Monitor any potential attacks

Peter_1985 2,526 Reputation points
2021-02-24T07:40:06.813+00:00

Hi,
How to monitor any potential attacks towards one specific IP reachable from outside? How to defend server against such attacks?

Windows Server 2016
Windows Server
Windows 10 Network
Windows Server Infrastructure

Accepted answer
  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-02-26T02:50:02.803+00:00

    Hi @Peter_1985 ,

    If you want to prevent malware from infecting your Windows Server 2016, Windows Defender AV is malware protection that immediately and actively protects Windows Server 2016 against known malware and can regularly update antimalware definitions through Windows Update.

    For your reference:

    Windows Defender Antivirus for Windows Server

    Best Regards,

    Candy


6 additional answers

  1. G_Fl 1 Reputation point
    2021-02-24T08:27:01.04+00:00

    Hi Jackson,

    There is no monitoring switch "potential attack".
    Every server has a purpose (Web-, File-, SQL-, etc.).
    You have to know the standard how a server is to be accessed and monitor for everything unusual.
    Unintended behavior could be:

    • port scans
    • excessive login tries with well-known user names (admin, root, sa)
    • strange HTTP or SQL queries
    • RUDY attacks
    • and many, many more

    All this is still basic monitoring. IMHO your question is too unspecific to give a better answer.

    Best regards

    GF
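
Two items from the list above, port scans and repeated hits from one source address, can be read from the Windows Defender Firewall log once dropped-packet logging is turned on. The PowerShell below is an added example, not part of the original thread; the sample log lines, the function name `Get-DroppedSourceSummary` and the port threshold are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes drop logging is enabled (it is
# off by default): netsh advfirewall set allprofiles logging droppedconnections enable
# Default log file: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

# Constructed sample in pfirewall.log format (documentation-range addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-02-24 08:01:02 DROP TCP 198.51.100.7 192.0.2.10 51000 21 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:01:02 DROP TCP 198.51.100.7 192.0.2.10 51001 23 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:01:03 DROP TCP 198.51.100.7 192.0.2.10 51002 80 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:01:03 DROP TCP 198.51.100.7 192.0.2.10 51003 445 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:01:04 DROP TCP 198.51.100.7 192.0.2.10 51004 1433 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:05:10 DROP TCP 203.0.113.9 192.0.2.10 40222 3389 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:05:40 DROP TCP 203.0.113.9 192.0.2.10 40223 3389 52 S 1 0 8192 - - - RECEIVE
2021-02-24 08:06:00 ALLOW TCP 192.0.2.50 192.0.2.10 50111 443 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

function Get-DroppedSourceSummary {
    param(
        [string[]]$Line,
        [int]$PortThreshold = 5   # hypothetical cut-off; tune it per server
    )
    # Take the column order from the '#Fields:' header instead of fixed indexes.
    $header = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'

    $Line | Where-Object { $_ -and $_ -notlike '#*' } | ForEach-Object {
        $v = $_ -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        [pscustomobject]$row
    } | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip' | ForEach-Object {
            $ports = @($_.Group | ForEach-Object { $_.'dst-port' } | Sort-Object -Unique)
            [pscustomobject]@{
                SourceIP     = $_.Name
                Drops        = $_.Count
                PortsProbed  = $ports.Count
                PossibleScan = $ports.Count -ge $PortThreshold
            }
        } | Sort-Object -Property Drops -Descending
}

Get-DroppedSourceSummary -Line $sample | Format-Table -AutoSize
# Live use: Get-DroppedSourceSummary -Line (Get-Content <path to pfirewall.log>)
```

A source that is dropped on many distinct ports in a short window looks like a scan, while repeated drops on a single port such as 3389 point to a targeted service.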


  2. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-02-24T08:40:55.97+00:00

    Hi,

    As far as I know, there is no built-in tool that can monitor any potential attacks. You may use some third-party software to monitor attacks, then use Windows Firewall to prevent external attacks. Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. It acts as a filter to block non-legitimate incoming traffic before it could enter your organization’s network to cause damage.

    For your reference:

    Best practices for configuring Windows Defender Firewall

    Best Regards,

    Candy


  3. Peter_1985 2,526 Reputation points
    2021-02-25T00:33:13.903+00:00

    Hi,
    Is it to choose "Remote assistant" below?

    How to make "Remote assistant" rule below?

    netsh advfirewall firewall add rule name="Rule L1" dir=in action=block remoteip=193.169.1.1-193.169.255.255

    Within Windows server, can we know which IP ever was attacking the server? Is there any log showing this?


  4. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-02-25T02:40:25.073+00:00

    Hi @Peter_1985 ,

    Within Windows server, can we know which IP ever was attacking the server? Is there any log showing this?

    There are no built-in tools or logs that can monitor which IP is attacking. We can only use network monitor to capture all the traffic that is flowing to and from the selected network adapters on the local computer.

    If you want to monitor your network closely at all times and identify anomalies in network traffic, third-party software may achieve your goal.

    Is it to choose "Remote assistant" below?

    Why did you mention Remote assistant? If you want to block a suspicious IP address or IP range, just use Windows Firewall to block this connection, just like the command you posted above:

    netsh advfirewall firewall add rule name="Rule L1" dir=in action=block remoteip=193.169.1.1-193.169.255.255  
    

    Best Regards,

    Candy
