SBS 2003 Security

Associate | Joined 16 Dec 2003 | Posts 1,586 | Location: Halifax, UK
Over the past few weeks we've had two unwanted connections to our SBS 2003 box, in that, without us knowing, someone is connecting through Remote Desktop, successfully logging in and then doing some of the following:

- Create new Admin accounts
- Remove Software
- Install Software

We are only noticing this when we see software has altered or new users have appeared in Active Directory Users & Computers.

We've changed all domain admin account passwords and thoroughly scanned the server for malware/viruses when this first happened, but it's happened again over the past few days.

My next step was going to be to disable the built-in administrator account.

Any more thoughts on what this could be or how to stop it?

Thanks!
 
Do you know how these connections are being made? E.g. do you expose RDP directly to the Internet? Or are they from the private LAN? Is there any remote control software that could have been compromised?

Is the server fully patched?
 
Server fully patched, we have RD port 3389 forwarded to the server through the router.

We really need a remote RD connection for support, I'll change the RD port in the registry to something other than 3389.
 
It does, yes, but RD will be listening on 3389, so as soon as this user tries to connect they will be able to. If I change the RD port, they have no way of knowing what the port has been changed to?
 
I wouldn't be exposing RDP direct to the Internet at all these days, no matter what the port. Can you not make use of a VPN? Or even a tool like TeamViewer?

There is an active underground trade in RDP credentials (see here)
 
You could forward only 443 + 4125 to SBS as was intended - this will allow access to RWW from where you can connect into client or server machines (depending on your rights) without having to forward 3389. But as suggested previously, strong passwords are still a necessity.

Alternatively (and this is what I do with the couple of SBS 2003 clients I have left) install a router capable of acting as a VPN endpoint - establish a VPN then run RDP over the VPN to whichever machine you need.

Edit: Or, if you must have 3389 open and if you are managing SBS from the same static WAN IP address(es) all the time, lock down 3389 to only accept connections from those IP addresses either in the router port forwarding section - depends on your router whether this is possible - or in your edge firewall.
 
Also, if your router has the option, lock down that port to only a group of IP addresses. It may not be possible if you need to connect from multiple locations with dynamic addresses.
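The original poster only found out about the intrusions after software changed or new accounts appeared, and the later replies suggest restricting 3389 to a known set of source addresses. The script below is an added example, not code from this thread or from any of the posters: it reads a constructed, pipe-delimited export of Windows Server 2003 security events (the sample lines, the DOMAIN accounts and the allowlisted ranges are all made up for the example) and flags two things: Terminal Services logons (event 528, logon type 10) from addresses outside the allowlist, and account-creation or admin-group-membership events (624, 632, 636) that follow an RDP logon by the same account within a short window. The event numbers are the Server 2003 ones; the export format is an assumption for the example, not what the server writes natively.

```python
"""Flag RDP logons from unexpected addresses and privileged account changes
that follow them, over a Windows Server 2003-style security log export.
Added example with constructed sample data; not from the thread above."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (not from a real server). Fields:
# timestamp | event id | logon type | account | source address | description
# Server 2003 event ids: 528 = successful logon (logon type 10 = RemoteInteractive,
# i.e. Terminal Services / RDP), 624 = user account created,
# 632 = member added to a global group, 636 = member added to a local group.
SAMPLE_LOG = """\
2009-03-02 09:12:04|528|10|DOMAIN\\jsmith|203.0.113.7|Successful Logon
2009-03-02 09:40:11|528|10|DOMAIN\\Administrator|198.51.100.23|Successful Logon
2009-03-02 09:41:02|624|-|DOMAIN\\Administrator|-|User Account Created: svc_backup2
2009-03-02 09:41:30|632|-|DOMAIN\\Administrator|-|Member Added to Global Group Domain Admins: svc_backup2
2009-03-02 10:02:45|528|3|DOMAIN\\jsmith|192.168.1.55|Successful Logon
2009-03-03 02:15:09|528|10|DOMAIN\\Administrator|198.51.100.23|Successful Logon
"""

# Assumed allowlist: the support company's static range plus the internal LAN.
ALLOWED_RDP_SOURCES = [ip_network("203.0.113.0/24"), ip_network("192.168.1.0/24")]
REMOTE_INTERACTIVE = 10                  # Terminal Services logon type
ADMIN_CHANGE_EVENTS = {624, 632, 636}    # account created / group member added
FOLLOW_UP_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    logon_type: int | None
    account: str
    source: str | None
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited export into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src, detail = line.split("|", 5)
        events.append(Event(
            when=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            event_id=int(eid),
            logon_type=None if ltype == "-" else int(ltype),
            account=account,
            source=None if src == "-" else src,
            detail=detail,
        ))
    return sorted(events, key=lambda e: e.when)


def is_allowed_source(addr: str | None) -> bool:
    """True only when the address parses and sits inside an allowlisted range."""
    try:
        ip = ip_address(addr or "")
    except ValueError:
        return False  # missing or malformed address: do not trust it
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def remote_logons_from_unknown_sources(events: list[Event]) -> list[Event]:
    """RDP (type 10) logons whose source address is outside the allowlist."""
    return [e for e in events
            if e.event_id == 528 and e.logon_type == REMOTE_INTERACTIVE
            and not is_allowed_source(e.source)]


def admin_changes_after_remote_logon(events: list[Event]) -> list[tuple[Event, Event]]:
    """Pair each account-creation / admin-group change with the nearest
    preceding RDP logon by the same account inside FOLLOW_UP_WINDOW."""
    pairs = []
    for change in events:
        if change.event_id not in ADMIN_CHANGE_EVENTS:
            continue
        for logon in reversed(events):  # walk backwards: nearest logon first
            if (logon.event_id == 528 and logon.logon_type == REMOTE_INTERACTIVE
                    and logon.account == change.account
                    and timedelta(0) <= change.when - logon.when <= FOLLOW_UP_WINDOW):
                pairs.append((logon, change))
                break
    return pairs


def report(text: str) -> list[str]:
    """Human-readable findings for the export; one line per finding."""
    events = parse_events(text)
    lines = [f"{e.when} RDP logon by {e.account} from {e.source} (not in allowlist)"
             for e in remote_logons_from_unknown_sources(events)]
    for logon, change in admin_changes_after_remote_logon(events):
        gap = int((change.when - logon.when).total_seconds())
        lines.append(f"{change.when} {change.detail} by {change.account}, "
                     f"{gap} s after RDP logon from {logon.source}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample it reports the two logons from 198.51.100.23 (one of them at 02:15 in the morning) and the account creation and Domain Admins membership change made a minute into the first of those sessions; the internal network logon by jsmith from 192.168.1.55 is not type 10 and is ignored. Reviewing the security log this way, or better, exporting it to another machine regularly, is what turns "we noticed a new user appeared" into a same-day alert, and the allowlist check is the host-side counterpart of the router-level source restriction suggested above.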
 