Posts

Troubleshooting Syspeace

An interesting support case came to our attention recently.

A customer claimed that Syspeace wouldn’t block according to the rules.

The bruteforce attacks would continue , even after they should have been blocked.

We checked the ususal culprits (verify that the .Net is fully patched, that the customer is running the latest Syspeace version, verify that logging is enabled and that the firewall is turned on )

The rules were added as expected in the firewall but they didn’t have any effect.

After a lot of troubleshooting the root-cause was found.

The customers server did indeed have the firewall enabled but only in one of the firewall profiles (public, private, domain) and unfortuantely, the network used was not the one the firewall was enabled for, hence, nothing was blocked as expected. The rules were added but did not take effect in the expected amount of time

So, as a general troubleshooting tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.

The usual troubleshooting tips we give are described in the manual in the troubleshooting section

1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)

4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn’t find any, there is not much that Syspeace can do. (Update: starting with Syspeace 2.7, these attempts can be detected too.)

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester “anypassword”

9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual

11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article

12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. Please refer to this post on the matter
by Juha Jurvanen

Using Syspeace for a targeted bruteforce attack against a specific username

Today we had an interesting support question actually.

Someone is trying to bruteforce a customer using the same account name but from a lot of different IP addresses and they only try once or twice from each IP address thus not triggering Syspeace to block the IP address based on the default rule.

The suggestion that we eventually came up with is to create a rule based on the user name and set the allowed attempts to only 1 failed attempt. therefore making Syspeace block the IP address immediately.

In this scenario though, one must also keep in mind though that legitimate user will get blocked out instantly after one failed try so there might be a good reason to white list the IP addresses that this user usually logs in from.

Furthermore, the reason for this specific and targeted user attack should be inestigated more closely and also be handed over to the proper authorities for investigation.

Closing in on 1 Million blocked brute force and dictionary attacks on Windows Servers world wide

Just a quick post about the numbers so far really.

Last night , Syspeace had blocked 962 553 brute force and dictionary attacks on Windows 2003 / 2008 / SBS server / RDS servers / Citrix WorldWide.

As a prediction , we will reach over 1 Million later on this week or early next week. We think that’s pretty cool. Considering Syspeace has been publically available only since July 15th 2012..

New version coming up

Other news regarding Syspeace is that we’re beta testing the new release now that will support Windows Server 2012, SQL Server and also have a completely new reporting, sorting and exporting feature called Access Reports.

The new Access Reports feature lets you create reports on failed and succesful logins on your Windows Servers and export them to .CSV reports. The information is saved in the local database so even if the Windows Security Log is cleared, the information is still available for use in for instance forensics and other tasks.

For a free trial download of the brute force and dictionaray attack preventon software Syspeace, please refer to the Syspeace Download page.

Preview of the new Acces Reports feature in the upcoming Syspeace

This is a sneak preview of a new feature in the upcoming Syspeace to make sysadmins also be able to search, sort, create and export various reports to .CSV files on login activity on their Windows servers.

There will be even more things in the reporting and sorting functionality when we release it

Syspeace protects Windows servers, Exchange Servers, Remote Desktop Services, Citrix Servers, Sharepoint servers and more from brute force and dictionary attacks.
Syspeace works on Windows Server 2003, 2008 , 2088 R2 and SBS versions and an officially supported Windows Server 2012 and SQl Server support is underway,

For a free , fully functional trial please see Syspeace download

Am I under attack for a brute force or dictionary attack on my Windows server?

Brute force attack or dictionary attack on Windows servers

Dictionary attack and Brute force attack are fairly easy to find out if your Windows servers are being hit with some sort of an attack.

Simply enable auditing of Logon Events in your Security Policy and look at the eventviewer and see what pops up. You will then know if your server are hit by brute force or dictionary.

Dictionary or Brute force in the eventviewer

Open your eventviewer and search for logon events named 4625 n Windows 7, Vista, 2008 , 2008 R2, 2012, 2012 R2 or 529 on Windows server 2003.

Open up these events and look at the username used, the network source address and see if they are legitimate login attempts or not.
You could use for instance WHOIS to find out where the attack came from or traceroute or nslookup.

How do you single out dictionary or Brute force attack?

If you’re under attack you’ll be seeing hundreds or thousands of failed logon attempts, sometimes from a single IP address or in a more serious scenario, from hundreds or even thousands IP addresses at once.

In some cases, such an attack is also just a way to hide the real purpose behind the attack which is to find out what security measures you have in place and to search for any vulnerabilities you may have in place that can be use to hack you later on. The attacker tries to “hide in the noise” so to speak.

If it’s a single IP address it’s fairly easy just to block the attacker in your external firewall completely or in the local Windows firewall (assuming you’re awake and have seen the attack ) but, if it’s hundreds or thousands at once it becomes more or less impossible if you can’t automate it.

This is where Syspeace comes into play.

Syspeace – The innovative tool for Brute force and Dictionary attacks

Syspeace automatically monitors, traces, blocks and reports failed logon events if they reach the criteria you’ve set up, for example “If an attacker fails to login 10 times during 30 minutes, I want the attackers IP address to be blocked completely on all ports for 2 hours” or even “If an IP address fails to login more than 10 times during 7 days, I want the attacker to be blocked ..”

If you’re under attack, the fastest and easiest way is to download the free trial of Syspeace, install it and simply start the Syspeace service and the attack will be blocked automatically within minutes.

At the moment, Syspeace supports Windows 2003, 2008, 2008 R2, 2012, 2012 R2 and all of the SBS versions, SQL Server, Exchange Server, Citrix and more.
Out of the box.
And there’s a fully functional, free 30 day trial on the website. We help you check for brute force attack and dictionary attack the easy way.

Securing Cloud services from dictionary attacks – hack yourself and check your Cloud providers / outsourcing providers security and response

The more we move our data to various Cloud services and to outsourcing companies, we also need to take the consequences into account what that means from a security perspective.

Prior to a move to Cloud services, a company could keep track of how communications are secured, they could set their own account lockout policies and monitor all logfiles in order to keep security at the desired level.

With the popularity of Cloud services becoming more widespread, a lot of the possibilities for this kind of control and tightened security has disappeared. As a Cloud user you rarely get any indication that someone is for instance trying to use your username and password to gain access to your, for instance , your Microsoft Exchange Webmail , also called OWA.

A hacker can probably try to guess your password with a brute force attack or dictionary attack for quite some time and nothing really happens. The protective measures at the Cloud service provider are most likely unknown to you and you will not get a notification of that something might be going on.

An easy way for you to verify this is actually to try hack yourself. By this I mean, try to login to you account but with an invalid password. See what happens. Is your account locked out? Does the OWA disappear for you, indicating your IP address has been locked down by some security countermeasure?
Are you as a customer and user notified and alerted in any way of the attempt? This is of course also a simple test you can do against you own companys webmail if you want to, although the server team won’t like it when you point out the problem.

Keep in mind that it would take quite some time to do each logon manually but hackers don’t do this manually. They use special software for this that is freely available for download and they can render thousands and thousands logon attempts in  few minutes.

From the Cloud Service provider point of view, this has been a big problem for years. Brute force prevention and dictionary attack prevention on especially the Windows server platform has always come with lots of manual labor and high costs so it’s usually not even dealt with.

From the user point of view, there’s not that much you can do about it reslly more than verify what happens if you try and then ask your service provider for a solution if you’re not happy with the result after hacking yourself.

If you’re running Virtual Private Servers (VPS) with Windows you should consider this also but as a Cloud Service provider should.

As an important piece of the puzzle of the security systems that need to be in place, and as a natural part of the server baseline security configuration, have a look at Syspeace , an easy to use, easy to deploy and configure brute force prevention software that automatically blocks the intruders IP address,tracks it and reports it to the system administrator. Without causing the legitimate users account to be locked out and with no manual intervention at all.

Syspeace works by monitoring the servers eventlogs and is triggered by unsuccesful login attempts as alerted by a process called Windows Authentication.

With this method, there is out of the box protection for Citrix, Microsoft Terminal Server, Sharepoint, Exchange Server and more. There is also a Global Blacklist, offering preemptive protection from well known hackers around the world.

If you’re a Cloud Service provider or if you running or hosting any Windows servers you want protected, download a free trial from Syspeace trial download and see for yourself how easily you can get rid of a big problem and, at a low cost.


Posted with WordPress for Android.
Juha Jurvanen
Senior IT consultant in backup, server operations, security and cloud. Syspeace reseller in Sweden.

JufCorp

Preventing and blocking brute force and dictionary attacks in a Windows Server environment with Syspeace

Syspeace is an automated brute force prevention / dictionary attack software that protects Microsoft Windows Servers by monitoring the Windows Authentication mechanisms for unsuccessful logins.

 

This means that you get immediate protection for Microsoft Terminal Server, Citrix, Exchange OWA Webmail , SharePoint, CRM, Terminal Server RDWeb and more, for instance there is also built in protection for Exchange connectors.

Each attack is automatically blocked, tracked and reported and as a system administrator you set up your own rules on when to block and for how long.

Syspeace is easy to install and you’re up & running and protected within minutes of the download. No need for changing your infrastructure, buy costly new appliances or hire specialized consultants.

The Global Blacklist that is shared among all Syspeace installation around the world gives you preemptive protectionfrom well known hackers and ddos attackers, blocking them even before an attack can be initiated.

Syspeace also contain reporting capabilities, giving you the ability to check for failed and successful logins for your servers and separated mail notifcations based on events.

The Syspeace licensing model is very flexible and and targeted to be easily affordable for any company, whether you’re n the SMB segment, a large enterprise or even a large Cloud Service Provider or an outsourcing company.

One of the goals for Syspeace is to become a natural part of every servers installed security mechanisms as part of the baseline security and an important piece of that security work is

Windows 2003 version of Syspeace is underway to also provide brute force and dictiionary atacks prevention for older servers

Try for yourself and see how easy it is

/

Other IT Security aspects

If you’re interested in various aspects of server security questions you might want to check out  http://syspeace.wordpress.com and this blog where there’s quite a few articles on why and how Syspeace can help you with your everyday battle of brute force and dictionary attacks but also a few other guidelines for IT security.

Protecting your customers from brute force attacks in Cloud services or in an outsourcing company

 About brute force protection and Cloud Security and VPS (Virtual Private Servers) and outsourcing or hosted environments

Thoughts on cloud security by Juha Jurvanen @ JufCorp

If you are a Cloud Service provider or an outsourcing company and giving your customers access to various Windows services such as file access, Exchange, Exchange OWA,  Sharepoint, Citrix, RemoteApp and Terminal Server services or even VPS (Virtual Private Servers) , there are things you may want to consider.

Cloud security is often debated and it should be. There are pros and cons to each technical solution. Your customers rely on you to have your services reachable, virtually 24/7 and initially, they’ll be happy when that works.

Nowadays though , Cloud Computing has grown to be more accepted and with it a few questions are coming to life.

Your customers will eventually start asking you how you actually deal with various brute force attacks and dictionary attacks to protect their data. You will also , sooner or later, be faced with questions of reporting of these attacks and to be able to gather various reports of when and from where a specific user was logged in,

Remember that you customers have moved from an inhouse hosted environment where they had the ability to gather this intel themselves and they will be expecting to be able to get it from you. They also had the ability to use Syspeace to protect them but once they’ve shifted to your services, they have absolutely no idea of what security mechanisms you have in place for them and these questions will start to come around.

Historically, it’s been very difficult to handle these situations (feel free to read earlier post on this blog to see what I’m getting at for instance  http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/ and http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ) so many sysadmins have just more or less given up but when we’re moving to Cloud Services and Cloud Computing, people will expect that also these matters should be sorted. The issue is “why should we move our data to something we can’t even control or know how the security is set up or verify it easily ? ”

Sooner or later, the end users and customers will start testing how your response really is and verify if there are any mechanisms in place (sometimes out of curiosity and sometimes due to internal processes and audits).

Is their attacked account locked out ? For how long ? Is the attacking IP locked out ? Can you as a Cloud Service provider contact the user and let them know that someone tried to user their account from an IP address in China , although you know the customer has no business in China? Do you alert you customers about it ?

No, probably not and it’s easy to understand why.

Because all of this has required  a lot manual work so most service providers and outsourcing companies just don’t want to deal with the problem and tend to not talk about the actual problem, being basically, they have no idea on important stuff such as from where a login attempt was made, what username was used and how was it handled? Was it successful or a failed attempt and how many times did the attacker actually try ?

If you are a Cloud Computing Service provider I highly suggest you have a look at Syspeace to enable you to add this service for your customers and protect access to your Cloud services preemptively and actually have these things handled automatically, without increasing your workload but still tightening your security and to a very low cost.

If you’re a VPS provider, consider for instance having the Syspeace software pre installed in your images and let your customers know it’s there so they themselves can decide whether to use it or not. It’s not an extra cost for you but it does show your customers that you’re actually thinking about their security and that you’re thinking ahead.

So far, Syspeace has actually saved 4.3 M US$ in only a few months in costs for the manual workload associated with brute force attacks and dictionary attacks.

I believe that the service providers that start thinking about these things and take them seriously will have an advantage to those who don’t and quite a few will take having a system such as Syspeace in place for granted, as you would with antivirus.

Have a look at the Syspeace website and see for yourself how quickly and easily you can implement a brute force prevention system without the usual costs of appliances or costly consultants.

Securing your webmail/OWA on Microsoft Exchange and a few other tips

This is what I’d called a “blogomercial” with a hidden agenda but I hope you’ll find some interesting pointers anyway, the commercial part is at the end really. 🙂

Servicing your users and customer over the Internet 

Anything facing the Internet is a potential target for anyone who wants to gain access or disrupt your data operations. If it’s here, people will try to get in or make it stop working. That’s just the way it is and I’m sure you’re aware of it.

There’s different methods for the attacks actually, they could be a DOS attack, a DDOS attack , SYN Floods to name a few
The motives behind any of these could be a number of things such a hacktivism, former employees or even current, script kiddies just fooling around, organized crime, extortion, theft of company secrets and so on.
Just take your pick really.

You need to make a SWOT analysis and have a Business Continuity Plan (BCP) in place for the different scenarios actually.  It sounds expensive (and, yes,  it can be) but the day you servers are under attack, you’ll be happy you took the time to create one. Trust me. So will your CEO be.

A few of the different techniques for DOS, DDOS , Brute force

The methods of taking down a server vary. As with everything else in the real world, there are different tools to get the same job done, it’s basically a matter of taste and skill and how much time the attackers have on their hands. If you’ve pissed of a state , you’re probably going to have an extremely bad day since they do have extensive resources to keep you “offline” for as long as they want really.

SYN FLOOD

For instance there’s SYN flooding , basically equivalent to old school prank calling,

Send a network packet to the server announcing you want to “speak”  , the server responds but no one is there to continue the “conversation” . If you do this a few hundred thousand times, the server will have quite a few “phone calls” to attend to and therefore can’t actually be bothered with picking up the “phone” for the legitimate “calls” thus making a DOS attack meaning “Denial of Service”, the server can no longer service what it’s meant to service, that being your users or customers.

DOS and DDOS Attacks

A DDOS (Distributed Denial of Service) attack is actually the same thing , the main difference being that its spread out over an extremely large number of computers around the world doing the same thing , making it very difficult to manually block each and every one of them in the firewall manually. These computers are usually part of something called botnets and the users of these computers are rarely aware even of them being a part of it. In this scenario you need to contact a lot of people and get it sorted, for instance your ISP, the server guys and firewall guys and you need to have a look at the BCP. What do we do when this happens and so on. Do we move the servers, up the bandwidth, go out of business,  wait until it passes and so on ?

MITM, Man in the Middle 

Using MITM (Man In The Middle) attacks is also popular method if you haven’t secured your server and your communications with valid SSL certificates. Quite a few actually use self-issued certificates on the websites and on their OWA site and that’s not a good thing. When someone who knows what they’re doing connect to a site that has a self issued certificate the first thing that comes to mind is ..”hmm .. these sysadmins are cheap and lazy and I’m fairly sure they just set this server up using default values.. let’s have a look”  .. )

The problem is that there’s actually no real way for the connecting computer to validate that the site it is connecting to actually is the site it’s hoping for. It might as well be someone claiming to be that site since the certificate used can’t be validated by a third party (the “Trustad Authorities”). This way , phishing attacks (“phising” is when you “phish” for a users valid credentials to use them later at the users real websites)

It’s absolutely no guarantee even if you do use a valid certificate since also the “Trusted Authorities” can be hacked and therefore all of their certificates can be compromised (yes, it’s already happened a few time in the past year, GoDaddy, Verisign and even Microsoft themselves realized they had a bug in how Windows Update actually validates that it is connecting to the Windows Update site and nowhere else.)

Brute force attacks

Another method of rendering you server useless is to use a brute force attack on the usernames (sometimes also known as a “dictionary attack” ) .

If you know the naming convention of the usernames used at the company (quite often as easy as the email addresses of the employees or compaynameusername) you can keep on pounding the server with valid usernames and wrong passwords , hopefully rendering the user accounts to become locked out all the time by triggering the Account Lockout Policy. An easy entry point to this is the .. *tadaa* .. yes, you guessed it, the Microsoft Exchange Webmail/OWA interface (or for instance a Sharepoint login interface) .

It’s always there, it’s fairly easy to find ( mail.companyname.com, webmai.companyname.com , mailserver.companyname.com/owa and so on. Tekkies might be good at tekkie stuff but we do lack imagination when it comes to naming stuff. And we are lazy 🙂

It’s not that difficult to find out what mail server a company is using (easiest way is to use the NSLOOKUP command and search for the MX record, start a telnet session to the server and see what it presents itself as . It’s usually in cleartext what kind of server you “talking” to )

Once you know this , you also know a few other things automatically.

Practical use for the information

By default , there are two valid usernames in a Windows Active Directory (I will stick to 2008+ AD here)

First, it’s the older naming that quite a few still uses. This is the COMPANYNAMEUSERNAME naming convention . These usernames can be difficult to guess , it could be the users first name (COMPANYNAMESAMUEL) or the the first characters of the first name and surname (COMPANYNAMESAMSMIi) and so on. It’s basically more or less a question of how large the company is.

The larger it is, the longer the username but also , much more standardized in naming since otherwise it becomes an administrative nightmare for the system administrators and we are a lazy bunch really. We want to be able to find our user quickly and and easily in order to support them and keep track.*grin*

The easier approach is to attack the user account using their mail addresses. Quite a few sysadmins don’t realize that the mail address is also a valid logon name since they are used to thinking of logins using the the old naming convention.

Since they also want to provide access to webmail , and usually, 97 times out of a 100 (no, I just guessed a number, I have no statistics to support it, it’s just a gut feeling, ok ? ) they don’t require any special VPN software for their user to access the webmail (OWA)  interface since the whole idea is to let users easily connect to their mail, wherever they are.

This means that the OWA interface is reachable for the entire world to try and login into and thus leaving you open for DOS, DDOS, brute force attacks and so on .

SPAM and overload

There’s also so the various methods of overloading our server with SPAM and viruses.

It’s not unusual to use the secondary MX record (which is used for failover in case the usual mail server has some issues)  for your mail domain actually. Most companies that have secondary MX in place have a more or less effective defense on the primary MX but the secondary is often forgotten and is a popular way to over flood a server with various SPAM.

Quite often , they’ve set it up in the way that the primary MX might point to the secured, external provider or the secured, primary mail server interface and the secondary points directly to the mail server, thus not taking the way through the washing and security mechanisms in place but instead be delivered directly to the mail server.

A few countermeasures then .. 

So , what can be done then? Should you close down the OWA / webmail interface? Stop using email? Revert to faxing?

No, of course not

Here’s a few pointers on what I’d suggest on securing and managing your Exchange servers. It’s not all the tricks in the book and I’m sure I’ve missed out on quite a few ones really but it’s a start I guess. Just, remember, there is no such as thing as absolute security.

1. Minimize the attack surface behind a good firewall that can deal with the SYN Floods and port scans and stuff. Be cautious not to open up anything more than what’s absolutely necessary to and from the outside world.

If you’re using an external “mail cleaning service”, don’t allow port 25 from any other IP/IP ranges than them. If your users are to use your Exchange Server for relaying , set up a connector with SSL and SMTP authentication on other port and enable logging on it. Protect it by using Syspeace (yes, here the first commercial part so you’ll see where this is headed 🙂 )

Also, best practices is to use a DMZ (Demilitarized Zone) for any of your serevr facing the Internet although when I start to think of , I’m not sure if that’s necessary. There’s different opinions in the matter really. The idea is to have the attacker not being able to come in further into you network, should they succeed in gaining control over the server on he DMZ. Unfortunately, I’m fairly sure that somewhere on the those servers there are administrator password and stuff that’s useful knowledge for further access into your network.

2. Get valid, proper, shiny and bonafide certificates for your communications. It’s not costly and not complicated to implement. Its mainly the hassle of you having to remember when to renew them, otherwise stuff will stop working when they expire.

3. Use an automatic brute force prevention software ( I highly recommend Syspeace since it also protects, Sharepoint, Citrx, Terminal Server, CRM , RDWEB, basically anything that uses Windows Authentication ) to get rid of the DOS attack where username/password is hammered onto you servers (brute force attacks / dictionary attacks) . (I’ve written an earlier entry on why firewalls, VPNS, account lockout polices and so on aren’t enough here: http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ).

4. Enforce an Account Lockout Policy and enforce complex password. Yes, people will hate you but they will hate you even more if someone actually succeeds in hacking your users data.  Have a look at the link above about Account Lockout Policies though. Do not have local users more than necessary on the Exchange Server itself.

5. Verify all of the websites with the NTFS permissions when it comes to file access, remove the IISTART from the root and remove any default .HTML and .ASPX pages that don’t need to be there.. Don’t let he attackers realize you’re lazy and using default values everywhere. I’ve seen so many servers withe default start page on IIS and that’s just not right.

6. Verify also you’re not open for relaying ( this is usually default nowadays) . Anything that is installed by default by the IIS , take good look at it and decide if it really needs to be there, If not remove it!

7. Redirect all of the 404 and other serious html errors to somewhere else. Google, your worst competitor, your mother-in-law, 127.0.0.1 , anywhere really , just get rid of the traffic from your own site. A lot of 404 errors could mean that someone is trying to find out stuff about your server and if you have any default installed scripts or pages in place that can be used to gain access to your server .

8. Antivirus of course.If you’re not using one today, well.. maybe you shouldn’t be reading this at all but you should be out looking for another job really. I hear there’s good money in flipping burgers.

I’ve used most of them , some are good and some .. well , just aren’t. For the moment I do use Fsecure or Trend a lot. I’m not a big fan of McAfee due the fact they’ve released a few .. not so good updates the recent years that crashed servers around the world. I’m sure they a great product, it’s the product testing and quality verification that needs improvement. Just remember , the same thing goes for antivirus as for 0day attacks, if you antivirus provider hasn’t released any protection against that virus you just got into your system , there’s not that much you can do about it, more than start cleaning your server once you the antivirus updated or even restore your server to a state prior to the virus. An antivirus is not the single point of protection. Common sense is the best antivirus protection in the world.

9. Also, as a complement, use an online service also that filters all of your incoming and outgoing mail from viruses and SPAM and also have you secondary MX records point to it. Usually these services also hold you mail in queue if they cant’ be delivered, buying you time to change the IP addresses or server if you are under attack and not losing any mails.

10. Set up DNS Blacklisting and DNS GREY Listing. It’s not very complicated to do really and you do get rid of a lot of unwanted traffic.

11. Don’t use the “validate reverse DNS” options since a lot of companies haven’t actually set it up correctly so you’ll just risk not getting email from them. The idea is good but it doesn’t work in real life.

12. Enable logging on the connectors and basically enable logging on everything. READ!! the log files. Don”t just turn on logging and let it be. At least once a day , have someone read the (or script queries against the log files ) and see what’s really going on. Search for anything out of the ordinary.

13. Remember to check your mail queues on a regular basis  If you’re starting to have loads of undelivered mail to and from various domains you could actually have a DNS server that’s under attack , not being able to service your Exchange server with required information . On the subject of DNS servers. There’s absolutely no point in having your DNS servers reachable through the firewall thus enabling attackers to flood it with DNS queries and UDP floods. Also, you external DNS server needs to be secured! Have a word with your ISP or whoever is running the external DNS server and see what they’ve got in place.

14. Patch you servers with all of the security patches that are released.  Do it as quickly as possible. There’s is absolutely no defense against 0day attacks.

A 0day is a security bug in the software of the server your running and they vary on how much impact they may have. The name comes from that it is day 0 of it’s public release and the manufacturer, in this case Microsoft, hasn’t released any patch against it leaving you vulnerable no matter what you do. Some of them are even just a nifty way of adding stuff (specific strings ) to the URL or the service the attacker wants to reach and bypassing all of the built in security by “fooling” the server.

15. Disable services that don’t need to be running, DHCP client and stuff. Although they’re not reachable from the Internet , they quite often are reachable from the inside and should you have an attacker on the inside of your network or a virus infected computer , you might be having a bad day.

Minimize attack surfaces, once again  And keep the server resources to actually servicing what they’re supposed to instead of having unnecessary stuff in RAM / CPU .  This is of course valid for any servers, Citrix, terminal servers, domain controllers, Sharepoint and so on.

16. I’m fairly sure you’ve set the ActiveSync functionality for your users since it is an effective and easy way for them to synchronize their iPads, iPhone, Androids and so on . Beware that you also remember to periodically check the various devices associated with the users. If you’ve got a user synchronizing more than 10 devices at the same time from different parts of the world, well.. either he or she is really into gadgets or their user validation information may have leaked (username / password)

17. If someone quits the company, be sure to use the mechanism for clearing the remote device from calendar entries, contacts and email using the built in mechanism in the Exchange server (it’s really easy to do ) . And, of course, if a user reports they’ve lost the devices, same thing, Clear the old device and unpair it from the Exchange server. Unfortunately, users don’t always tell you when they’ve lost stuff . They just buy a new gadget, set it up, synchronize and don’t think twice about the old one and what i actually contains.

18. A bot off topic but it has to do with BCP mentioned earlier. Be sure , please, be supersure even , you have adequate backups , containing multiple generations of data and have at least three or four of theses complete generations stored offisite in some way. Using an online backup service or just moving your tapes/disk manually out of the building. Test your DR Plan (Disaster Recovery plan) at least  once a year to verify that your backups contain all you need if something happens. Be sure o have an updated technical description of how to restore your entire environment.

  • Who?
  • Where?
  • How?
  • What?
  • In which order?

Onto what hardware/virtual machines?

That’s six quite easy questions that sum up what that technical restore plan should contain. It should be able to be read even be outside consultants in case of your entire IT department got killed in a freak barbecue accident the night before.
Keep it simple but detailed.
Include all necessary background info such as server configurations, IP plans, passwords and where the data is stored. a Network map explaining dependencies might also be useful. Don’t use in house mumbo jumbo and nicknames describing various systems and stuff.
Write your DRP from the perspective that you’re gone (in the freak barbecue accident) and the person reading it has never ever heard of your internal system before.

If you don’t have all of these things in place, the day something really happens you will regret you didn’t take the time to do it. Trust me. I’ve worked as a Disaster Recover Technician and Consultant at SunGard Availability Services in Sweden for 8 years . I’ve seen grown men cry and unless it’s not for the unexpected death of their favorite dog or a lost game for their favorite sports team , it’s not a pretty sight.

19. Also a bit off topic but still important. Be sure to have a good monitoring on the hardware aspects of your server and operating system aspects (running services, disk space used and so on ) . Personally I’m fond of Spiceworks för monitoring server health, licenses and inventory but it all boils down to resources and taking the time to set it up. As long as you have some working monitoring and someone who actually deals with the alerts that come up.

20. Sign up for the Microsoft Security Bulletin newsletter (and all similar that has to to do with your environment). Stay up to date and up to speed on what’s going on out there. Being a sysadmin is not a 9-5 job, it’s a lifestyle and the ones who do all of these things will be better protected once they’re attacked.

 

And onto the unmasked commercial part then ..

Since the focus on this article was to write in general about Exchange Server security and the hidden agenda was to mention Syspeace I’ll get back to it .  *smooth, eh ? 🙂 *

Syspeace will help you in some of the scenarios above, particularly in the brute force prevention department. It’s easy to use and you’re instantly protected from the moment you’ve set it up)

It protects you from any brute force hacking attempts using Windows Authentication ( Terminal Server, OWA, RDWEB, Sharepoint, CRM, RDP, netlogon and so on ) and it also contains a Global Blacklist to have you preemptively protected from known attackers around the world.

It will not help you in all of the scenarios described above  but it will absolutely make you life as a sysadmin much easier since it automatically blocks the attack, tracks it down and reports it. For the sysadmin it’s just an email telling him or her that
“This IP address with this DNS name from this COUNTRY tried logging in using this USERNAME and is now blocked according to this rule you’ve set up ”

The cost is equivalent to any antivirus so I’d hardly call it costly.
It’s easy to set up so you won’t be needing to redesign your infrastructure or call on expensive consultants to get it up and running. You’re done in 5 minutes. Tops.

Download a free, fully functional trial of Syspeace for yourself and see what I mean.

 

This “blogomercial” was written by

Syspeace - brute force protection for Windows

Syspeace – bruteforce prevention for Windows servers

Juha Jurvanen, Senior IT consultant in backup. security, server operations and cloud @ JufCorp.com

Drop me an email if you’re interested in getting help in any of these matters. Or if you just want to say hi.

Various brute force prevention methods for Windows servers – pros and cons

Intro on brute force prevention tactics and some misconceptions

Protection from brute force attempts on Windows servers has always been a nightmare and would continue to be so if not .. Yes, I admit, I will come up with a solution further down.

Most system administrators with selfrespect start off with the best of intentions to actually keep track of brute force attempts but eventually give up because of the sheer number of attacks that occur daily.

Others, unfortunately, believe that a firewall takes care of the problem which it doesn’t or that an account lockout policy is the answer. Neither of them is and I’ll show you why.

The firewall approach:

Think about it. What does a firewall actually do ? The role of the firewall is to block traffic on unwanted ports and to drop portscans and variuos SYN FLOOD attacks. That’s about it. A firewall is basically a harsch doorman deciding who gets in to speak with the guys on the inside and who doesn’t.

If an attacker actually connects on a valid port , the traffic is redirected/port forwarded to the server in question let’s say the webmail interface of a Microsoft Exchange Server or a Microsoft Windows Terminal Server or a Citrix Server. Once the attacker is there, the actual logon request is handled by the server,not the firewall. The logon process is managed by the Windows Authentication process (which in turn may be validated against Active Directoy or a local user database using SAM). The firewall is already out of the picture really since it has no connection with the Windws server apart from  the TCP connection and keeping it alive really. They don’t communicate the result of the logon process between eachother.

Also, a changing of from standard ports won’t help you much, will it ? The logon process is still managed by the Windows Server although you will get rid a of a lot of portscans and “lazy background, script kiddie attempts” if you’re using non standard ports. Basically you get rid of the script kiddies but the problem isn’t solved, the traffic is still redirected/port forwarded to the server that does the actual authentication.

Using for instance a Remote Desktop Gateway won’t handle the problem either. Using a RDP Gateway minimizes the attack surface, yes, but it is still reachable and the user logons still have to be validated. The problem is with any server that services logon request basically, regardless of on what ports and how they get there. That is Microsoft Windows server, Exchange Server, Citrix, Sharepoint, CRM , Terminal server and so on . The list can probably go on and on.

There’s also the risk of stuff stops working each time you apply some updates or patches to your Windows Servers if you start changing standard ports or standard configurations. It’s happened to me a few times and it’s not that amusing to be honest when you’ve got 1000 users not being able to log in beacuse you’ve just done your job and patched the servers to keep peolpe datas safe. Trust me, that’s not a good Monday morning.

The VPN approach:

Yes. That’s a safer approach but also here we do have some issues. First of all, it’s not that easy to keep track of VPN certificates, to set all of it up and manage all the licensing costs (that can be quite significant really ) and (sometimes costly) hardware you need to have in place. Historically there has also always been performance issues with most VPN solutions since all traffic is directed through one or a few VPN servers / connectors. Some of them also charge you for the bandwidth you want it to be able to use for VPN connections or charge you for the number of simultaneous VPN connections, A VPN solution can be quite costly as an initial investment and taking into account all of the administration involved in it.

You also probably won’t be demanding your users to have a VPN connection to the Microsoft Exchange OWA etiher snce the whole idea of the OWA i that it’s supposed to easy to reach from anywhere. I know there are some companies actually requiring VPN even for OWA and that’s just fine I guess but the more we’re moving our data and applications to cloud services, this hassle with different VPNs and stuff will eventually be fading into the dark corners of the Internet (that’s my personal belief anyways). The thing is that your users don’t want to be tied down by complicated VPN clients and stuff, users nowdays are used “stuff just working” and it has to be easy and intuititive for them. The days of the “System Administrators from Hell” implementing all kinds of complex solutions to keep stuff secure and forcing users to having very specific and complex ways of accessing data are over. They were good times, good times but they’re over. Deal with it.

The IDS/IPS approach:

Using a centralized IDS/IPS This is a more efficient method, yes. The downside is, most of these systems require you to change your infrastructure and get specific, costly hardware, licenses and costly consultants to get it up and running. And someone needs to monitor it, take care of it and so on. There are parllells to the VPN approach here although an IDS/IPS does a while lot more such as examines all the network traffic, examines it for malicious code and so on. I’m not sure actually if an IDS/IPS can communicate with the Windows Server Authentication Process so I’ll actually won’t say anything about that. I would presume they can, otherwise I fail to see the point (from the brute force logon prespective, that is) and you’d still need to handle the logon attempt on the Windows server.

The Account Lockout Policy approach:

The acccount lockout method is also flawed due to the fact that an attacker can quite easily cause a DOS (Denial of Service) simply by hammering your server with invalid logon request but with valid usernames, thus rendering the accounts unusable for the valid users. Basically, all he (or she)  needs to know is the user logon name and in many system , it’s not tha hard to guess (try the companynameusername or the mail address for the user since it’s quite often also a valid logon name if you have a look at the properties of the user in Active Directory Users and Group snap-in)

The Cloud Computing approach

We are shifting  more and more of our data and applications into various Cloud Services (like it or not but, it’s a fact and you know it). This way we do get rid of some of these problems on our own servers and hopefully, your Cloud Service provider actually has a plan for these scenarios and has the necessary surveillance software and systems in place. If you’re using a Cloud Computing platform based on Windows Servers, you should actually ask your provider how they handle brute force attempts on their servers. Most likely they will give you one or more of the scenarios described above and, as I’ve showed you, they are not adequate to handle the task at hand. They’re just not up for the job. Feel free to ask your own provider and see what answer you get. My guess is .. mumbo jumbo but basically , they don’t have anything in place really, more or less.
You could even try logging into you own account with your own username but the wrong password loads of times and see what happens. Will it be locked out? Will your machine be locked out? How does your Cloud Srvice Provider respond and are you informed in any way that an intrsuion attempt has been made using your account ? How many times can anypne try to access your account without you being notifed of it? And from where are they trying to get to your data and why?
Personally I know of only one Cloud Service Provider that has also taken these questions into account and that’s Red Cloud IT in Sweden.

Is there a solution then?

Yeah. I told you so in the beginning and even if choose not to use what I suggest, I highly recommend that you start thinking about these things properly because these problem will accelerate in the future. Just take a look at all the hacktivism witj DDOS attacks,going on out there. It’s just a start because the Internet is still young.

First of all, and this is extremely important you realize, , it doesn’t matter if you hosting your own servers or if you’re using VPS (Virtual Private Servers) hosted somewhere else or even if you’re a Cloud Service Provider. The basic principal stands: if you are providing any kind of service to users using the Windows Authentication mechanism you should be reading this and hopefully my point has come across.

If you’re having brute force attacks on your Windows systems today and I’m pretty sure you do (just turn on logon auditing and I’m sure you’ll see you have more than you actually thought you did, *for some odd reason this is NOT turned on by defaut in Windows*) there’s a few things you should be doing (that I’m guessing you’re not beacuse you’re not a cyborg and you need to sleep, meet your friends and family and actually be doing something productive during your work hours). On the other hand, if you are doing all of these things I’m guessing you have quite a large IT staff with a lot of time on their hands. Good for you. Call me and I’ll apply for a position.

First of all. Block the attack.

You need the attack to stop! Instantly. This is of course your first priority That’s basically blocking it in the firewall, either in the local Windows firewall or the external one, it’s actually up to you which way is the easiest one. The reason is that you don’t want to be wasting CPU and RAM and bandwidth on these people (or botnets)  and of course, you don’t want them to actually succeed in logging on (should you have a lousy password policy in place ) or even them disguising a real intrusion attempt behind a DDOS attack to fill your logfiles and hide themselves in there. (Yes, it’s not an uncommon method). There’s also quite a few reports of DDOS attacks being used to disguise the actual reason for it which is to find out what security measures are in places for future reference. The “know your enemy principal”.

Second. Trace the attack. From where did it come?

Second , you need to find out from where the attack originated and what username was used. This is because you want to know if it is a competitor trying to hack you and access your corporate data or if you find yourself in the interesting position of your own username trying to login from sunny Brazil and you’re just not in Brazil (although you’d love to be) . You’re in Chicago looking at winter. Somethng’s up.
You also want to see if it’s a former employee trying to log on and so on .. This is stuff you need to know and keep track of since there may be legal issues involved further down the line.

Points one and two , you want to be handled in real time. There’s no use for you to find out two days after the attack that something actually happened. You want it stopped, reported and handled as it happens.

The legal stuff.

Third, you need to decide what to do with your information. Should it be handed over to the legal departement, your boss, the police or is it just “nothing” and can be discarded ?

So. “What would you suggest as a solution then” ? 

The easiest and most cost efficient way to handle brute force attacks on Windows server is to have an automated sysem to block, track and report each attack and that’s where Syspeace comes into play.

Syspeace is a locally installed Windows service, thus using a minimum of system resources,  that monitors the server for unwanted logon attempts and blocks the intruders in real time in the local firewall based on the rules you’ve set up. For instance “if this IP address has failed logging on 20 times during the last 30 minutes then block it completely for 5 hours and send me an email about it”

This means that you can for instance set up a blocking rule that is you “Account lockout policy – 1” in your rules and that way simply blocking the bruteforce attack but not locking your users accounts and causing them unecesseray disruption.

Since Syspeace monitors the Windows Authentication logon oprocess, it doesn’t matter what firewall your using or what ports you’re using, the monitoring and blocking is done where the actual login attempts is made and therefore caught and handled automatically.

Once the intruders IP address is blocked, it’s blocked on ALL ports from that server which means that if you have other services also running on it (like FTP or well.. anyhting really) those ports and services are also protected instantly from the attacker. Not giving them the chance to find other ways of gaining access to that server through exploits.

A few other features in Syspeace

A few other nice features with Syspeace is for instance the GBL (Global BlackLlist) where every Syspeace installation around the world , reports each attack to a databse where they are examined and weighed and , if deemed “meneace to Internet and all of mankind” the database is then propagated to all other Syspeace installations. In this way, you’re preemptively protected when the bad guys come knocking on your door. So far , there has been over 200 000 brute force attcks blocked by Syspeace worldwide (and that’s just since mid July 2012) and some of them have made it to the GBL. Lucky them.
Of course there are white lists and stuff, giving you the ability to have your customers or internal users keep hammering you servers all day long if they (and you) want  without being blocked out.

There’s also the Attack Cintrol section that gives you the ability to sort out information about successful and failed logons, findind the ones that are trying to stay under the radar, viewing reports.
You get daily and weekly reports email to you and each attack is also mailed to you with detailed but easy to understand information from where the attack originated including country, what username was used and how many times they actually tried to hack or overload you. This gives you the ability to quickly see of it’s something you should be taking care of or just carry on with your working day and leave it be with a smile on your face.

The GUI is easy to use (and there’s an even easier coming up in the next version) so there’s no need to hire costly consultants to be up & running or start using various scripts and change parameters in them to suite you needs and hope for the best and hope they don’t hang your servers.

Syspeace also protects the Microsoft Exchange Server Connectors from being attacked.

There is a Windows 2003 version coming out and there will be more features added as we go. The roadmap and to-do list is ..well.. extensive to put it mildly.

The licensing is not steep, I’d even dare say cheap and it’s extremely flexible.

As an example. If you buy yourself a new server today (evereybody loves new toys ) , you install Syspeace on it and then you get yourself a second server in 4 months. You can easily align the licensing renewal dates for both servers , not having to keep track of licensing renewals scattered over the entire year. If you’re up for , you could even byt yourslef just a one months license. Or a week. I’s up to you and what needs you have.

Download a free trial and see for yourself.
We know it works and so does all of the people around the world who are already running it.

Syspeace – let the silence do the talking

Syspeace logo

Syspeace – bruteforce prevention for Windows servers

 

Blog post written by Juha Jurvanen
Senior IT consultant in backup, IT securiy, server operations and cloud