Recently I’ve had periods where my computer or Internet connection seems to bog down. I started looking to see what was happening and found I had a security problem. So, if you use Remote Desktop or have your Windows Login Service exposed to the Internet for other reasons, you should probably read this.
I’ve heard the news and seen the articles on the Cyber War. I have my firewall and anti-virus, anti-malware, anti-etc… So, I feel pretty safe. But, I do use Windows Firewall in Vista. It is a decent enough firewall even if many do knock it.
But, I kept having periods where my computer got sluggish. Also, recently my Internet connection speed would shift into s l o o o o w motion. So, I started looking to see what was happening.
System Explorer is a free program that gives you good insight into what is happening in the computer. Using it I found several copies of rundll32.exe opening and closing. I also saw that svchost.exe was the task rundll32.exe was running. That is an Internet app… well… network app.
I also saw that svchost.exe was calling LogonUI.exe and winLogon.exe. These are the programs that are used by Windows to verify your logon credentials before granting access. So, someone was trying to logon to my computer.
Looking in System Explorer’s History I saw that the IP address 126.96.36.199 was the source of repeated login attempts. Dang!
A quick lookup shows the IP address is assigned to… YIKES… an ISP in Iran: Neda Rayaneh. A little more digging through the logs and I see what appears to be a brute force attack on the login. So, it isn’t a sophisticated Iranian government attack on my computer… if it had been I would probably have already been screwed.
I need to use Remote Desktop when I am away from home. That exposes my machine’s login service to the world. I have a good name and password along with having all other accounts denied remote access. But, I can’t close off the access to the login services and still get in myself.
So, I need to block a range of IP addresses to keep this pest out. A little Google research reveals I need to block 188.8.131.52 to 184.108.40.206. (Reference) Now to get that done.
Windows Firewall Advanced
If you use Windows’ default panels to access the Windows Firewall settings you can’t do much. Turning it on and off is about it. But, there is an ‘Advanced’ side to the firewall since the release of Vista. You just have to know how to get to it.
First try clicking START and typing: Windows Firewall. With any luck you will see an entry come up for: Windows Firewall with Advanced Security on Local Computer. If that comes up, open it.
You might also find it in the Control Panel in Administrative Tools.
If you do not find it, you can add it to your system. It is there, you just have to make it accessible. To do so follow these steps:
- Open START and click RUN…
- Type in mmc.exe and press Enter.
- In the Console panel’s menu click: File -> Add/Remove Snap-in…
- Look through the list for: Windows Firewall with Advanced Security on Local Computer.
- Click ADD and OK.
You now have access to Windows Firewall advanced settings. It has everything most firewalls have. You can save this setup so it will always be easily available. (File -> Save As…)
If for some reason the Snap-in is not in the list, you can download it.
There is a gotcha when creating rules to block IP addresses: the New Rule wizard does NOT let you set the IP address to block while creating the rule. You must create the rule first and then EDIT its Properties (the Scope tab, under Remote IP address) to set the address. Odd.
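An added example (mine, not from the original post) that does the same job from the command line, which sidesteps the wizard gotcha entirely because the remote address goes in when the rule is created. It uses netsh advfirewall, which ships with Windows Firewall with Advanced Security since Vista; the rule name is my own choice, and START_IP-END_IP is a placeholder for the range you got from the address lookup (lower address first).

```powershell
# Added example, not code from the original post. Run from an elevated
# (Run as administrator) PowerShell or Command Prompt.
$RuleName = "Block brute-force login source range"   # my own name for the rule
$Range    = "START_IP-END_IP"                       # placeholder: e.g. 10.0.0.1-10.0.0.254, lower address first

# Block ALL inbound traffic from the range on every firewall profile.
# In Windows Firewall with Advanced Security an explicit block rule wins over
# any allow rule, so the Remote Desktop allow rule stays in place for everyone
# else and you can still get in from elsewhere.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=block remoteip=$Range profile=any enable=yes

# Check: the listing should show "Action: Block" and "RemoteIP" set to your range.
netsh advfirewall firewall show rule name="$RuleName"

# If you ever need to undo it:
# netsh advfirewall firewall delete rule name="$RuleName"

# On Windows 8 / Server 2012 and later the built-in cmdlet does the same thing:
# New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -RemoteAddress $Range
```

The rule also shows up in the Inbound Rules list of the MMC snap-in, so you can confirm it there as well.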
I’ve given you the parts of the process that are hard to find via Google. If you want to learn about the advanced tools see: Windows Firewall with Advanced Security Getting Started Guide. It is written in Microsoft-ese, which I find mostly unintelligible. But, it is the official guide.
I think a bit more readable and understandable is: Study Guide – Configure Windows Firewall. Scroll about half way down to: Introduction to Windows Firewall with Advanced Security.
My computer seems to be running more smoothly.