
Resolved Data Centers and Hardware Firewalls

Discussion in 'Networking (Hardware & Software)' started by Steve R Jones, 2014/10/30.

  1. 2014/10/30
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    Joined:
    2001/12/30
    Messages:
    12,285
    Likes Received:
    249
    My company has seven standalone servers in a DC... We have had some security issues recently. Some were hacked into... new Windows user profiles were added and apps like Mass Email Sender were installed.

    We have since changed to much stronger 16 character passwords and turned the Windows firewall back on.

    One of my guesses is they hacked into one and found FileZilla, which stores all the info a person needs to access other machines... We have since deleted the Site Manager entries and are using the "clear" option if and when we connect to another machine.

    The machines basically do nothing but host SQL databases for our clients who use our accounting software. 4 out of the 7 are terminal servers.

    I'm trying to wrap my head around wondering if a hardware firewall would help. The cost would be about $100 per machine per month.

    Thanks in advance for sharing your thoughts.
     
  2. 2014/10/30
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,038
    Likes Received:
    174
    A hardware firewall makes sense at the edge of the network. Haven't really given any thought to a hardware firewall for each machine though.
     

  4. 2014/10/30
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    Joined:
    2001/12/30
    Messages:
    12,285
    Likes Received:
    249
    In this case - one firewall will handle all machines.
     
  5. 2014/10/30
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    A firewall may or may not do any good. The KEY is "How was access gained in the first place?"

    Common vulnerabilities are:
    1. malware on a client pc
    2. client pc with Remote Desktop enabled and an Administrator or Owner account with no password; RD is ON by default.
    3. brute force guessing usernames & passwords
    4. social engineering (phishing, bogus company messages, coffee shop chatter, cell phone camera recording login(s), etc.)
    5. if MS SQL, known security exploits could be utilized to gain network access to clients and other computers.

    Find out how they gained access and then implement security measures.
     
  6. 2014/10/30
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    Joined:
    2001/12/30
    Messages:
    12,285
    Likes Received:
    249
    THANKS TONY....

    Three of the machines - humans don't actually access it. The clients have our software installed locally and point the app to the db on the servers.

    Three of the TS machines - the clients don't have access to the desktops. The RDP connection auto launches our accounting software. On the fourth TS machine, the clients do have limited access to the machine.

    I think your #3 brute force is the probable cause. You can sit there and watch the TS manager whirl and twirl from failed attempts to log in...

    BUT, there are about a dozen or so co-workers that have access to the machines. AND, if they are stupid like I am where I allow my pc to store the RDP connection info that could cause an issue...

    I guess I will start a frequent change the password routine...
     
  7. 2014/10/31
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    Good info here:
    http://serverfault.com/questions/230033/how-to-stop-brute-force-attacks-on-terminal-server-win2008r2

    Simplest, easiest solution is to use a non-standard port for RDP. The default port is TCP port 3389 and UDP port 3389. Configure it to use some other port that is NOT in use on your networked computers. To see the ports used by any computer on the network use the command netstat -a to get a list of used ports.

    Then configure RDP to use some other pair of TCP & UDP ports that criminals will not be interested in, such as port 6112 (Club Penguin Disney online game for kids)!

    Any port can be used so long as it's not in use on your network already, and if not in use, do not choose a common port.
    examples: Common
    port 80 (www)
    port 8080 (proxies)
    port 110 (pop) etc. etc.
     
    rsinfo likes this.
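
The port change described in the post above, as an added example that is not part of the original thread: it refuses the common ports the post lists, checks `netstat -an` on the local machine only (not the whole network), opens the new port in Windows Firewall, and then sets the standard `PortNumber` value under the `RDP-Tcp` registry key. The default of 6112, the rule names and the `Test-PortInUse` helper are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
param([int]$NewPort = 6112)   # 6112 is the illustration used in the post above

$rdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$commonPorts = 80, 8080, 110, 3389   # ports the post says to avoid, plus the RDP default

# Hypothetical helper: returns $true if any TCP or UDP row in the given
# netstat output has the port as its local port.
function Test-PortInUse {
    param([int]$Port, [string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        # Rows look like: "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING"
        $fields = @(-split $line)
        if ($fields.Count -ge 2 -and $fields[0] -match '^(TCP|UDP)$') {
            # Local address is the second field; the port follows the last colon,
            # which also covers IPv6 rows such as "[::]:3389".
            if (($fields[1] -split ':')[-1] -eq "$Port") { return $true }
        }
    }
    return $false
}

if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range." }
if ($commonPorts -contains $NewPort)       { throw "Port $NewPort is a common port; choose another." }
if (Test-PortInUse -Port $NewPort -NetstatLines (netstat -an)) {
    throw "Port $NewPort is already in use on this machine."
}

$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP currently listens on port $current"

# Allow the new port through Windows Firewall before moving the listener,
# so the change does not lock out remote administrators. Rule names are hypothetical.
foreach ($proto in 'TCP', 'UDP') {
    netsh advfirewall firewall add rule name="RDP-Custom-$proto" dir=in action=allow protocol=$proto localport=$NewPort
}

Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "PortNumber set to $NewPort; it takes effect after Remote Desktop Services restarts."
```

The listener moves to the new port when the Remote Desktop Services service restarts or the server reboots, and clients then connect with `server:port`. Changing the port cuts down on automated scans of 3389; account lockout policy and restricting source addresses at the firewall still apply.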
  8. 2014/10/31
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    Joined:
    2001/12/30
    Messages:
    12,285
    Likes Received:
    249
    Thank you Tony...

    You had chimed in on another thread I started regarding changing the RDP port.

    I'm going to bring it up again with my IT guys.
     
