Determine Windows server attack? Should I monitor the server and block IPs all day?
While viewing the Windows Server 2008 event log, I always find many security event 4625 (logon) entries as follows:
```
An account failed to log on.

Subject:
    Security ID:            SYSTEM
    Account Name:           Sever-Name
    Account Domain:         WORKGROUP
    Logon ID:               0x3e7

Logon Type:                 10

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           admin (or administrator or user or any)
    Account Domain:         Sever-Name

Failure Information:
    Failure Reason:         Unknown user name or bad password.
    Status:                 0xc000006d
    Sub Status:             0xc000006a

Process Information:
    Caller Process ID:      0x1b18
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:       Sever-Name
    Source Network Address: Some-Remote-IP
    Source Port:            Port#No (many ports in a row)

Detailed Authentication Information:
    Logon Process:          User32
    Authentication Package: Negotiate
```
The above attempts come from a single IP using all possible usernames and ports.
My questions are:
1. Are these regular attacks?
2. How worried should I be? Should I monitor and block every single IP, or only when there is a huge attack?
3. Does blocking an IP through Windows Firewall by choosing to block "All Programs" mean that this IP will not be able to even use the web and email services?
4. If the answer to #3 is yes, is there a way to only block the machine / RDP access? Is it enough?
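An added example, not from the question or the answer: it parses 4625 records in the layout shown above and, per source IP, counts failed RDP logons (logon type 10) and the distinct account names tried, which is the one-IP-many-usernames pattern described. The sample events, addresses, hostname and the threshold of 5 are constructed for the demonstration.

```python
import re
from collections import defaultdict

def make_event(ip, account, port):
    """Constructed 4625 record in the layout of the question's log (not real data)."""
    return ("An account failed to log on.\n"
            "Subject:\nSecurity ID: SYSTEM\nAccount Name: Server-Name\n"
            "Logon Type: 10\n"
            "Account For Which Logon Failed:\nSecurity ID: NULL SID\n"
            f"Account Name: {account}\n"
            "Failure Information:\nStatus: 0xc000006d\nSub Status: 0xc000006a\n"
            f"Network Information:\nSource Network Address: {ip}\nSource Port: {port}\n")

# One IP trying six usernames on successive ports (the pattern in the question),
# plus one stray failure from a second IP. Addresses are from documentation ranges.
SAMPLE_LOG = "".join(
    [make_event("203.0.113.5", n, 50000 + i)
     for i, n in enumerate(["admin", "administrator", "user", "test", "guest", "root"])]
    + [make_event("198.51.100.9", "bob", 61001)])

FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split the text into events and collect their 'Key: value' fields.
    'Account Name' appears twice per event; the last one is the account that failed."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        ev = {}
        for key, val in FIELD.findall(chunk):
            if key == "Account Name":
                ev.setdefault("subject", val)
                ev["target"] = val
            else:
                ev[key] = val
        events.append(ev)
    return events

def triage(text, threshold=5):
    """Per source IP: failed RDP (logon type 10) attempts and distinct accounts tried.
    Returns {ip: (failures, distinct_accounts, flagged)}; flagged means the IP
    crossed the threshold and is a candidate for a firewall block on RDP."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for ev in parse_events(text):
        if ev.get("Logon Type") != "10":
            continue
        ip = ev.get("Source Network Address", "unknown")
        stats[ip]["failures"] += 1
        stats[ip]["accounts"].add(ev.get("target"))
    return {ip: (s["failures"], len(s["accounts"]), s["failures"] >= threshold)
            for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, (n, accts, flagged) in triage(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, {accts} accounts, {'BLOCK' if flagged else 'watch'}")
```

On a real server the same logic can be fed the exported text of the Security log; events with other logon types (for example type 3, network) are skipped so only RDP-style failures count.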
Solution 1:
This is what you need to do:
1. Set up a VPN for secure remote access to your server.
2. Place the server behind a firewall (hardware or software) and don't allow remote logons from anywhere. You must connect to the VPN if you want to connect remotely.
3. Have a sandwich and enjoy how much better off you are now that you've done these basic security precautions.
After that is done, then you need to get a book on Windows administration (or administration in general) and read about firewall rules. Then configure yours appropriately. Only you know who needs to access what services from where. Take some time to look at all services running, decide which ones need to be publicly available (like web) and which ones don't (like RDP) and configure your firewall accordingly.