Endpoint Protection

  • 1.  Under attack

    Posted Sep 06, 2013 09:06 AM

    Good morning everyone,

    Let me first say that we have a small business, and I am assuming the role of IT manager, and I am learning as I go. Not ideal, but it's what I have.

    I was looking over the event logs on the server 2 days ago and noticed I was getting logins from Pakistan, Russia, Turkey, Malaysia, all over. So I downloaded Symantec Endpoint Protection SBE 2013 and have since deployed it.

    I'm noticing in the event log the same IP addresses are still logging in. I searched for information on RDP exploits, saw a YouTube video on one, checked my system settings and discovered that my solutions provider didn't set up RDP with NLA. So I require NLA now. Since I did that, I have not seen any new logins, although it was only 45 minutes ago (that being said, I was getting logins every 10 seconds.) Update: as of 1 minute ago, I'm seeing that Listener RDP-TCP received a connection, but usually that is followed up by another log entry saying User Authentication Succeeded. So maybe a small victory?

    I went in to my D-Link router and completely blocked port 3389 for my server's IP address. D-Link doesn't provide great support on best practices for port blocking, so that's the only solution I could find. I'm also blocking the offending IP addresses. As a side note, anybody have a recommendation on a hardware firewall?

    So what do you think about these steps I've taken?

    The only problem I've seen so far is on my server when I try to launch Active Directory, it tells me the server is not operation. MS technet says there is a problem with blocking port 389, and I'm not sure if the product I've installed on the server is to blame - I installed the endpoint protection edition for desktops, not servers, because I wanted the network threat protection.
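A way to verify the two settings discussed in this post from the server itself, as an added example that is not part of the thread: it reads the RDP-Tcp listener's NLA and security-layer values from the standard registry locations and lists any enabled inbound Windows Firewall rule that allows TCP 3389, with the remote-address scope it is restricted to. It assumes Windows Server 2012 or later for the NetSecurity cmdlets (the registry checks work on older versions too).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on the server.
# Registry paths are the standard ones for the RDP-Tcp listener.
$rdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = "$rdpKey\WinStations\RDP-Tcp"

$denyConnections = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
$nla             = (Get-ItemProperty -Path $listenerKey -Name UserAuthentication).UserAuthentication
$securityLayer   = (Get-ItemProperty -Path $listenerKey -Name SecurityLayer).SecurityLayer

"Remote Desktop enabled : $(if ($denyConnections -eq 0) { 'yes' } else { 'no' })"
"NLA required           : $(if ($nla -eq 1) { 'yes' } else { 'NO - unauthenticated clients reach the logon screen' })"
"Security layer         : $(switch ($securityLayer) { 0 { 'RDP (legacy, weakest)' } 1 { 'Negotiate' } 2 { 'TLS/SSL' } default { $_ } })"

# Require NLA if it is off. Affects new connections only; existing sessions are untouched.
if ($nla -ne 1) {
    Set-ItemProperty -Path $listenerKey -Name UserAuthentication -Value 1
    'NLA has been enabled on the RDP-Tcp listener.'
}

# Enabled inbound allow rules for TCP 3389 and the remote addresses they accept.
# "Any" here means the host itself would accept RDP from the whole Internet if the
# router stopped blocking 3389, so scope the rule to the LAN or a VPN range.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        "Firewall rule '$($_.DisplayName)' allows TCP 3389 from: $scope"
    }
```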



  • 2.  RE: Under attack

    Posted Sep 06, 2013 09:30 AM

    To be fair, your Internet-link firewall should be blocking all traffic apart from what you know to be specifically required. I'm afraid it would be difficult to recommend an appropriate FW without knowing more about your company (as some can be quite expensive).

    As far as security best practices for SEP go, you may want to review the below article:
    http://www.symantec.com/docs/TECH166816



  • 3.  RE: Under attack

    Posted Sep 06, 2013 09:32 AM

    By installing SEP, you took a good first step there. Just make sure you installed all the components, AV, PTP, NTP.

    I would also block the IPs from where the logins were coming.

    You should also run full scans on your machines to see if anything is detected.

    Do you have a good idea of the traffic coming in and out of your network? I would block everything except what is necessary.

    Do you have any traffic monitoring software in place?



  • 4.  RE: Under attack

    Posted Sep 06, 2013 10:40 AM

    I have no traffic monitoring software in place, no.

    Full scans have returned nothing; I'm hoping (maybe naively) that the people who did this were just getting a list of exploitable servers, given that the same IP and same "user" would login every 10 seconds over a period of time.

    Do you know if SEP could be the cause of my Active Domain issues? I'm thinking about uninstalling the desktop edition and moving to the server edition to see if it clears it up.



  • 5.  RE: Under attack

    Posted Sep 06, 2013 10:49 AM

    That would depend on where you're seeing the issue. I'm assuming you're trying to launch "AD Users & Computers" right?

    Is this locally on the server itself, and is this your only domain controller?



  • 6.  RE: Under attack

    Posted Sep 06, 2013 10:59 AM

    I've disabled NTP and rebooted the server, and I have regained access to AD Users and Computers.

    I'm still looking good when I go into Event Viewer>TerminalServices-RemoteConnectionManager. Whereas I was getting all sorts of random logins, now I only see a long string of Listener RDP-TCP received a connection that isn't followed up by a successful login.

    I feel better, thank you all for the help thus far. Anything else I should watch out for? Any way to tell what (if anything) these yahoos did when they logged in to my server?
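The question above (what, if anything, the remote logins did) can only be partly answered from the logs the poster is already reading. As an added example that is not part of the thread, this script summarises those logs by source address: event ID 1149 in the RemoteConnectionManager Operational log is the "User authentication succeeded" entry that follows "Listener RDP-Tcp received a connection", and Security events 4624 (logon type 10 = interactive over RDP) and 4625 (failed logon) record the account and remote IP. The lookback window is a constructed value; run it elevated on the server.

```powershell
# Added example (not from the thread). Summarise RDP logon activity by source address.
$Days  = 7                              # constructed lookback window
$since = (Get-Date).AddDays(-$Days)

# 1149 = "Remote Desktop Services: User authentication succeeded" (user, domain, source address).
$rcm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $e = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{ Time = $_.TimeCreated; User = "$($e.Param2)\$($e.Param1)"; Source = $e.Param3 }
}

'== RDP authentications (1149) by source address =='
$rcm | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Security log: 4624 success / 4625 failure, keeping only entries with a remote IP.
# Note: with NLA on, failed attempts are rejected before a session exists and show up
# as 4625 (logon type 3), so a rising 4625 count from one address is the brute force itself.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName
                           LogonType = $d.LogonType; Source = $d.IpAddress }
    } | Where-Object { $_.Source -and $_.Source -notin '-', '127.0.0.1', '::1' }

'== Security logons by source address (4624 type 10 = succeeded over RDP, 4625 = failed) =='
$sec | Where-Object { $_.Id -eq 4625 -or $_.LogonType -eq '10' } |
    Group-Object Source, Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Successful 4624/type 10 entries give the timestamps to look at next: what the account
# did after each one (file access, service installs, scheduled tasks) is only recoverable
# if object/audit logging was already on, as the later reply in this thread points out.
```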



  • 7.  RE: Under attack

    Broadcom Employee
    Posted Sep 06, 2013 11:02 AM

    Hi,

    Thank you for posting in Symantec community.

    As you mentioned you downloaded Symantec Endpoint Protection SBE 2013 and have since deployed it.

    Is it a licensed copy or trialware?

    Update Windows Operating System with the latest Microsoft patches and Service packs.

    Make sure the SEP client is updated with the latest definitions & all the features are installed (AV/AS, PTP & NTP).

    I would suggest using a Cisco router (hardware router). You can get a basic router and it should not be costly.



  • 8.  RE: Under attack

    Posted Sep 06, 2013 11:08 AM

    To be honest, given the surprisingly open nature of your FW, I'd actually recommend a full security review if you can arrange one.

    I'm afraid unless you already have auditing enabled (whether that be for AD objects, or files/folders, etc), there's little you can do to find out what's been done (if anything).



  • 9.  RE: Under attack

    Posted Sep 06, 2013 11:54 AM

    I installed the trialware, but will now get the licenses. Thank you for the advice on the Cisco router.

    SMLatCST- regarding security review, I will look into it. I'm rather surprised at the lack of security myself. Disappointed.



  • 10.  RE: Under attack

    Posted Sep 06, 2013 05:18 PM

    Once you have your endpoints secured, you should work on your perimeter.

    I would start by shutting down all ports/services except what is needed.