How to stop unauthorized attempts to Windows 2008 Server R2

June 5, 2012 at 07:07:07
Specs: Windows Server 2008 R2, quad-core Intel / 2 GB
These attempts are numerous and periodic. Sometimes there are up to 30 attempts in only 1 minute, and it happens almost 24 hours nonstop.

--start quote--
An account failed to log on.
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain: WORKGROUP
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: --random name--
Source Network Address: --random ip --
Source Port: 13960
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
--end quote--

June 5, 2012 at 10:00:24
Source Network Address: --random ip --

How random are the IPs? Do you see any repeats? Have you done a whois on any of them & contacted the administrator? Is your server in the DMZ with a public IP or is it behind a router?

I would have the server behind a router with an internal IP address & just forward the ports that are necessary to allow remote access if needed. If it's a web server, you might want to host it separately from your network.

How do you know when a politician is lying? His mouth is moving.

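
Added example, not part of the original thread: one way to check for repeating sources is to tally the failed-logon events by Source Network Address. It assumes the events are in the local Security log under event ID 4625 ("An account failed to log on"); the 24-hour window and the threshold of 30 are assumed values.

```powershell
# Added example: run from an elevated PowerShell prompt on the server.
# Event ID 4625 is "An account failed to log on", the event quoted in the question.
$since     = (Get-Date).AddHours(-24)   # assumed look-back window
$threshold = 30                         # assumed minimum failures before a source is listed
$filter    = @{ LogName = 'Security'; Id = 4625; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Collect the named EventData fields from the event XML.
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Source    = $f['IpAddress']    # "Source Network Address" in the event text
            LogonType = $f['LogonType']    # 3 = network logon
            SubStatus = $f['SubStatus']    # 0xc0000064 = user name does not exist
        }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $byTime = @($_.Group | Sort-Object Time)
        # Busiest single minute for this source.
        $peak = ($_.Group | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
                 Measure-Object -Property Count -Maximum).Maximum
        New-Object PSObject -Property @{
            Source      = $_.Name
            Failures    = $_.Count
            PeakPerMin  = $peak
            FirstSeen   = $byTime[0].Time
            LastSeen    = $byTime[-1].Time
            LogonTypes  = ($_.Group | ForEach-Object { $_.LogonType } | Sort-Object -Unique) -join ','
            SubStatuses = ($_.Group | ForEach-Object { $_.SubStatus } | Sort-Object -Unique) -join ','
        }
    } |
    Select-Object Source, Failures, PeakPerMin, FirstSeen, LastSeen, LogonTypes, SubStatuses |
    Format-Table -AutoSize
```

Sources that show up here repeatedly are the ones worth a whois lookup or a block rule at the router or firewall.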

June 5, 2012 at 12:27:15
Guess you could run Wireshark for some more clues.

Hang up and live.


June 5, 2012 at 18:53:50
@guapo: Thank you for your help.
Could I send you the IPs via email or some other way (my email is: mpsland(at)live(dot)com)? They are quite random and without a clear pattern, but yes, there are repeats.
I used whois; I only got information about location (from a foreign country) and no clear info about contact and referral URL, so I did not contact them.

My server is a web server, has a public IP, and is directly connected to the ISP without a router.

I am now learning how to do what you suggested. Thanks again for your help.

June 5, 2012 at 19:02:27
Thank you for your help.
I am downloading Wireshark now. What should I capture? Anything specific? Thank you very much.


June 15, 2012 at 08:52:58
NTLM handshakes for starters.


