# Windows 2003 Standard Edition: RDP Attacks



## ditoh1 (Jun 8, 2010)

I have been getting attacked for the past 24 hours from a location that I cannot find.
Very strange. Source Network Address and Source Port are not showing anything under Security/Event Viewer.

Any ideas, anyone?


----------



## decz (Apr 20, 2009)

Change your default RDP port to something other than 3389. Use strong password policies (complexity requirement, lockout duration, must change pwds after x days, etc.), and make sure only people who actually need RDP access are allowed.


----------



## ditoh1 (Jun 8, 2010)

It is changed to a different port, and the complexity is strong as it is at the moment. My question is, how can I see the source when it doesn't show up in the log files, not how to make it safer.


----------



## decz (Apr 20, 2009)

Does your firewall have a log for the traffic accessing your RDP port forward? If Windows event logs aren't showing you and you know it's configured correctly, check the firewall. Moreover, can you paste the event audit here? Thanks.


----------



## Nags (Aug 23, 2007)

Yes, decz's comment is absolutely right. You have to check the firewall; there you will be able to find the source.

Thanks


----------



## ditoh1 (Jun 8, 2010)

I can understand that. Thank you decz for the ideas, I just re-read my post and I didn't realize I sounded like such a condescending a***ole.

Unfortunately the server does not have an external firewall or router. It is connected directly to our T1 line. (Not my decision, but what can you do about it)

Here is a copy of the event log:

Logon Failure:
Reason: Unknown user name or bad password
User Name:	www
Domain: [UNDISCLOSED]
Logon Type:	8
Logon Process:	IIS 
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:	[UNDISCLOSED]
Caller User Name:	[UNDISCLOSED]
Caller Domain:	WEB
Caller Logon ID:	(0x0,0x3E7)
Caller Process ID:	1616
Transited Services:	-
Source Network Address:	-
Source Port:


----------



## avisitor (Jul 13, 2008)

Well, in that snippet you provided, there isn't anything to do with RDP. A logon type 8 is a cleartext logon to a website protected by Basic HTTP authentication. Someone is probably trying to access a protected area of your website.


----------



## ditoh1 (Jun 8, 2010)

Interesting... that is something that I did not know. Well, is there a way to possibly track it down through IIS Log Files? The log files that I provided came directly from the Security Log Files.


----------
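Added example, not part of any post in this thread: one way to find the client address behind logon type 8 failures is to count 401.1 responses per `c-ip` in the IIS W3C Extended log. It assumes the site logs the `c-ip`, `cs-username`, `sc-status` and `sc-substatus` fields; the sample log lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample in IIS 6 W3C Extended format (documentation address ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-06-08 14:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-06-08 14:00:01 192.0.2.10 GET /admin/ - 80 - 203.0.113.45 Mozilla/4.0 401 2 2148074254
2010-06-08 14:00:02 192.0.2.10 GET /admin/ - 80 www 203.0.113.45 Mozilla/4.0 401 1 1326
2010-06-08 14:00:03 192.0.2.10 GET /admin/ - 80 admin 203.0.113.45 Mozilla/4.0 401 1 1326
2010-06-08 14:00:04 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2010-06-08 14:00:05 192.0.2.10 GET /admin/ - 80 www 203.0.113.45 Mozilla/4.0 401 1 1326
2010-06-08 14:00:09 192.0.2.10 GET /admin/ - 80 www 198.51.100.7 Mozilla/4.0 401 1 1326
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or damaged rows
                yield dict(zip(fields, values))

def failed_logons_by_source(lines):
    """Group 401.1 (logon failed) responses by client IP."""
    sources = {}
    for row in parse_w3c(lines):
        # 401.2 is the normal first challenge; 401.1 means credentials were sent and rejected.
        # If sc-substatus is not logged, every 401 is treated as a candidate.
        if row.get("sc-status") != "401" or row.get("sc-substatus", "1") != "1":
            continue
        src = sources.setdefault(row.get("c-ip", "-"), {
            "count": 0, "users": Counter(), "urls": Counter(), "first": None, "last": None})
        stamp = f'{row.get("date", "")} {row.get("time", "")}'.strip()  # W3C log times are UTC
        src["count"] += 1
        src["users"][row.get("cs-username", "-")] += 1
        src["urls"][row.get("cs-uri-stem", "-")] += 1
        src["first"] = src["first"] or stamp
        src["last"] = stamp
    return sources

if __name__ == "__main__":
    report = failed_logons_by_source(SAMPLE_LOG.splitlines())
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, s["count"], dict(s["users"]), dict(s["urls"]), s["first"], "->", s["last"])
```

When matching these rows against Security log entries, note that the W3C log timestamps are UTC while Event Viewer displays local time.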



## TheOutcaste (Aug 8, 2007)

Is the Windows Firewall enabled?
Is the Firewall Logging enabled?
If so, see if it's logging the connection.
The log is located here:
*%systemroot%\pfirewall.log*
To open it, click *Start | Run*, type *pfirewall.log*, press *Enter*


----------



## Rockn (Jul 29, 2001)

I am surprised you are not getting more intrusion attempts connecting directly to a T1.


----------

