Good morning everyone,
Let me first say that we have a small business, and I am assuming the role of IT manager, and I am learning as I go. Not ideal, but it's what I have.
I was looking over the event logs on the server 2 days ago and noticed I was getting logins from Pakistan, Russia, Turkey, Malaysia, all over. So I downloaded Symantec Endpoint Protection SBE 2013 and have since deployed it.
I'm noticing in the event log the same IP addresses are still logging in. I searched for information on RDP exploits, saw a YouTube video on one, checked my system settings and discovered that my solutions provider didn't set up RDP with NLA. So I require NLA now. Since I did that, I have not seen any new logins, although it was only 45 minutes ago (that being said, I was getting logins every 10 seconds). Update: as of 1 minute ago, I'm seeing that Listener RDP-TCP received a connection, but usually that is followed up by another log entry saying User Authentication Succeeded. So maybe a small victory?
I went into my D-Link router and completely blocked port 3389 for my server's IP address. D-Link doesn't provide great support on best practices for port blocking, so that's the only solution I could find. I'm also blocking the offending IP addresses. As a side note, anybody have a recommendation on a hardware firewall?
So what do you think about these steps I've taken?
The only problem I've seen so far is on my server when I try to launch Active Directory, it tells me the server is not operational. MS TechNet says there is a problem with blocking port 389, and I'm not sure if the product I've installed on the server is to blame - I installed the endpoint protection edition for desktops, not servers, because I wanted the network threat protection.
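As an added example (not code from the original post), here is a small triage script for the kind of Security log review described above: it groups RDP logon events per source IP, flags sources that fail repeatedly at machine speed or across several account names, and marks any source whose failures are followed by a success. The input format, the column order and the sample lines are constructed assumptions; a real export would come from Get-WinEvent or wevtutil.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not from the original post). Fields:
# timestamp,event_id,logon_type,account,source_ip. Event 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2013-05-02T08:00:00,4625,10,administrator,203.0.113.7
2013-05-02T08:00:10,4625,10,admin,203.0.113.7
2013-05-02T08:00:20,4625,10,Administrator,203.0.113.7
2013-05-02T08:00:30,4625,10,backup,203.0.113.7
2013-05-02T08:00:40,4625,10,sqladmin,203.0.113.7
2013-05-02T08:01:00,4625,10,jsmith,198.51.100.9
2013-05-02T08:01:10,4625,10,jsmith,198.51.100.9
2013-05-02T08:01:20,4625,10,jsmith,198.51.100.9
2013-05-02T08:01:30,4624,10,jsmith,198.51.100.9
2013-05-02T08:05:00,4625,10,jsmith,192.0.2.25
2013-05-02T08:05:30,4624,10,jsmith,192.0.2.25
"""

def parse(text):
    # One (timestamp, event_id, logon_type, account, ip) tuple per export line.
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, acct, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), int(eid), int(ltype), acct.lower(), ip))
    return rows

def rdp_source_summary(rows, min_failures=3, max_gap_seconds=15):
    """Summarise RDP logons per source IP for sources with >= min_failures failures.

    'rapid' means consecutive failures never more than max_gap_seconds apart
    (an automated guesser, like the every-10-seconds pattern in the post).
    'later_success' means a success followed the failures: reset that account.
    """
    by_ip = defaultdict(list)
    for ts, eid, ltype, acct, ip in rows:
        if ltype == 10 and eid in (4624, 4625):
            by_ip[ip].append((ts, eid, acct))
    summary = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[1] == 4625]
        if len(fails) < min_failures:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fails, fails[1:])]
        summary[ip] = {
            "failures": len(fails),
            "distinct_accounts": len({e[2] for e in fails}),
            "rapid": max(gaps, default=0.0) <= max_gap_seconds,
            "later_success": any(e[1] == 4624 and e[0] > fails[0][0] for e in events),
        }
    return summary
```

Sources that appear in the summary are the ones worth blocking at the firewall; a source with `later_success` set is the one whose account password needs changing first.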