RE: Trace of 139 attack?

From: H C (keydet89@yahoo.com)
Date: 07/26/01


Message-ID: <20010725224317.54730.qmail@web14609.mail.yahoo.com>
Date: Wed, 25 Jul 2001 15:43:17 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: RE: Trace of 139 attack?
To: Todd Schubert <tschubert@jorycapital.com>, "'stephen.pinto@paladion.net'" <stephen.pinto@paladion.net>, Patrik Birgersson <pbirgersson@telia.com>

Todd,

You're correct, but to support your point, it might
help a bit if you pointed out 'how' this can be done.
For example, passprop.exe allows the Administrator
account to be locked out.

K

--- Todd Schubert <tschubert@jorycapital.com> wrote:
> This is not true. The Administrator account can be locked out if too many
> incorrect passwords are entered for it.
>
> **********************************************************************
> Todd Schubert
> Information Technology Specialist
> Jory Capital Inc.
> phone: 204.925.5215
> fax: 204.942.0047
> email: tschubert@jorycapital.com
> **********************************************************************
>
>
> -----Original Message-----
> From: Stephen Pinto [mailto:stephen.pinto@paladion.net]
> Sent: Monday, July 23, 2001 5:07 PM
> To: Patrik Birgersson
> Cc: FOCUS-MS
> Subject: RE: Trace of 139 attack?
>
>
> To add to Patrik:
> 1) The administrator account cannot be locked.
> 2) Enable auditing in your policies.
> 3) Use some software (scheduler) to export your logs to some other machine or
> tape after a particular period of time, so that even if the hacker plans on
> deleting the logs he cannot do it. Best practice is to use a dot matrix
> printer to print the logs, which is a bit expensive.
> Usually if an attacker is doing a brute force on your server your logs will
> get full. The best solution is to use an IDS (Snort, which is free).
> Try a firewall like Checkpoint which has some authentication mechanism.
> Better go to www.sans.org, you will get lots of info.
>
> Regards
> Stephen Pinto
> Security Consultant
> Paladion Networks,
> E-217, Tower-3, International InfoTech Park,
> Vashi, Navi Mumbai,400703
> Ph: +91 22 7812446 / 7812450/ 7892890
> FAX: +91 22 7812140
>
>
>
>
> -----Original Message-----
> From: Patrik Birgersson [mailto:pbirgersson@telia.com]
> Sent: Wednesday, July 25, 2001 12:34 AM
> To: Eagle; focus-ms@securityfocus.com
> Subject: SV: Trace of 139 attack?
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You would like to use the Event Log.
> There's a HOWTO at:
> http://support.microsoft.com/support/kb/articles/Q300/5/49.ASP
> (URL might be wrapped).
>
> If this box of yours is a web server to the world, you should _not_
> use it as a file server with NetBIOS shares 'n stuff. Use another box
> on a private network for that.
> If your shares must be accessed from outside your office (like from
> another office or employees on the road) you should use some VPN
> solution that tunnels your NetBIOS traffic.
> NetBIOS is inherently insecure and shall _not_ be allowed from
> untrusted networks (you know - like the Internet).
>
> If the server you're talking about is an intranet server, then you
> might have a harder time disabling NetBIOS, especially if you've got
> *old* clients (like Win95/98/ME/NTW) that don't utilize Kerberos
> for authentication.
>
> However, regardless of whether the server is "inside" or "outside" and
> whether you restricted NetBIOS or not, your Security Log would fill up
> quickly if someone's bruteforcing an account. You should configure
> your machine so that it'll shut down if the security log fills up
> (this can be "dangerous" - you must of course maintain your logs
> carefully, otherwise your computer will shut down "out of the blue" one
> day). You should also apply timed account lockouts if more than 5 (3
> attempts with manual unlock if you're strict) failed login attempts
> have been made.
>
>
>
> Patrik Birgersson
>
> # Security is not a product - it is a process #
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0
>
> iQA/AwUBO13GkB+A7LF3JdzkEQKcWgCg6x++IGX8tlRbjQOxyYL0n/e2q7YAoJ3V
> qpTAJ7lBSFICAoHKct3C+Axm
> =qvIn
> -----END PGP SIGNATURE-----
>
>
>
> This e-mail and any attachments may contain confidential, privileged or
> proprietary information. If you are not the intended recipient, please
> notify the sender immediately by return e-mail, delete this e-mail (with any
> attachments) and destroy any copies. Any dissemination or use of this
> information by a person other than the intended recipient is unauthorized
> and may be illegal.
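The thread's two practical points, that a brute force against an account shows up as a run of failed logons in the Security Log, and that a lockout policy (5 failures, or 3 if strict, per Patrik; with the built-in Administrator only lockable once passprop is used, per K) is the control, are easy to reason about by replaying log lines against the policy. The script below is an added illustration, not code from any poster in this thread. It assumes a constructed export format of "timestamp, event id, account, source workstation", uses the NT4/2000 Security Log event id 529 for a logon failure, and models the Administrator exemption with an `admin_lockout` flag; the log entries themselves are made up.

```python
"""Replay failed-logon events against an account-lockout policy (added
example; the log export format and the entries are constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event id, account, source workstation.
# 529 is the NT4/2000 Security Log id for "Logon Failure: Unknown user name or
# bad password"; 528 is a successful logon. The entries are invented.
SAMPLE_LOG = """\
2001-07-25 15:40:01 529 Administrator ATTACKER01
2001-07-25 15:40:02 529 Administrator ATTACKER01
2001-07-25 15:40:03 529 Administrator ATTACKER01
2001-07-25 15:40:04 529 Administrator ATTACKER01
2001-07-25 15:40:05 529 Administrator ATTACKER01
2001-07-25 15:40:06 529 Administrator ATTACKER01
2001-07-25 15:41:00 528 tschubert WS-TODD
2001-07-25 15:42:00 529 tschubert WS-TODD
2001-07-25 16:20:00 529 tschubert WS-TODD
"""

LOGON_FAILURE = 529


def parse_line(line):
    """Split one constructed export line into a record dict."""
    date, time, event_id, account, source = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "account": account,
        "source": source,
    }


def _prune(window, now, observation):
    """Drop timestamps that fell out of the observation window."""
    while window and now - window[0] > observation:
        window.popleft()


def replay(log_text, threshold=5, observation=timedelta(minutes=30),
           admin_lockout=False):
    """Replay failed logons against a lockout policy.

    threshold     -- failures inside `observation` that lock the account
                     (the thread suggests 5, or 3 with manual unlock if strict)
    observation   -- window after which the bad-password counter resets
    admin_lockout -- False models the default where the built-in Administrator
                     is exempt; True models it being made lockable (assumption:
                     this is what the thread's passprop point changes)

    Returns (lockouts, source_alerts):
      lockouts      -- {account: time the lockout was triggered}
      source_alerts -- {source: time it reached `threshold` failures}, tracked
                       independently of the lockout policy so that a brute
                       force against a non-lockable account still surfaces.
    """
    per_account = defaultdict(deque)
    per_source = defaultdict(deque)
    lockouts, source_alerts = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event_id"] != LOGON_FAILURE:
            continue
        ts, acct, src = rec["ts"], rec["account"], rec["source"]

        # Detection view: count failures per source regardless of policy.
        src_q = per_source[src]
        _prune(src_q, ts, observation)
        src_q.append(ts)
        if len(src_q) >= threshold and src not in source_alerts:
            source_alerts[src] = ts

        # Policy view: count failures per account and lock at the threshold.
        if acct in lockouts:
            continue  # already locked; further attempts are logged, not counted
        if acct == "Administrator" and not admin_lockout:
            continue  # exempt from lockout under the default policy
        acct_q = per_account[acct]
        _prune(acct_q, ts, observation)
        acct_q.append(ts)
        if len(acct_q) >= threshold:
            lockouts[acct] = ts
    return lockouts, source_alerts


if __name__ == "__main__":
    for flag in (False, True):
        locks, alerts = replay(SAMPLE_LOG, admin_lockout=flag)
        print(f"admin_lockout={flag}: lockouts={locks} source_alerts={alerts}")
```

Run with the default policy, the Administrator account is never locked, yet the per-source counter still flags ATTACKER01 at the fifth failure, which is the reason to alert on failures per source and not only rely on lockouts. With `admin_lockout=True` the same run locks Administrator at that fifth failure, and the two tschubert failures 38 minutes apart never accumulate because the first one ages out of the 30-minute observation window.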



