FW: Trace of 139 attack?
From: owentoby@WellsFargo.COM
Date: 07/26/01
- Previous message: Piers Williams: "RE: Hacked NT/2K box"
- Maybe in reply to: Eagle: "Trace of 139 attack?"
- Next in thread: H C: "Re: FW: Trace of 139 attack?"
- Next in thread: Stephen Pinto: "FW: Trace of 139 attack?"
- Reply: H C: "Re: FW: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: owentoby@WellsFargo.COM
Message-ID: <BFCC17728801D311A6A90001FA7EA1360A7EE188@xcem-aztem-04.wellsfargo.com>
To: keydet89@yahoo.com, tschubert@jorycapital.com, stephen.pinto@paladion.net, pbirgersson@telia.com
Subject: FW: Trace of 139 attack?
Date: Thu, 26 Jul 2001 09:18:19 -0700
This is actually half-true. Passprop.exe from the NT reskit allows NETWORK
administrator logins to be locked out after 3 attempts, but it will not lock
the admin account on local logins (physical security should prevent this
attack, unless you're running terminal server, in which case all logins are
local).
Toby
-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Wednesday, July 25, 2001 3:43 PM
To: Todd Schubert; 'stephen.pinto@paladion.net'; Patrik Birgersson
Cc: FOCUS-MS
Subject: RE: Trace of 139 attack?
Todd,
You're correct, but to support your point, it might
help a bit if you pointed out 'how' this can be done.
For example, passprop.exe allows the Administrator
account to be locked out.
K
--- Todd Schubert <tschubert@jorycapital.com> wrote:
> This is not true. The Administrator account can be locked out if too many
> incorrect passwords are entered for it.
>
> **********************************************************************
> Todd Schubert
> Information Technology Specialist
> Jory Capital Inc.
> phone: 204.925.5215
> fax: 204.942.0047
> email: tschubert@jorycapital.com
> **********************************************************************
>
> -----Original Message-----
> From: Stephen Pinto
> [mailto:stephen.pinto@paladion.net]
> Sent: Monday, July 23, 2001 5:07 PM
> To: Patrik Birgersson
> Cc: FOCUS-MS
> Subject: RE: Trace of 139 attack?
>
>
> To add to Patrik:
> 1) administrator account cannot be locked
> 2) Enable auditing in your policies
> 3) Use some software (scheduler) to export your logs to some other machine or
> tape after a particular period of time, so that even if the hacker plans on
> deleting the logs he cannot do it. Best practice is to use a dot matrix
> printer to print the logs, which is a bit expensive.
> Usually if an attacker is doing a brute force on your server your logs will
> get full. The best solution is to use an IDS (Snort, which is free).
> Try a firewall like Checkpoint which has some authentication mechanism.
> Better go to www.sans.org; you will get lots of info.
>
> Regards
> Stephen Pinto
> Security Consultant
> Paladion Networks,
> E-217, Tower-3, International InfoTech Park,
> Vashi, Navi Mumbai,400703
> Ph: +91 22 7812446 / 7812450/ 7892890
> FAX: +91 22 7812140
>
>
>
>
> -----Original Message-----
> From: Patrik Birgersson
> [mailto:pbirgersson@telia.com]
> Sent: Wednesday, July 25, 2001 12:34 AM
> To: Eagle; focus-ms@securityfocus.com
> Subject: SV: Trace of 139 attack?
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You would like to use the Event Log.
> There's a HOWTO at:
> http://support.microsoft.com/support/kb/articles/Q300/5/49.ASP
> (URL might be wrapped).
>
> If this box of yours is a web server to the world, you should _not_
> use it as a file server with NetBIOS shares 'n stuff. Use another box
> on a private network for that.
> If your shares must be accessed from outside your office (like from
> another office or employees on the road) you should use some VPN
> solution that tunnels your NetBIOS traffic.
> NetBIOS is inherently insecure and shall _not_ be allowed from
> untrusted networks (you know - like the Internet).
>
> If the server you're talking about is an Intranet server, then you
> might have a harder time disabling NetBIOS, especially if you've got
> *old* clients (like Win95/98/ME/NTW) that don't utilize Kerberos
> for authentication.
>
> However, regardless of whether the server is "inside" or "outside" and
> whether you restricted NetBIOS or not, your Security Log would fill up
> quickly if someone's bruteforcing an account. You should configure
> your machine so that it'll shut down if the security log fills up
> (this can be "dangerous" - you must of course maintain your logs
> carefully, otherwise your computer will shut down "out of the blue" one
> day). You should also apply timed account lockouts if more than 5 (3
> attempts with manual unlock if you're strict) failed login attempts
> have been made.
>
>
>
> Patrik Birgersson
>
> # Security is not a product - it is a process #
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0
>
> iQA/AwUBO13GkB+A7LF3JdzkEQKcWgCg6x++IGX8tlRbjQOxyYL0n/e2q7YAoJ3V
> qpTAJ7lBSFICAoHKct3C+Axm
> =qvIn
> -----END PGP SIGNATURE-----
>
>
>
> This e-mail and any attachments may contain
> confidential, privileged or
> proprietary information. If you are not the
> intended recipient, please
> notify the sender immediately by return e-mail,
> delete this e-mail (with any
> attachments) and destroy any copies. Any
> dissemination or use of this
> information by a person other than the intended
> recipient is unauthorized
> and may be illegal.
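The thread makes two practical points that are easy to see in code: Toby's note that passprop.exe locks the Administrator account only for network logons (not console or terminal-server logons), and Patrik's and Stephen's warning that a brute-force run over port 139 fills the Security log quickly, so failures should be counted per source and the log exported off-box. The following is an added example, not code from any of the posters or from Microsoft. It runs over a constructed, simplified text export of NT Security log entries (the five-field comma layout is an assumption for this example, not the real export format); event 529 is an NT logon failure, 528 a successful logon, logon type 3 a network logon and type 2 an interactive one. It simulates the lockout policy with a configurable threshold and window, reproduces the network-only behaviour described for passprop, and flags sources with many failures so a defender can see the brute-force attempt before the log fills.

```python
"""Lockout simulation and brute-force detection over constructed NT-style
Security log entries. Added example; not part of the original thread."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (assumed layout: timestamp, event id, user,
# logon type, source workstation). Not the real NT Event Log export format.
# 529 = logon failure, 528 = successful logon; logon type 3 = network
# (e.g. SMB over port 139), logon type 2 = interactive/console.
SAMPLE_LOG = """\
2001-07-25 00:31:02,529,Administrator,3,WKS-ATTACKER
2001-07-25 00:31:03,529,Administrator,3,WKS-ATTACKER
2001-07-25 00:31:04,529,Administrator,3,WKS-ATTACKER
2001-07-25 00:31:05,529,Administrator,3,WKS-ATTACKER
2001-07-25 00:31:06,529,Administrator,3,WKS-ATTACKER
2001-07-25 00:40:00,529,Administrator,2,CONSOLE
2001-07-25 00:40:05,529,Administrator,2,CONSOLE
2001-07-25 00:40:10,529,Administrator,2,CONSOLE
2001-07-25 00:40:15,529,Administrator,2,CONSOLE
2001-07-25 00:45:00,528,jsmith,3,WKS-FINANCE
"""

LOGON_FAILURE = 529
NETWORK_LOGON = 3


def parse_events(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, source = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "logon_type": int(logon_type),
            "source": source,
        })
    return events


def simulate_lockout(events, threshold=3, window=timedelta(minutes=30),
                     network_only=True):
    """Return {user: {"time", "source"}} for accounts the policy would lock.

    network_only=True models the passprop.exe behaviour described in the
    thread: only failed network logons count; console failures are ignored.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    for ev in events:
        if ev["event_id"] != LOGON_FAILURE or ev["user"] in locked:
            continue
        if network_only and ev["logon_type"] != NETWORK_LOGON:
            continue
        recent = failures[ev["user"]]
        recent.append(ev["time"])
        while recent and ev["time"] - recent[0] > window:   # slide the window
            recent.popleft()
        if len(recent) >= threshold:
            locked[ev["user"]] = {"time": ev["time"], "source": ev["source"]}
    return locked


def brute_force_sources(events, min_failures=5):
    """Sources with at least min_failures logon failures: {source: count}."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event_id"] == LOGON_FAILURE:
            counts[ev["source"]] += 1
    return {src: n for src, n in counts.items() if n >= min_failures}


def failure_rate(events, per=timedelta(minutes=1)):
    """Peak number of logon failures inside any window of length `per`.

    A high value is the 'log fills up quickly' condition from the thread.
    """
    times = sorted(ev["time"] for ev in events if ev["event_id"] == LOGON_FAILURE)
    recent, peak = deque(), 0
    for t in times:
        recent.append(t)
        while t - recent[0] >= per:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("locked (network-only policy):", simulate_lockout(evs))
    print("locked (console included):  ", simulate_lockout(evs, network_only=False))
    print("noisy sources:", brute_force_sources(evs))
    print("peak failures per minute:", failure_rate(evs))
```

With the sample data the network-only policy locks Administrator at the third failure from WKS-ATTACKER, while the four console failures alone lock nothing unless `network_only=False`, which is exactly the gap Toby describes for terminal-server hosts. The per-source count and the peak failure rate are the signals worth shipping to another machine or a printer, as Stephen suggests, since they survive even if the local log is later cleared.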