach here although an IDS/IPS does a while lot more such as examines all the network traffic, examines it for malicious code and so on. I’m not sure actually if an IDS/IPS can communicate with the Windows Server Authentication Process so I’ll actually won’t say anything about that. I would presume they can, otherwise I fail to see the point (from the brute force logon prespective, that is) and you’d still need to handle the logon attempt on the Windows server.

The Account Lockout Policy approach:

The acccount lockout method is also flawed due to the fact that an attacker can quite easily cause a DOS (Denial of Service) simply by hammering your server with invalid logon request but with valid usernames, thus rendering the accounts unusable for the valid users. Basically, all he (or she)  needs to know is the user logon name and in many system , it’s not tha hard to guess (try the companynameusername or the mail address for the user since it’s quite often also a valid logon name if you have a look at the properties of the user in Active Directory Users and Group snap-in)

The Cloud Computing approach

We are shifting  more and more of our data and applications into various Cloud Services (like it or not but, it’s a fact and you know it). This way we do get rid of some of these problems on our own servers and hopefully, your Cloud Service provider actually has a plan for these scenarios and has the necessary surveillance software and systems in place. If you’re using a Cloud Computing platform based on Windows Servers, you should actually ask your provider how they handle brute force attempts on their servers. Most likely they will give you one or more of the scenarios described above and, as I’ve showed you, they are not adequate to handle the task at hand. They’re just not up for the job. Feel free to ask your own provider and see what answer you get. My guess is .. mumbo jumbo but basically , they don’t have anything in place really, more or less.
You could even try logging into you own account with your own username but the wrong password loads of times and see what happens. Will it be locked out? Will your machine be locked out? How does your Cloud Srvice Provider respond and are you informed in any way that an intrsuion attempt has been made using your account ? How many times can anypne try to access your account without you being notifed of it? And from where are they trying to get to your data and why?
Personally I know of only one Cloud Service Provider that has also taken these questions into account and that’s Red Cloud IT in Sweden.

Is there a solution then?

Yeah. I told you so in the beginning and even if you choose not to use what I suggest, I highly recommend that you start thinking about these things properly because these problems will accelerate in the future. Just take a look at all the hacktivism with DDOS attacks going on out there. It’s just a start because the Internet is still young.

First of all, and this is extremely important you realize, , it doesn’t matter if you hosting your own servers or if you’re using VPS (Virtual Private Servers) hosted somewhere else or even if you’re a Cloud Service Provider. The basic principal stands: if you are providing any kind of service to users using the Windows Authentication mechanism you should be reading this and hopefully my point has come across.

If you’re having brute force attacks on your Windows systems today and I’m pretty sure you do (just turn on logon auditing and I’m sure you’ll see you have more than you actually thought you did, *for some odd reason this is NOT turned on by defaut in Windows*) there’s a few things you should be doing (that I’m guessing you’re not beacuse you’re not a cyborg and you need to sleep, meet your friends and family and actually be doing something productive during your work hours). On the other hand, if you are doing all of these things I’m guessing you have quite a large IT staff with a lot of time on their hands. Good for you. Call me and I’ll apply for a position.

First of all. Block the attack.

You need the attack to stop! Instantly. This is of course your first priority That’s basically blocking it in the firewall, either in the local Windows firewall or the external one, it’s actually up to you which way is the easiest one. The reason is that you don’t want to be wasting CPU and RAM and bandwidth on these people (or botnets)  and of course, you don’t want them to actually succeed in logging on (should you have a lousy password policy in place ) or even them disguising a real intrusion attempt behind a DDOS attack to fill your logfiles and hide themselves in there. (Yes, it’s not an uncommon method). There’s also quite a few reports of DDOS attacks being used to disguise the actual reason for it which is to find out what security measures are in places for future reference. The “know your enemy principal”.

Second. Trace the attack. From where did it come?

Second , you need to find out from where the attack originated and what username was used. This is because you want to know if it is a competitor trying to hack you and access your corporate data or if you find yourself in the interesting position of your own username trying to login from sunny Brazil and you’re just not in Brazil (although you’d love to be) . You’re in Chicago looking at winter. Somethng’s up.
You also want to see if it’s a former employee trying to log on and so on .. This is stuff you need to know and keep track of since there may be legal issues involved further down the line.

Points one and two , you want to be handled in real time. There’s no use for you to find out two days after the attack that something actually happened. You want it stopped, reported and handled as it happens.

The legal stuff.

Third, you need to decide what to do with your information. Should it be handed over to the legal departement, your boss, the police or is it just “nothing” and can be discarded ?

So. “What would you suggest as a solution then” ? 

The easiest and most cost efficient way to handle brute force attacks on Windows server is to have an automated sysem to block, track and report each attack and that’s where Syspeace comes into play.

Syspeace is a locally installed Windows service, thus using a minimum of system resources,  that monitors the server for unwanted logon attempts and blocks the intruders in real time in the local firewall based on the rules you’ve set up. For instance “if this IP address has failed logging on 20 times during the last 30 minutes then block it completely for 5 hours and send me an email about it”

This means that you can for instance set up a blocking rule that is you “Account lockout policy – 1” in your rules and that way simply blocking the bruteforce attack but not locking your users accounts and causing them unecesseray disruption.

Since Syspeace monitors the Windows Authentication logon oprocess, it doesn’t matter what firewall your using or what ports you’re using, the monitoring and blocking is done where the actual login attempts is made and therefore caught and handled automatically.

Once the intruders IP address is blocked, it’s blocked on ALL ports from that server which means that if you have other services also running on it (like FTP or well.. anyhting really) those ports and services are also protected instantly from the attacker. Not giving them the chance to find other ways of gaining access to that server through exploits.

A few other features in Syspeace

A few other nice features with Syspeace is for instance the GBL (Global BlackLlist) where every Syspeace installation around the world , reports each attack to a databse where they are examined and weighed and , if deemed “meneace to Internet and all of mankind” the database is then propagated to all other Syspeace installations. In this way, you’re preemptively protected when the bad guys come knocking on your door. So far , there has been over 200 000 brute force attcks blocked by Syspeace worldwide (and that’s just since mid July 2012) and some of them have made it to the GBL. Lucky them.
Of course there are white lists and stuff, giving you the ability to have your customers or internal users keep hammering you servers all day long if they (and you) want  without being blocked out.

There’s also the Attack Cintrol section that gives you the ability to sort out information about successful and failed logons, findind the ones that are trying to stay under the radar, viewing reports.
You get daily and weekly reports email to you and each attack is also mailed to you with detailed but easy to understand information from where the attack originated including country, what username was used and how many times they actually tried to hack or overload you. This gives you the ability to quickly see of it’s something you should be taking care of or just carry on with your working day and leave it be with a smile on your face.

The GUI is easy to use (and there’s an even easier coming up in the next version) so there’s no need to hire costly consultants to be up & running or start using various scripts and change parameters in them to suite you needs and hope for the best and hope they don’t hang your servers.

Syspeace also protects the Microsoft Exchange Server Connectors from being attacked.

The licensing is not steep, I’d even dare say cheap and it’s extremely flexible.

As an example. If you buy yourself a new server today (evereybody loves new toys ) , you install Syspeace on it and then you get yourself a second server in 4 months. You can easily align the licensing renewal dates for both servers , not having to keep track of licensing renewals scattered over the entire year. If you’re up for , you could even byt yourslef just a one months license. Or a week. I’s up to you and what needs you have.

Download a free trial and see for yourself.
We know it works and so does all of the people around the world who are already running it.

Syspeace – let the silence do the talking

Syspeace - intrusion prevention for Windows servers

Syspeace website

Blog post written by Juha Jurvanen
Senior IT consultant in backup, IT security, server operations and cloud

Syspeace has now blocked over 1 million brute force attacks worldwide!

As the headline states and as we predicted last week, Syspeace has now blocked  +1 million brute force / dictionary attacks on Windows Servers worldwide!

That’s since July 15th 2012 when we went public.

Download a free, fully functional trial at the  Syspeace download page to help protect your Windows Servers, Terminal Servers, Exchange Servers, Citrix Servers, Sharepoint Servers and more.

Syspeace is a vital component in every Windows server’s baseline security.

Closing in on 1 Million blocked brute force and dictionary attacks on Windows Servers world wide

Just a quick post about the numbers so far really.

Last night , Syspeace had blocked 962 553 brute force and dictionary attacks on Windows 2003 / 2008 / SBS server / RDS servers / Citrix WorldWide.

As a prediction , we will reach over 1 Million later on this week or early next week. We think that’s pretty cool. Considering Syspeace has been publically available only since July 15th 2012..

New version coming up

Other news regarding Syspeace is that we’re beta testing the new release now that will support Windows Server 2012, SQL Server and also have a completely new reporting, sorting and exporting feature called Access Reports.

The new Access Reports feature lets you create reports on failed and succesful logins on your Windows Servers and export them to .CSV reports. The information is saved in the local database so even if the Windows Security Log is cleared, the information is still available for use in for instance forensics and other tasks.

For a free trial download of the brute force and dictionaray attack preventon software Syspeace, please refer to the Syspeace Download page.

How to setup syspeace for rdp – intrusion prevention for Windows servers

This is actually just a post based on some of the search terms that have led to people finding this blog.

So,

how to setup syspeace for rdp

..
Actually , it might take you longer to read this blogentry than actualy set it up.

1. Go to the Syspeace website and download the software at /downloads.aspx

2. Read the requiremnets in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server SBS 2008 and so on . (We are currently working on the Windows Server 2012 validation and we have tested it successfully but in certain scenarios the source IP address isn’t displayed in the evenlog. This is a Windows Server issue)
.Net 4 (if not installed, it wil be installed for you )
1GB free disk, minimum 500M RAM.
Auditing
Auditing for failed login and successful log in switched on in local security policy or in the group policy for the domain. This will enable events in the event-log that Syspeace listens for.
Firewall
The built-in firewall in Windows must be up and running.

3. Install Syspeace which is quite straight forward

4. Start the GUI and type in a valid mailaddress to get your 30 day free trial license key emailed to you. This emai address is also going to be the account emai you need tp use when purchasing the license.

4. Paste the license number and the GUI will start.

5. By default, the Syspace service is NOT started.

6. Cllick teh Settings button and review the default rules (called the “Catcha all” rule” and alse set up messaging for blocked attacks (whom to alert, whom to emai license inforamtkion and so on )

7. Close the Settings section. Click the “START” butto and you’re done.

Now, your Windows server is instantly protected from brute force and dictionary attacks against youe Exchange Webmail OWA, Terminal Servers on RDP (terminal services, remote desktop services, remote app sessions) and the webinterface called RDWEB, your Sharepoint login , your Citrix server, winlogon services and even more.

There’s really not that much more to it.
Since the intrusion prevention for Syspeace monitor the Windows Server Evnetlog , it doens’t matter if you have set up RDP on other ports or if you are using a proxy. Sysoeace is a HIDS (Host Instrusion Protection System) thus eliminating the need for separate hardware, expensive consulans and redesigning you infrastructure.

Just sit back and start recieving resports and emails when an attack is blocked, tracked and reported.

Securing Cloud services from dictionary attacks – hack yourself and check your Cloud providers / outsourcing providers security and response

The more we move our data to various Cloud services and to outsourcing companies, we also need to take the consequences into account what that means from a security perspective.

Prior to a move to Cloud services, a company could keep track of how communications are secured, they could set their own account lockout policies and monitor all logfiles in order to keep security at the desired level.

With the popularity of Cloud services becoming more widespread, a lot of the possibilities for this kind of control and tightened security has disappeared. As a Cloud user you rarely get any indication that someone is for instance trying to use your username and password to gain access to your, for instance , your Microsoft Exchange Webmail , also called OWA.

A hacker can probably try to guess your password with a brute force attack or dictionary attack for quite some time and nothing really happens. The protective measures at the Cloud service provider are most likely unknown to you and you will not get a notification of that something might be going on.

An easy way for you to verify this is actually to try hack yourself. By this I mean, try to login to you account but with an invalid password. See what happens. Is your account locked out? Does the OWA disappear for you, indicating your IP address has been locked down by some security countermeasure?
Are you as a customer and user notified and alerted in any way of the attempt? This is of course also a simple test you can do against you own companys webmail if you want to, although the server team won’t like it when you point out the problem.

Keep in mind that it would take quite some time to do each logon manually but hackers don’t do this manually. They use special software for this that is freely available for download and they can render thousands and thousands logon attempts in  few minutes.

From the Cloud Service provider point of view, this has been a big problem for years. Brute force prevention and dictionary attack prevention on especially the Windows server platform has always come with lots of manual labor and high costs so it’s usually not even dealt with.

From the user point of view, there’s not that much you can do about it reslly more than verify what happens if you try and then ask your service provider for a solution if you’re not happy with the result after hacking yourself.

If you’re running Virtual Private Servers (VPS) with Windows you should consider this also but as a Cloud Service provider should.

As an important piece of the puzzle of the security systems that need to be in place, and as a natural part of the server baseline security configuration, have a look at Syspeace , an easy to use, easy to deploy and configure brute force prevention software that automatically blocks the intruders IP address,tracks it and reports it to the system administrator. Without causing the legitimate users account to be locked out and with no manual intervention at all.

Syspeace works by monitoring the servers eventlogs and is triggered by unsuccesful login attempts as alerted by a process called Windows Authentication.

With this method, there is out of the box protection for Citrix, Microsoft Terminal Server, Sharepoint, Exchange Server and more. There is also a Global Blacklist, offering preemptive protection from well known hackers around the world.

If you’re a Cloud Service provider or if you running or hosting any Windows servers you want protected, download a free trial from Syspeace trial download and see for yourself how easily you can get rid of a big problem and, at a low cost.


Posted with WordPress for Android.
Juha Jurvanen
Senior IT consultant in backup, server operations, security and cloud. Syspeace reseller in Sweden.

JufCorp

Preventing and blocking brute force and dictionary attacks in a Windows Server environment with Syspeace

Syspeace is an automated brute force prevention / dictionary attack software that protects Microsoft Windows Servers by monitoring the Windows Authentication mechanisms for unsuccessful logins.

 

This means that you get immediate protection for Microsoft Terminal Server, Citrix, Exchange OWA Webmail , SharePoint, CRM, Terminal Server RDWeb and more, for instance there is also built in protection for Exchange connectors.

Each attack is automatically blocked, tracked and reported and as a system administrator you set up your own rules on when to block and for how long.

Syspeace is easy to install and you’re up & running and protected within minutes of the download. No need for changing your infrastructure, buy costly new appliances or hire specialized consultants.

The Global Blacklist that is shared among all Syspeace installation around the world gives you preemptive protectionfrom well known hackers and ddos attackers, blocking them even before an attack can be initiated.

Syspeace also contain reporting capabilities, giving you the ability to check for failed and successful logins for your servers and separated mail notifcations based on events.

The Syspeace licensing model is very flexible and and targeted to be easily affordable for any company, whether you’re n the SMB segment, a large enterprise or even a large Cloud Service Provider or an outsourcing company.

One of the goals for Syspeace is to become a natural part of every servers installed security mechanisms as part of the baseline security and an important piece of that security work is

Windows 2003 version of Syspeace is underway to also provide brute force and dictiionary atacks prevention for older servers

Try for yourself and see how easy it is

/

Other IT Security aspects

If you’re interested in various aspects of server security questions you might want to check out  http://syspeace.wordpress.com and this blog where there’s quite a few articles on why and how Syspeace can help you with your everyday battle of brute force and dictionary attacks but also a few other guidelines for IT security.

Protecting your customers from brute force attacks in Cloud services or in an outsourcing company

 About brute force protection and Cloud Security and VPS (Virtual Private Servers) and outsourcing or hosted environments

Thoughts on cloud security by Juha Jurvanen @ JufCorp

If you are a Cloud Service provider or an outsourcing company and giving your customers access to various Windows services such as file access, Exchange, Exchange OWA,  Sharepoint, Citrix, RemoteApp and Terminal Server services or even VPS (Virtual Private Servers) , there are things you may want to consider.

Cloud security is often debated and it should be. There are pros and cons to each technical solution. Your customers rely on you to have your services reachable, virtually 24/7 and initially, they’ll be happy when that works.

Nowadays though , Cloud Computing has grown to be more accepted and with it a few questions are coming to life.

Your customers will eventually start asking you how you actually deal with various brute force attacks and dictionary attacks to protect their data. You will also , sooner or later, be faced with questions of reporting of these attacks and to be able to gather various reports of when and from where a specific user was logged in,

Remember that you customers have moved from an inhouse hosted environment where they had the ability to gather this intel themselves and they will be expecting to be able to get it from you. They also had the ability to use Syspeace to protect them but once they’ve shifted to your services, they have absolutely no idea of what security mechanisms you have in place for them and these questions will start to come around.

Historically, it’s been very difficult to handle these situations (feel free to read earlier post on this blog to see what I’m getting at for instance  http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/ and http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ) so many sysadmins have just more or less given up but when we’re moving to Cloud Services and Cloud Computing, people will expect that also these matters should be sorted. The issue is “why should we move our data to something we can’t even control or know how the security is set up or verify it easily ? ”

Sooner or later, the end users and customers will start testing how your response really is and verify if there are any mechanisms in place (sometimes out of curiosity and sometimes due to internal processes and audits).

Is their attacked account locked out ? For how long ? Is the attacking IP locked out ? Can you as a Cloud Service provider contact the user and let them know that someone tried to user their account from an IP address in China , although you know the customer has no business in China? Do you alert you customers about it ?

No, probably not and it’s easy to understand why.

Because all of this has required  a lot manual work so most service providers and outsourcing companies just don’t want to deal with the problem and tend to not talk about the actual problem, being basically, they have no idea on important stuff such as from where a login attempt was made, what username was used and how was it handled? Was it successful or a failed attempt and how many times did the attacker actually try ?

If you are a Cloud Computing Service provider I highly suggest you have a look at Syspeace to enable you to add this service for your customers and protect access to your Cloud services preemptively and actually have these things handled automatically, without increasing your workload but still tightening your security and to a very low cost.

If you’re a VPS provider, consider for instance having the Syspeace software pre installed in your images and let your customers know it’s there so they themselves can decide whether to use it or not. It’s not an extra cost for you but it does show your customers that you’re actually thinking about their security and that you’re thinking ahead.

So far, Syspeace has actually saved 4.3 M US$ in only a few months in costs for the manual workload associated with brute force attacks and dictionary attacks.

I believe that the service providers that start thinking about these things and take them seriously will have an advantage to those who don’t and quite a few will take having a system such as Syspeace in place for granted, as you would with antivirus.

Have a look at the Syspeace website and see for yourself how quickly and easily you can implement a brute force prevention system without the usual costs of appliances or costly consultants.