Late last year we had a situation where one of our clients based in Norwich was having repeated problems trying to control a computer in their Midlands office. He had been able to do this without a problem for some time. The day before this problem started, I replaced the computer in Norwich, so of course the client thinks that this new computer is probably causing the new problem. Concerned that we caused the problem, we investigated.
On our first attempt, we managed to connect to the remote computer without a problem, but found the following message in the Windows Event Viewer:
"The terminal server received large number of incomplete connections. The system may be under attack."
This is worrying and requires investigation, so we checked the router logs and spotted that in the last 20 hours there had been 129 connection attempts to the remote computer, from two different systems. The connection attempts from Norwich can be discounted as genuine, but 87 of the connection attempts are from an unknown IP address. Using IP lookup tools we can tell that the ‘suspicious’ connection attempts originate from a Spanish Internet Service Provider.
I immediately reconfigure the router so that connection attempts are allowed only from the Norwich system and all others are blocked and logged. I call the client who agrees with me that there is no valid reason for these connection attempts. I email the abuse team at the Spanish ISP, giving them the router logs and requesting they take action against their user.
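The triage described above (count inbound RDP attempts per source over the last 20 hours, separate the known office from unknown sources, then apply a default-deny rule that admits only the known office) can be scripted so it is repeatable. The block below is an added example, not code from the original post or from the company that wrote it. It assumes a hypothetical router log format and uses constructed addresses from the documentation ranges (192.0.2.10 standing in for the Norwich office, 198.51.100.77 for the unknown source); a real router's log line format and the real office address would need to be substituted.

```python
"""Triage router logs for inbound RDP attempts and apply an allow-list policy.

Added example; the log format, addresses and timestamps are all constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_PORT = 3389

# Constructed sample log in a hypothetical "fw: ACTION PROTO src:port -> dst:port"
# format. Real routers log differently; adjust LINE_RE to match.
SAMPLE_LOG = """\
2009-11-11T10:00:00 fw: ACCEPT TCP 198.51.100.77:39900 -> 203.0.113.5:3389
2009-11-12T21:03:11 fw: ACCEPT TCP 192.0.2.10:51022 -> 203.0.113.5:3389
2009-11-12T21:40:02 fw: ACCEPT TCP 198.51.100.77:40011 -> 203.0.113.5:3389
2009-11-12T21:40:05 fw: ACCEPT TCP 198.51.100.77:40012 -> 203.0.113.5:3389
2009-11-12T21:40:09 fw: ACCEPT TCP 198.51.100.77:40013 -> 203.0.113.5:3389
2009-11-12T22:15:44 fw: ACCEPT TCP 192.0.2.10:51180 -> 203.0.113.5:3389
2009-11-12T22:16:01 fw: ACCEPT TCP 198.51.100.23:8080 -> 203.0.113.5:80
2009-11-13T03:02:30 fw: ACCEPT TCP 198.51.100.77:40200 -> 203.0.113.5:3389
2009-11-13T08:45:12 fw: ACCEPT TCP 198.51.100.77:40311 -> 203.0.113.5:3389
2009-11-13T09:10:00 fw: ACCEPT TCP 192.0.2.10:51900 -> 203.0.113.5:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Networks permitted to reach RDP (the Norwich office in the story); placeholder value.
ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]

# Constructed reference time for the "last 20 hours" window.
REFERENCE_NOW = datetime(2009, 11, 13, 10, 0, 0)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src):
    """True if src falls inside one of the allow-listed networks."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def rdp_attempts(log_text, now, window_hours=20):
    """Return records of connections to the RDP port within the last window_hours."""
    since = now - timedelta(hours=window_hours)
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == RDP_PORT and since <= rec["ts"] <= now:
            attempts.append(rec)
    return attempts


def summarise(attempts):
    """Count attempts per source IP and split the total into allowed vs unknown."""
    per_source = Counter(rec["src"] for rec in attempts)
    allowed = sum(n for src, n in per_source.items() if is_allowed_source(src))
    unknown = sum(per_source.values()) - allowed
    return per_source, allowed, unknown


def firewall_decision(src, dport):
    """Default-deny rule: only allow-listed sources may reach RDP; everything
    else is dropped and logged, mirroring the router change described in the text."""
    if dport == RDP_PORT and is_allowed_source(src):
        return "ALLOW"
    return "DROP_AND_LOG"


if __name__ == "__main__":
    attempts = rdp_attempts(SAMPLE_LOG, REFERENCE_NOW)
    per_source, allowed, unknown = summarise(attempts)
    print(f"{len(attempts)} RDP attempts in the last 20 hours")
    for src, n in per_source.most_common():
        tag = "allowed" if is_allowed_source(src) else "UNKNOWN"
        print(f"  {src:<16} {n:>3}  ({tag})")
    print(f"allowed={allowed} unknown={unknown}")
    print("policy for 198.51.100.77 -> 3389:", firewall_decision("198.51.100.77", RDP_PORT))
```

Run against the constructed sample, the script reports eight RDP attempts in the window, three from the allow-listed office and five from the unknown source, while the older line and the port 80 line are filtered out. The same per-source count, checked routinely, is what turns "the log is there" into "someone actually looked at it".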
This very specific problem is resolved but others lurk, unknown.
Here are the lessons learned tonight for this client:
This was a genuine coincidence. The new computer did not cause the new problem.
Event viewer is a helpful troubleshooting tool and it should be checked regularly.
Router logs can flag up potential security holes; these should be checked regularly.
Router firewalls should be configured to block everything by default and to allow specific inbound connections from specific external IP addresses only.
Microsoft Remote Desktop is a less than ideal remote control tool. Other solutions provide much better levels of security.
A software or hardware VPN between sites would have stopped this issue from occurring.
The Windows XP Firewall is poor. All desktops should have an up-to-date, paid-for firewall solution such as AVG Internet Security, which would be a second line of defence in this situation.
Passwords should be strong, secret, and regularly changed.
THE BIG LESSON: Take IT Security Seriously
If you want to take away just one thing from this little adventure in security, it is that there are clear and present dangers to your IT systems and that security should be taken very seriously indeed. One good way to address this is a regular investment in an IT Management Plan which includes a certain level of pro-action on our part. Security is just one of the things we like to look at when providing pro-active IT Management.
If you want our honest opinion on security at your business or wish to discuss a more pro-active approach to managing your IT, please call me now on 01603 7818902.