Various brute force prevention methods for Windows servers pros and cons
Posted on October 16, 2012 in Syspeace on Wordpress
Intro on brute force prevention tactics and some misconceptions
Protection from brute force attempts on Windows servers has always been a nightmare and would continue to be so if not... Yes, I admit it, I will come up with a solution further down.
Most system administrators with self-respect start off with the best of intentions to actually keep track of brute force attempts, but eventually give up because of the sheer number of attacks that occur daily.
Others, unfortunately, believe that a firewall takes care of the problem (which it doesn't) or that an account lockout policy is the answer. Neither of them is, and I'll show you why.
The firewall approach:
Think about it. What does a firewall actually do? The role of the firewall is to block traffic on unwanted ports and to drop port scans and various SYN flood attacks. That's about it. A firewall is basically a harsh doorman deciding who gets in to speak with the guys on the inside and who doesn't.
If an attacker actually connects on a valid port, the traffic is redirected/port forwarded to the server in question, let's say the webmail interface of a Microsoft Exchange Server, a Microsoft Windows Terminal Server or a Citrix server. Once the attacker is there, the actual logon request is handled by the server, not the firewall. The logon process is managed by the Windows authentication process (which in turn may validate against Active Directory or a local user database, the SAM). The firewall is already out of the picture, really, since it has no connection with the Windows server apart from the TCP connection and keeping it alive. They don't communicate the result of the logon process to each other.
Also, changing from the standard ports won't help you much, will it? The logon process is still managed by the Windows server, although you will get rid of a lot of port scans and lazy background script-kiddie attempts if you're using non-standard ports. Basically you get rid of the script kiddies, but the problem isn't solved: the traffic is still redirected/port forwarded to the server that does the actual authentication.
Using, for instance, a Remote Desktop Gateway won't handle the problem either. Using an RDP Gateway minimizes the attack surface, yes, but it is still reachable and the user logons still have to be validated. The problem is with any server that services logon requests, basically, regardless of which ports they arrive on and how they get there. That is, Microsoft Windows Server, Exchange Server, Citrix, SharePoint, CRM, Terminal Server and so on. The list can probably go on and on.
There's also the risk of stuff stopping working each time you apply updates or patches to your Windows servers if you start changing standard ports or standard configurations. It's happened to me a few times, and it's not that amusing, to be honest, when you've got 1000 users not being able to log in because you've just done your job and patched the servers to keep people's data safe. Trust me, that's not a good Monday morning.
The VPN approach:
Yes. That's a safer approach, but here too we do have some issues. First of all, it's not that easy to keep track of VPN certificates, to set all of it up and to manage all the licensing costs (which can be quite significant, really) and the (sometimes costly) hardware you need to have in place. Historically there have also always been performance issues with most VPN solutions, since all traffic is directed through one or a few VPN servers/connectors. Some of them also charge you for the bandwidth you want to be able to use for VPN connections, or for the number of simultaneous VPN connections. A VPN solution can be quite costly as an initial investment, and that's before taking into account all of the administration involved in it.
You also probably won't be demanding that your users have a VPN connection to Microsoft Exchange OWA either, since the whole idea of OWA is that it's supposed to be easy to reach from anywhere. I know there are some companies actually requiring VPN even for OWA, and that's just fine I guess, but the more we move our data and applications to cloud services, the more this hassle with different VPNs and stuff will fade into the dark corners of the Internet (that's my personal belief, anyway). The thing is that your users don't want to be tied down by complicated VPN clients and stuff; users nowadays are used to stuff just working, and it has to be easy and intuitive for them. The days of the System Administrators from Hell implementing all kinds of complex solutions to keep stuff secure and forcing users into very specific and complex ways of accessing data are over. They were good times, good times, but they're over. Deal with it.
The IDS/IPS approach:
Using a centralized IDS/IPS is a more efficient method, yes. The downside is, most of these systems require you to change your infrastructure and get specific, costly hardware, licenses and costly consultants to get it up and running. And someone needs to monitor it, take care of it and so on. There are parallels to the VPN approach here, although an IDS/IPS does a whole lot more, such as examining all the network traffic for malicious code and so on. I'm not sure, actually, if an IDS/IPS can communicate with the Windows Server authentication process, so I won't say anything about that. I would presume they can, otherwise I fail to see the point (from the brute force logon perspective, that is), and you'd still need to handle the logon attempt on the Windows server.
The Account Lockout Policy approach:
The account lockout method is also flawed, due to the fact that an attacker can quite easily cause a DoS (Denial of Service) simply by hammering your server with invalid logon requests for valid usernames, thus rendering the accounts unusable for the valid users. Basically, all he (or she) needs to know is the user logon name, and in many systems it's not that hard to guess (try companyname\username or the user's mail address, since that is quite often also a valid logon name, as you can see if you have a look at the properties of the user in the Active Directory Users and Group snap-in).
The Cloud Computing approach
We are shifting more and more of our data and applications into various cloud services (like it or not, it's a fact and you know it). This way we do get rid of some of these problems on our own servers, and hopefully your cloud service provider actually has a plan for these scenarios and has the necessary surveillance software and systems in place. If you're using a cloud computing platform based on Windows servers, you should actually ask your provider how they handle brute force attempts on their servers. Most likely they will give you one or more of the scenarios described above and, as I've shown you, they are not adequate to handle the task at hand. They're just not up for the job. Feel free to ask your own provider and see what answer you get. My guess is... mumbo jumbo, but basically they don't have anything in place really, more or less.
You could even try logging into your own account with your own username but the wrong password loads of times and see what happens. Will it be locked out? Will your machine be locked out? How does your cloud service provider respond, and are you informed in any way that an intrusion attempt has been made using your account? How many times can anyone try to access your account without you being notified of it? And from where are they trying to get to your data, and why?
Personally, I know of only one cloud service provider that has also taken these questions into account, and that's Red Cloud IT in Sweden.
Is there a solution then?
Yeah. I told you so in the beginning, and even if you choose not to use what I suggest, I highly recommend that you start thinking about these things properly, because these problems will accelerate in the future. Just take a look at all the hacktivism with DDoS attacks going on out there. It's just a start, because the Internet is still young.
First of all, and it is extremely important that you realize this: it doesn't matter if you're hosting your own servers, if you're using VPS (Virtual Private Servers) hosted somewhere else, or even if you're a cloud service provider. The basic principle stands: if you are providing any kind of service to users using the Windows authentication mechanism, you should be reading this, and hopefully my point has come across.
If you're having brute force attacks on your Windows systems today, and I'm pretty sure you do (just turn on logon auditing and I'm sure you'll see you have more than you actually thought you did; *for some odd reason this is NOT turned on by default in Windows*), there are a few things you should be doing (that I'm guessing you're not, because you're not a cyborg and you need to sleep, meet your friends and family and actually be doing something productive during your work hours). On the other hand, if you are doing all of these things, I'm guessing you have quite a large IT staff with a lot of time on their hands. Good for you. Call me and I'll apply for a position.
First of all. Block the attack.
You need the attack to stop! Instantly. This is of course your first priority. That basically means blocking it in the firewall, either in the local Windows firewall or the external one; it's actually up to you which way is the easiest. The reason is that you don't want to be wasting CPU, RAM and bandwidth on these people (or botnets) and, of course, you don't want them to actually succeed in logging on (should you have a lousy password policy in place), or to disguise a real intrusion attempt behind a DDoS attack that fills your log files so they can hide in there. (Yes, it's not an uncommon method.) There are also quite a few reports of DDoS attacks being used to disguise their actual purpose, which is to find out what security measures are in place for future reference. The know-your-enemy principle.
Second. Trace the attack. From where did it come?
Second, you need to find out from where the attack originated and what username was used. This is because you want to know if it is a competitor trying to hack you and access your corporate data, or if you find yourself in the interesting position of your own username trying to log in from sunny Brazil when you're just not in Brazil (although you'd love to be). You're in Chicago looking at winter. Something's up.
You also want to see if it's a former employee trying to log on, and so on... This is stuff you need to know and keep track of, since there may be legal issues involved further down the line.
Points one and two you want handled in real time. There's no use in finding out two days after the attack that something actually happened. You want it stopped, reported and handled as it happens.
The legal stuff.
Third, you need to decide what to do with your information. Should it be handed over to the legal department, your boss or the police, or is it just nothing and can be discarded?
So. What would you suggest as a solution then?
The easiest and most cost-efficient way to handle brute force attacks on Windows servers is to have an automated system to block, track and report each attack, and that's where Syspeace comes into play.
Syspeace is a locally installed Windows service, thus using a minimum of system resources, that monitors the server for unwanted logon attempts and blocks the intruders in real time in the local firewall based on the rules you've set up. For instance: if this IP address has failed logging on 20 times during the last 30 minutes, then block it completely for 5 hours and send me an email about it.
This means that you can, for instance, set up a blocking rule with a threshold of "your account lockout policy minus 1", and that way simply block the brute force attack without locking your users' accounts and causing them unnecessary disruption.
Since Syspeace monitors the Windows authentication logon process, it doesn't matter what firewall you're using or what ports you're using: the monitoring and blocking is done where the actual login attempt is made, and it is therefore caught and handled automatically.
Once the intruder's IP address is blocked, it's blocked on ALL ports on that server, which means that if you have other services also running on it (like FTP or, well... anything really) those ports and services are also instantly protected from the attacker, not giving them the chance to find other ways of gaining access to that server through exploits.
A few other features in Syspeace
A few other nice features in Syspeace: for instance the GBL (Global Blacklist), where every Syspeace installation around the world reports each attack to a database where they are examined and weighed and, if deemed a menace to the Internet and all of mankind, the database is then propagated to all other Syspeace installations. In this way, you're preemptively protected when the bad guys come knocking on your door. So far, there have been over 200 000 brute force attacks blocked by Syspeace worldwide (and that's just since mid July 2012), and some of them have made it to the GBL. Lucky them.
Of course there are whitelists and stuff, giving you the ability to let your customers or internal users keep hammering your servers all day long if they (and you) want, without being blocked out.
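To make the three points above concrete (the account lockout DoS from the "Account Lockout Policy" section, the "20 failures in 30 minutes, block for 5 hours" rule, the "lockout policy minus 1" threshold, and the whitelist), here is an added Python example. It is not Syspeace's code and not from the original post: it replays a constructed set of failed-logon events through a per-source-IP sliding-window blocking rule and, side by side, through a source-blind per-account lockout counter. The 20/30 min/5 h figures come from the post; the account lockout threshold of 25, the IP addresses, the usernames and the timestamps are constructed assumptions.

```python
"""Added example, not Syspeace's code: a per-source-IP sliding-window blocking
rule (20 failures / 30 min -> block 5 h, figures from the post) replayed over
constructed failed-logon events, next to a source-agnostic per-account lockout
counter. It shows why a per-IP threshold set below the account lockout
threshold blocks the attacker without locking out the legitimate user, and how
a whitelist exempts an internal address from blocking."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20                  # rule from the post
WINDOW = timedelta(minutes=30)       # rule from the post
BLOCK_DURATION = timedelta(hours=5)  # rule from the post
ACCOUNT_LOCKOUT_THRESHOLD = 25       # hypothetical domain lockout threshold (assumption)
WHITELIST = {"10.0.0.5"}             # constructed: internal host that must never be blocked


class FailedLogonMonitor:
    """Counts failed logons per source IP inside a sliding window and records
    firewall-style blocks; a stand-in for the service described in the post."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW,
                 block_for=BLOCK_DURATION, whitelist=frozenset()):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.whitelist = set(whitelist)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.usernames = defaultdict(set)    # ip -> usernames tried (for the report)
        self.blocked_until = {}              # ip -> datetime the block expires
        self.reports = []                    # what the "send me an email" step would carry

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block has expired; lift it
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, username, when):
        """Feed one failed logon. Returns True if it triggered a new block."""
        if ip in self.whitelist or self.is_blocked(ip, when):
            return False
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:   # drop events outside the window
            recent.popleft()
        self.usernames[ip].add(username)
        if len(recent) < self.threshold:
            return False
        self.blocked_until[ip] = when + self.block_for
        self.reports.append({"ip": ip, "usernames": sorted(self.usernames[ip]),
                             "failures": len(recent), "blocked_until": self.blocked_until[ip]})
        recent.clear()
        return True


BASE = datetime(2012, 10, 16, 9, 0)   # constructed timestamp


def constructed_events():
    """Constructed sample: (source_ip, username, time) tuples, the fields you
    would pull out of failed-logon audit events."""
    events = [("203.0.113.7", "alice", BASE + timedelta(minutes=i)) for i in range(30)]
    events += [("10.0.0.5", "bob", BASE + timedelta(minutes=i, seconds=30)) for i in range(22)]
    events.append(("198.51.100.9", "alice", BASE + timedelta(minutes=31)))   # alice's own typo
    return sorted(events, key=lambda e: e[2])


def run(events, use_per_ip_blocking):
    """Replay events through a per-account lockout counter, optionally fronted
    by the per-IP rule. Returns what got locked, what got blocked, and how many
    attempts reached Windows authentication at all."""
    monitor = FailedLogonMonitor(whitelist=WHITELIST)
    bad_per_account = defaultdict(int)
    locked = set()
    reached_auth = 0
    for ip, user, when in events:
        if use_per_ip_blocking and monitor.is_blocked(ip, when):
            continue                          # dropped at the firewall, never authenticated
        reached_auth += 1
        bad_per_account[user] += 1            # the lockout counter is blind to the source
        if bad_per_account[user] >= ACCOUNT_LOCKOUT_THRESHOLD:
            locked.add(user)
        if use_per_ip_blocking:
            monitor.record_failure(ip, user, when)
    return {"locked_accounts": sorted(locked),
            "blocked_ips": sorted(monitor.blocked_until),
            "reached_authentication": reached_auth,
            "reports": monitor.reports}


if __name__ == "__main__":
    for mode in (False, True):
        result = run(constructed_events(), use_per_ip_blocking=mode)
        print("per-IP blocking" if mode else "lockout policy only", result)
```

With lockout policy alone, the attacker's 30 bad passwords lock alice out and all 53 attempts hit the authentication process; with the per-IP rule in front, 203.0.113.7 is blocked on its 20th failure, only 43 attempts reach authentication, alice's account never hits the lockout threshold, and the whitelisted 10.0.0.5 is never blocked no matter how many times it fails.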
There's also the Attack Control section, which gives you the ability to sort out information about successful and failed logons, find the ones that are trying to stay under the radar, and view reports.
You get daily and weekly reports emailed to you, and each attack is also mailed to you with detailed but easy-to-understand information about where the attack originated, including country, what username was used and how many times they actually tried to hack or overload you. This gives you the ability to quickly see if it's something you should be taking care of, or whether you can just carry on with your working day and leave it be with a smile on your face.
The GUI is easy to use (and there's an even easier one coming up in the next version), so there's no need to hire costly consultants to be up and running, or to start using various scripts, change parameters in them to suit your needs, hope for the best and hope they don't hang your servers.
Syspeace also protects the Microsoft Exchange Server connectors from being attacked.
There is a Windows 2003 version coming out and there will be more features added as we go. The roadmap and to-do list is... well... extensive, to put it mildly.
The licensing is not steep, I'd even dare say cheap, and it's extremely flexible.
As an example: if you buy yourself a new server today (everybody loves new toys), you install Syspeace on it and then you get yourself a second server in 4 months. You can easily align the licensing renewal dates for both servers, so you don't have to keep track of licensing renewals scattered over the entire year. If you're up for it, you could even buy yourself just a one-month license. Or a week. It's up to you and what needs you have.
Download a free trial and see for yourself.
Syspeace bruteforce prevention for Windows servers
If you're up for it, I've also written a few other posts on securing server operations on Jufflan on Wordpress.