SBS 2003 RDP lockout policy

MobileTechie

I'm working on a server which might have been compromised (very large network bandwidth and some suspicious processes running). It also has some other problems I won't go into.

Anyway - I'm struggling to set the account lockout policy for RDP use. I want to lock out any account, including the domain admin, after 5 attempts. I've tried setting this in the specific Account Lockout GPO that already exists in SBS 2003's policy list, but this doesn't change it - when I try more than 5 failed logins using the admin account in RDP, I can still log in OK using the correct password.

What am I likely to be missing here?
 
gpresult lists the policy OK.

gpresult /r doesn't appear to exist - did you mean to write a different letter?
 
gpresult /r doesn't appear to exist - did you mean to write a different letter?

Forgot you're doing it from a server....the /r is for clients. I've been tired the past several days and basic stuff is clearly slipping past me.
Open up the GPO....delegation, advanced...highlight domain admins...notice the columns 'n checkboxes....notice the "apply group policy" row. Compare that to the domain users group.
Make sure you have a back door domain admin account if you do this.
 
Hmm this is getting more urgent now because they are fully under attack. I removed the software the hackers had installed and changed user names etc. Now an address is hammering the admin account with login attempts and another is trying to login using variations of the names of the staff.

I could really do with the lockout working!

So any help much appreciated. I wonder if I'm missing something obvious because I tried to set it on another SBS 2003 server I have access to and that also doesn't work.
 
In trying another approach to buy some time....does the router at the edge have a decent enough firewall feature set to allow you to block traffic from certain IPs? If so, just put a deny-all block in the ACL to the IP(s) that the grinding attacks are coming from.
 
In trying another approach to buy some time....does the router at the edge have a decent enough firewall feature set to allow you to block traffic from certain IPs? If so, just put a deny-all block in the ACL to the IP(s) that the grinding attacks are coming from.

Yeah, I've done that, so the attacks are stopped for the time being.
 
Yes there are workarounds but I really ought to be able to change the lockout policy because it's also set up for RWW.
 
Just have 443 and 4125 open, for RWW. Don't need 3389 or other alternate ports for RDP because RWW handles the redirects for RDP across 443. And it goes without saying never have port 80 open.
 
I didn't know that about 443 - thanks.

They're still knocking on the door! I keep blocking their IP and reporting them to the address owners but they pop up in a different country a day later.

They're trying common user names like "manager" and "sales" right now. They've started to produce logon type 3 events, which correlate to RWW.

I think the existence of a RWW logon screen with no lockout is too much to resist.

I'm having all the user names changed to non-standard formats to thwart social engineering attempts.

Any idea what I could be doing wrong with the lockout policy? If I posted a gpresult / RSOP log, would that help?
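While the lockout policy is not doing its job, the failed-logon events the poster mentions are still the best signal available. The following is an added example, not code from anyone in this thread, showing the detection logic a defender would run over exported Security-log records: count failures per source address inside a sliding window (using the thread's threshold of 5), list the user names each source is guessing, and flag the pattern a working lockout should make impossible, a successful logon following five or more failures for the same account from the same source. The event records are constructed sample data in an assumed pipe-separated export format; event IDs 529 (logon failure) and 528 (successful logon) and logon types 3 (network, which RWW produces) and 10 (RemoteInteractive, i.e. RDP) are the real Windows Server 2003 codes.

```python
"""Flag brute-force logon activity in exported Windows Security events.

Added example: parses constructed sample records (not real log data) in an
assumed "timestamp|event id|target user|logon type|source address" format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold the thread is trying to enforce with the lockout policy.
THRESHOLD = 5
WINDOW = timedelta(minutes=30)

# Logon type codes as Windows Server 2003 records them.
LOGON_TYPES = {
    "3": "Network (e.g. RWW)",
    "10": "RemoteInteractive (RDP)",
}

# Constructed sample events: one source spraying common names over RWW,
# one hammering Administrator over RDP and eventually getting in, and one
# ordinary user mistyping a password once.
SAMPLE_EVENTS = """\
2010-03-01 02:10:05|529|manager|3|203.0.113.10
2010-03-01 02:10:07|529|sales|3|203.0.113.10
2010-03-01 02:10:09|529|manager|3|203.0.113.10
2010-03-01 02:10:11|529|sales|3|203.0.113.10
2010-03-01 02:10:13|529|manager|3|203.0.113.10
2010-03-01 02:10:15|529|accounts|3|203.0.113.10
2010-03-01 02:20:00|529|Administrator|10|198.51.100.7
2010-03-01 02:20:02|529|Administrator|10|198.51.100.7
2010-03-01 02:20:04|529|Administrator|10|198.51.100.7
2010-03-01 02:20:06|529|Administrator|10|198.51.100.7
2010-03-01 02:20:08|529|Administrator|10|198.51.100.7
2010-03-01 02:20:10|529|Administrator|10|198.51.100.7
2010-03-01 02:20:12|528|Administrator|10|198.51.100.7
2010-03-01 09:00:00|529|jsmith|10|192.0.2.25
2010-03-01 09:00:30|528|jsmith|10|192.0.2.25
"""


def parse_events(text):
    """Turn the exported text into a list of dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, logon_type, source = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "user": user,
            "logon_type": logon_type,
            "source": source,
        })
    return events


def failures_by_source(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source: (total_failures, sorted_distinct_users)} for every
    source that produced `threshold` or more 529 events inside one sliding
    window of length `window`."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "529":
            per_source[ev["source"]].append(ev)
    flagged = {}
    for source, evs in per_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e["user"] for e in evs})
                flagged[source] = (len(evs), users)
                break
    return flagged


def success_after_failures(events, threshold=THRESHOLD, window=WINDOW):
    """Return (source, user, failures) for each 528 that follows `threshold`
    or more 529s for the same user from the same source within `window`.
    A working lockout would have blocked the account before the success,
    so a hit means the account was not locked out."""
    hits = []
    evs = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(evs):
        if ev["event_id"] != "528":
            continue
        recent = [
            e for e in evs[:i]
            if e["event_id"] == "529"
            and e["source"] == ev["source"]
            and e["user"] == ev["user"]
            and ev["time"] - e["time"] <= window
        ]
        if len(recent) >= threshold:
            hits.append((ev["source"], ev["user"], len(recent)))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for src, (count, users) in failures_by_source(evts).items():
        print(f"{src}: {count} failures, guessing {', '.join(users)}")
    for src, user, n in success_after_failures(evts):
        print(f"{src}: {user} logged in after {n} failures (not locked out)")
```

Run against a real export, the second function is the one to watch for the built-in Administrator account, since a success after a burst of failures from the same address is exactly what an unlockable account lets through; the first gives the addresses to feed into the edge router's deny list that the thread already suggests.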
 
According to an MVP I asked - you cannot have a lockout for the admin account on SBS 2003, only the other accounts. That would explain it. Changing the name of it is the best you can do apparently.
 
That was kind of my suspicion, but I wasn't sure. I hadn't tried undoing the exception on the admin account deep in the group policy advanced section. Guess it's overridden deeper. I don't really worry about having Administrator exposed because I have good long passwords for my clients on those setups where I do have 3389 open/forwarded to the server....although to be honest, I don't have many servers exposed with 3389, especially if there's SBS, since I'd have RWW instead and 3389 shut.
 
Do you have a firewall at the border? Something to think about: require authentication to the border router, using a VPN gateway, before they see the login screen. I had a similar problem before and blocked all IPs with the exception of a few static IPs on the border router. Good luck.
 