Webmasters and website owners uses Local Group Policy Editor in Windows to prevent anonymous login and ban IP of attacker through IPban.

As a part of our Server Management Services, we help our customers to keep their servers secure from attacks.

Let us today discuss the possible steps to prevent anonymous login.

Why do we need to prevent anonymous login and ban IP of attacker in Windows?

In most of the Network, webmasters might want users to anonymously log on and log off for certain machines. This is certainly true of all public Web and FTP servers. But for the rest of the network, allowing anonymous login is a security risk that need to be lock down.

For instance the NT Authority/Anonymous event ID 528 (Logon) Type 3 on your file servers and workstations is supecious. These events indicate that an anonymous user has successfully viewed or connected to a network share.

We can fix this type of vulnerabilities by disabling anonymous login by using Local Group Policy Editor. Let us now look at the steps to perform it on Windows Server 2008 R2. 

How to prevent anonymous login and ban IP of attacker in Windows?

1. On Windows Server 2008 R2 / Windows Server 2012, to open the Local Group Policy Editor, click Start button, type gpedit.msc in the Start Search box, and then press ENTER.
2. Under Computer Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions, there are 6 policies under network access to control what information can be accessed anonymously:
   
3. Disable the policies to “Allow anonymous SID/Name translation” and “Let Everyone permissions apply to anonymous users”.
4. Enable the policies for “Do not allow anonymous enumeration of SAM accounts” and “Do not allow anonymous enumeration of SAM accounts and shares”.
5. Clear empty the policies for “Named Pipes that can be accessed anonymously” and “Shares that can be accessed anonymously”.

Apart from disabling anonymous login, installing applications for endpoint protection will help to prevent attempts to attack on the server. 

How to protect servers that use Remote Desktop?

If we use Remote Desktop to connect to the server, we can do a security layer by the steps below:

1. Change the default service port of Remote Desktop and theserver.
2. Use IPBan which is a free tool to track any IP that invokes services on the server. When number of fail events reaches to a predefined threshold, it will block the IP in the Windows Advanced Firewall by using a Blocking rule there.

How to set up IPBan?

IP ban can be downloaded from the link here. .NET Framework 4 is required for IPBan.  The main configurations to set it up and run include:

1. 1. Config Remote Desktop Session Host Configuration to log IP address in event log.
      To run it: click Start button, key Remote Desktop Session Host Configuration in the Start Search box, and then press ENTER. Double click the connection RDP-Tcp to change encryption settings to native RDP encryption. Set the Security Layer to RDP Security Layer and click on OK. After finishing, please reboot your server.
   2. Copy IPBan binary to a folder, e.g. D:\IPBan. Then open and modify IPBan.exe.config file. Modify the Group rules, rule for attempts before banning, ban time rule and log file rotation rule.
   3. Create IPBan service and start it

      #sc create IPBan type= own start= auto binPath= D:\IPBan\ipban.exe DisplayName= IPBan
      #net start IPBan

[Need any further assistance in fixing Windows errors? – We’re available 24*7]

Conclusion

In short, Local Group Policy Editor in Windows allows us to prevent anonymous login and IPBan helps to ban IP of attacker. Today, we saw how our Support Engineers perform this task.