Re: Trace of 139 attack?

From: Thor@HammerofGod.com
Date: 07/26/01


From: Thor@HammerofGod.com
To: FOCUS-MS@securityfocus.com
Message-ID: <020401c11570$02a60640$af05a8c0@anchorsign.com>
Subject: Re: Trace of 139 attack?
Date: Wed, 25 Jul 2001 18:11:55 -0700

Just to be clear for all of the faithful readers out there, passprop.exe can
be used to lock out the administrator account over network connections, but
not for interactive logons.

AD

----- Original Message -----
From: "H C" <keydet89@yahoo.com>
To: "Todd Schubert" <tschubert@jorycapital.com>;
<stephen.pinto@paladion.net>; "Patrik Birgersson" <pbirgersson@telia.com>
Cc: "FOCUS-MS" <FOCUS-MS@securityfocus.com>
Sent: Wednesday, July 25, 2001 3:43 PM
Subject: RE: Trace of 139 attack?

> Todd,
>
> You're correct, but to support your point, it might
> help a bit if you pointed out 'how' this can be done.
> For example, passprop.exe allows the Administrator
> account to be locked out.
>
> K
>
> --- Todd Schubert <tschubert@jorycapital.com> wrote:
> > This is not true. The Administrator account can be
> > locked out if too many
> > incorrect passwords are entered for it.
> >
> >
> > **********************************************************************
> > Todd Schubert
> > Information Technology Specialist
> > Jory Capital Inc.
> > phone: 204.925.5215
> > fax: 204.942.0047
> > email: tschubert@jorycapital.com
> >
> > **********************************************************************
> >
> >
> > -----Original Message-----
> > From: Stephen Pinto
> > [mailto:stephen.pinto@paladion.net]
> > Sent: Monday, July 23, 2001 5:07 PM
> > To: Patrik Birgersson
> > Cc: FOCUS-MS
> > Subject: RE: Trace of 139 attack?
> >
> >
> > To add to Patrik:
> > 1) The administrator account cannot be locked.
> > 2) Enable Auditing in your policies.
> > 3) Use some software (scheduler) to export your logs
> > to some other machine or tape after a particular
> > period of time, so that even if the hacker plans on
> > deleting the logs he cannot do it. Best practice is
> > to use a Dot Matrix printer to print the logs, which
> > is a bit expensive.
> > Usually if an attacker is doing a brute force on
> > your Server your logs will get full. The best solution
> > is to use an IDS (snort, which is free).
> > Try a Firewall like checkpoint which has some
> > authentication mechanism.
> > Better go to www.sans.org; you will get lots of info.
> >
> > Regards
> > Stephen Pinto
> > Security Consultant
> > Paladion Networks,
> > E-217, Tower-3, International InfoTech Park,
> > Vashi, Navi Mumbai,400703
> > Ph: +91 22 7812446 / 7812450/ 7892890
> > FAX: +91 22 7812140
> >
> >
> >
> >
> > -----Original Message-----
> > From: Patrik Birgersson
> > [mailto:pbirgersson@telia.com]
> > Sent: Wednesday, July 25, 2001 12:34 AM
> > To: Eagle; focus-ms@securityfocus.com
> > Subject: SV: Trace of 139 attack?
> >
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You would like to use the Event Log.
> > There's a HOWTO at:
> > http://support.microsoft.com/support/kb/articles/Q300/5/49.ASP
> > (URL might be wrapped).
> >
> > If this box of yours is a web server to the world,
> > you should _not_ use it as a file server with NetBIOS
> > shares 'n stuff. Use another box on a private network
> > for that.
> > If your shares must be accessed from outside your
> > office (like from another office or employees on the
> > road) you should use some VPN solution that tunnels
> > your NetBIOS traffic.
> > NetBIOS is inherently insecure and shall _not_ be
> > allowed from untrusted networks (you know - like the
> > Internet).
> >
> > If the server you're talking about is an Intranet
> > server, then you might have a harder time disabling
> > NetBIOS, especially if you've got *old* clients (like
> > Win95/98/ME/NTW) that don't utilize Kerberos for
> > authentication.
> >
> > However, regardless of whether the server is "inside"
> > or "outside" and whether you restricted NetBIOS or
> > not, your Security Log would fill up quickly if
> > someone's bruteforcing an account. You should
> > configure your machine so that it'll shut down if the
> > security log fills up (this can be "dangerous" - you
> > must of course maintain your logs carefully, otherwise
> > your computer will shut down "out of the blue" one
> > day). You should also apply timed account lockouts if
> > more than 5 (3 attempts with manual unlock if you're
> > strict) failed login attempts have been made.
> >
> >
> >
> > Patrik Birgersson
> >
> > # Security is not a product - it is a process #
> >
> >
> >
> >
> >
>
>



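As an added illustration of the lockout discussion in this thread (not code from any of the posters), here is a small Python model of the policy being debated: an account is locked after a threshold of failures inside a window, the built-in Administrator is exempt by default, and with a passprop-style setting only its network logon failures count while interactive failures never lock it out. The sample events, account names and parameter names are constructed assumptions, and the model is a simplification rather than Windows' own lockout implementation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records: (timestamp, account, logon type,
# source). Loosely modelled on NT "logon failure" audit entries; not real data.
SAMPLE_FAILURES = [
    ("2001-07-25 18:00:%02d" % i, "Administrator", "network", "10.0.0.5")
    for i in range(1, 7)                      # six network failures in a row
] + [
    ("2001-07-25 18:05:%02d" % i, "Administrator", "interactive", "console")
    for i in range(0, 5)                      # five failures at the console
] + [
    ("2001-07-25 18:10:00", "jdoe", "network", "10.0.0.5"),
    ("2001-07-25 18:10:01", "jdoe", "network", "10.0.0.5"),
]

def parse(rec):
    ts, account, logon_type, source = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, logon_type, source

def evaluate_lockouts(records, threshold=5, window=timedelta(minutes=30),
                      admin_network_lockout=False):
    """Simplified model of the policy discussed in the thread (an assumption,
    not Windows' own implementation): an account is locked once `threshold`
    failures fall inside `window`. The built-in Administrator is exempt unless
    admin_network_lockout is set (the passprop.exe behaviour), and even then
    only network logons count: interactive failures never lock it out."""
    recent = defaultdict(list)     # account -> timestamps of counted failures
    locked = {}                    # account -> time the lockout began
    per_source = defaultdict(int)  # source -> total failures (brute-force hint)
    for ts, account, logon_type, source in sorted(map(parse, records)):
        per_source[source] += 1
        if account == "Administrator" and (
                not admin_network_lockout or logon_type != "network"):
            continue                     # Administrator failure does not count
        if account in locked:
            continue                     # already locked; nothing more to do
        recent[account] = [t for t in recent[account] if ts - t <= window] + [ts]
        if len(recent[account]) >= threshold:
            locked[account] = ts
    return locked, dict(per_source)

if __name__ == "__main__":
    for flag in (False, True):
        locked, sources = evaluate_lockouts(SAMPLE_FAILURES, admin_network_lockout=flag)
        print("admin_network_lockout:", flag, "->", locked, sources)
```

With the default setting the six network failures never lock Administrator, matching the "cannot be locked" claim; with the passprop-style setting it locks on the fifth network failure while the console failures are still ignored, and the per-source count shows the 10.0.0.5 host hammering two accounts.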