One area that I do not like to cover in a public forum is security. But, in the last few days we have started noticing a sustained attack on a couple of our publicly facing Windows boxes.
Attack Surface Area
Microsoft – DNS
Using SysInternals TCPView, we are able to see repeated DNS connections.
Microsoft – IIS
Here is what one of our web sites looks like after the attacks:
Microsoft – Event Viewer
Here is an attack from 126.96.36.199 targeting HTTPS/Port 443
Here is an attack from 188.8.131.52 targeting HTTPS/Port 443
Here is an attack from 184.108.40.206 targeting HTTPS/Port 443
Here is an attack from 220.127.116.11 targeting DNS/Port 53
What to do
- Consider a perimeter firewall
- On individual hosts, make sure that you're running Microsoft Windows Firewall
- On individual hosts, make sure that DNS Services are only running on servers that need it
- On individual hosts, configure Microsoft IIS with Security best practices
- On individual hosts, make sure that you're running a good, reputable antivirus
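The host-level items above can be checked with a short read-only audit. This is an added example, not part of the original post; it assumes Windows Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets), and the connection threshold is an assumed value to tune against your normal traffic.

```powershell
# Added example: read-only audit of one Windows host. Makes no changes.
# Assumed threshold: flag any remote address holding this many connections.
$ConnectionThreshold = 20

# 1. Windows Firewall should be enabled on every profile (Domain, Private, Public).
foreach ($p in Get-NetFirewallProfile) {
    $state = if ($p.Enabled -eq 'True') { 'enabled' } else { 'NOT ENABLED' }
    Write-Output ("Firewall profile {0}: {1}" -f $p.Name, $state)
}

# 2. The DNS Server service (service name 'DNS') should only run where it is needed.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($null -eq $dns) {
    Write-Output 'DNS Server service: not installed'
} elseif ($dns.Status -eq 'Running') {
    Write-Output 'DNS Server service: RUNNING (confirm this host is meant to serve DNS)'
} else {
    Write-Output ("DNS Server service: installed, status {0}" -f $dns.Status)
}

# 3. Same view TCPView gives, summarised: established TCP connections to the
#    local DNS (53) and HTTPS (443) ports, grouped by remote address.
#    Get-NetTCPConnection raises an error when nothing matches, hence SilentlyContinue.
$conns = @(Get-NetTCPConnection -LocalPort 53, 443 -State Established -ErrorAction SilentlyContinue)
Write-Output ("Established connections on ports 53/443: {0}" -f $conns.Count)

$conns |
    Group-Object -Property RemoteAddress |
    Where-Object { $_.Count -ge $ConnectionThreshold } |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        # List which local ports this remote address is connected to.
        $ports = ($_.Group.LocalPort | Sort-Object -Unique) -join ','
        Write-Output ("  {0}: {1} connections (local ports {2})" -f $_.Name, $_.Count, $ports)
    }
```

DNS queries are mostly UDP, which has no connection state, so the third check only covers TCP traffic; pair it with the DNS and firewall logs for the full picture.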
Symantec / Anti-Virus
Buzz99 has a good and freshly updated blog post @
Norton Antivirus 2014 Product Key Free 6 Months Subscription
Courtesy of same blog post here is the URL to the product:
Even though it warns that the product has not yet been tested on MS Windows 2012, it installs and works on it.
Posted a follow-up @ Technical: Microsoft – Information Integration Server (IIS) – Version 8 – Hardening\Securing ( https://danieladeniji.wordpress.com/2014/04/14/27740/ ).