Syspeace , intrusion prevention for Windows servers, has blocked,tracked and reported over 3.1 Million bruteforce and dictionary attacks targeted worldwide at Windows Servers running Remote Desktop , Exchange, Citrix, Sharepoint, SQL Server and other services.
Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003
We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.
Apparently root certificates are not automatically updated on Windows Server 2003:
> The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.
> If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.
This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki
Syspeace for intrusion prevention for the entire server instead of specific applications or services such as FileZilla Server
If you’re managing a server and host various applications and services all of them are reachable for your users and and customers but most likely, and quite often, they’re also reachable for others to try to log in.
To be costeffective, you could be using using a Terminal Server (or Remote desktop Server) and you’ve also got for instance a FileZilla FTP Server to ease file transfers (or the Microsoft IIS FTP server, my hunch is that these two are the most common ones if you’re running a Windows Server environment) and there’s a web interface for the remote applications and so on . There might also be other services on the same server/servers.
Built in intrusion prevention in applications or Windows Server
Some software actually have brute force prevention built into them, such as the FileZilla FTP Server (although, keep in mind that is it not enabled by default) and there could be other software installed that have intrusion prevention built into them. Not within Windows Server though and there are quite a few articles on this blog explaining how it works such as this one about securing your Exchange OWA
An atacker will first portscan your server, search for open ports and try to figure out what services and applications you’re running on them. Even if you’ve changed the default ports, quite often the application will actually reveal itself in the header what it is and what version it is.
You can for instance simply do a telnet session to the port in question and see what your applications actually reveal about themselves.
Simply start a telnet client and connect to the port you’re interested in such as port 25 for SMTP (email) or port 21 for FTP and you’d probably get at least some information on what is running on the server. To gather more detailed and complex information, you probably be using software like nmap.
After that, tbey’ll simply use automated scripts to try and login. If there is a block in some way on for instance FileZilla FTP Server they’ll simply move on to the next port/service , like the RDWeb interface for Remote Desktop and RemoteAPP services and continue the attack since they’d only been blocked on the FTP level so far (usually port 21) Here’s a >previous article describing parts of the anatomy in a hacking attack written by Juha Jurvanen.
If you’re hosting a multiple software and srevices on a server and each of them have brute force prevention builtin , they’ll only block the attack within their own part of the system.
FileZilla will block the brute force on FTP but nothing else.
Using Syspeace as your HIPS , Host intrusion Prevention System for Windows Servers
A key difference using Syspeace as a HIPS (Host Intrusion Prevention System) is that it will block the attacker entirely on all ports if they trigger any of the detectors, rendering the attacker unable to communicate at all with your server on any port (even ping), thus automatically protecting any other service you have running on it.
To illustrate this with something in the ”real” world.
If you’ve got a house with multiple doors, the attacker would first try their keycard/key in one of the doors to try to gain access into the house until an alarm is triggered and they would have to move on, but only for that specific door.
After that they’d keep using the keycard/key on the next door and so on.
With Syspeace, they’d only be able to use the keycard on the first door until the alarm is triggered and after that they would be automatically blocked from even trying to use the keycard on any of the other doors since the doors would have ”magically” disappeared for them and would be out of reach for them. It would be as if the actual building itself would have disappeared for them.
Download a fully functional, free Syspeace trial for intrusion prevention or even if you’re under attack of a brute force or dictionary attack
Have a look at the Syspeace website and try the fully functional trial for it and see how it can help you to easily and quickly brute force protect your server. We’ve had users downnloading Syspeace and implementing it in minutes during a dictionary attack to have Syspeace automatically deal with it and to block, trace and report the attack. Since the trial is fully functional and free and it only takes a few minutes to set it up, it can be an easy solution to handle an ongoing attack.
Sysoeace supports Windows Server 2003 and on (including the Windows Server Small Business versions), SQL Server, Remote Desktop, Exchange Server, Sharepoint, Exchange OWA, RDWeb , Citrix and more. Out of the box. It actually also support Windows 7 and Windows 8 but please refer to his article on when Syspeace is actually useful for you and when it’s not.
Syspeace has blocked more than 3 126 500 brute force and dictionary attackas targetaed agains Windows Servers worldwide.
The Syspeace team has also developed a FileZilla FTP Detector that is in beta and also an Microsoft IIS FTP detector.
We’ve also released a detector for selfhosted WordPress and we’ve released the Syspeace API for .PHP and .NET to enable our users to develop their own intrusion prevention for applications instead of being forced to develop protection into applications themselves from scratch.
The Syspeace API can also be used to protect spcific websites if you’re hostng multiple websites.
What is a brute force attack or dictionary attack really and how would Syspeace help?
Essentially it is someone who is trying to guess the right combination of username and password to gain access into your serveers for example a Microsoft Exchange Serve and the OWA (Outlook Web Access), Terminal Server/RDS (Remote Desktop Server), Sharepoint, SQL Server, Citrix and so on.
The attacker uses automated software to try to guess the right combination to be able to login and steal data or to elevate their rights. One attack can render in thousands of login attempts, it can go on for hours or days and it is a heavy load for the server to handle that in regards of CPU, RAM, network traffic and so on.
Each login request has to validated and checked if it is legitimate or not.
A comparison of a brute force attack and the real world be be this (this is an excerpt from the Syspeace website)
”Imagine that your company has a physical facility. If someone repeatedly tries to gain access with a fake key or invalid key card, you would expect that your security guards would notice and not let the intruder through”
Aren’t there builtin protection into Windows Server against these attacks ?
In short. No.
The only built in mechanisms in Windows Servers are basically the ability to enforce strong passwords and to enable account lockout.
To enable strong passwords is a good thing, even if you’re running an intrusion prevention software for Windows like Syspeace.
If you have easy-to-guess passwords, it won’t really matter what protection you’re sunning since if a login is valid, no software would block it anyway. A valid username and password is always a valid login. So, please ensure you require users to use strong and complex passwords and allow for Syspeace to capture the attack.
The second method , ie. account lockout, might actaully do you more harm than good and here’s why.
If the system you’re protecting is for instance an Exchange Server or an RDS Server and it is probably facing he Intenet to provide service for your users or customers. To figure out a username doesn’t have to be that complicated fo an attacker. They’ll first try to understand the email policy naming convention, scavenge the Internet for metadata and the simply start trying to login using the email address as the username (since this is quite often a valid login name) and try guess to guess the password.
If you’ve enabled the Account Lockout Policy the affected users accounts will be constantly locked since the attacker will automate the attack and try thousands of time for each user they know are in the system.
If you’ve been hit with an attack and it is just from a single IP address, you’d probably just block it in the Windows Firewall (or the external firewall) and unlock the affected users accounts and that’s it. Hopefully you’d also report it.
Now, what if the attack is actually done from hundreds or thousands of computers at the same time ? Blocking them manually isn’t really an option is it ?
One simple and quick solution is to download the fully functional trial of Syspeace , install it and have Syspeace block, track and report the attack.
How can Syspeace help as an Intrusion Prevention for Windows Servers and do I set it up?
The idea behind Syspeace is the ease of use and independence from other software and appliances and also not to enforce a change in your network or infrastructure.
Some systems require you to change your entire infrastructure and put for instance a high performing proxy appliance or server in front of the network. Other systems are bundled with antivruses and other systems, requiring you use consultants and experts to get the systems running.
Syspeace is simply installed on the servers you want to protect. The installation process takes about 4-5 minutes maximum and that’s it. You’re done. The server is protected against brute force attacks. Out of the box.
Th Syspeace GUI is easy to understand and easy to manage. You don’t have to be a security expert to manage Syspeace.
If you want to move a Syspeace license from one server to antoher , that’s also easily done thanks to the floating licensing model within Syspeace. The length of the license can also vary so you’re not forced into buying a 1 year license if you don’t want to . You can a license fo 1 month. or 3 months, Whatever suits your needs.
The pricing of Syspeace is more or less equivavlent to an antivirus and it is a per-server based licensing so it’s not based up on the number of users you’re servicing. 1 license, 1 server. That’s it.
These are some of the features included in Syspeace
Secure login attempts on Windows server
The Windows server is secured by watching the result of the Logon process. If multiple logon attempts fails, actions can be taken. This works on Windows Server 2003 and on and is also automatically protection for Remote Desktop Services, Sharepoint, Exchange OWA, Citrix and basically anthing that renders an eventid of 4635 or eventid 529 (we do monitor more events also)
Secure login to Exchange Serevr SMTP connectors
The Exchange server is usually exposed by the OWA web site that is a part of Exchange. Syspeace not only protects the OWA but also logon attempts made by connectors.
Secure login to SQL Server
Many SQL-server installations expose a logon-possibility either by AD-integration or by logon by using SQL Authentication. Syspeace protects both methods
Multiple customizable rules
Syspeace can be tailored to fit your specific needs by customizing the rule-base. The rules are executed in real-time on all successful and unsuccessful logon attempts and appropriate measures are taken.
Send mail when a block is done
Whenever a block (rule) is entered in the firewall, you have the option to be notified by mail.
Send daily mail with aggregated intrusion information both as plain text and attached CSV file
Each day, there is a summary created that you can have mailed to you or the people that you see will benefit from it.
Send weekly mail with aggregated intrusion information both as plain text and attached CSV file
If the daily summary is too granular, a weekly summary is also available in the same way.
Uses local whitelist
Some computers should never be blocked in your environment. These computers can be listed in a local Whitelist so that Syspeace will never block these IP addresses.
Uses local blacklist
The local blacklist is a opportunity to force a block to a specific set of computers that you never want to connect to your server.
Uses global blacklist
Syspeace comes with a Global Blacklist. This list is maintained by Syspeace central servers and distributed once a day to your Syspeace installation. The Global Blacklist contains computers that have tried to break the security on many other sites that run Syspeace.
Searchable log of login/intrusion attempts
Syspeace have the ability to in a very easy way present information about who is attacking you and when it happened. The data is searchable, aggregated and presented in a matter of a few simple clicks.
View information on why a block was made
A block may be initiated from many different sources. Together with the block is also information stored about the origin. It is always possible to back track a block.
Access report to quickly find related information in the attempt log
The Access report takes the reporting to a new level. Here, it is possible to further aggregate and investigate what happens to your server.
Updates are free and new features are included. We’ve also released the ability write your own Syspeace Detectors thurough the Syspeace API to protect for instance a webapplication or write a special detector for your Windows applications.
Who should use Syspeace then ?
Syspeace isn’t targeted at any special types of environments or companies, we believe that Syspeace is a natural part to use for any server administrator, regardless of if you’re a Cloud Service provider or managing you own servers or if you’re an outsourcing company, hosting company or even if the servers are physical or virtual.
Syspeace can help in any scenario so the short answer is, any system admininstrator managing a Windows Server from Windows Server 2003 and on really.
It is not a ”silver bullet” for security but a piece of the security puzzle we believ you’ll need to ensure the protection of your users or customers and it solves a problem easily that no one hasn’t really been able to handle earlier.
If yuu’re up for reading more about intrusion prevention for Windows Servers, please have a look at the earlier articles written here on this blog or have simply go to the Syspeace website for more information and download a trial.
We’re happy to announce that the new version of Syspeace , intrusion prevention for #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix and more, has been released today. For version info, please refer to Syspeace 2.5.2 release notes.