Re: FW: Trace of 139 attack?

From: H C (keydet89@yahoo.com)
Date: 07/26/01


Message-ID: <20010726200002.63230.qmail@web14608.mail.yahoo.com>
Date: Thu, 26 Jul 2001 13:00:02 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: FW: Trace of 139 attack?
To: owentoby@WellsFargo.COM, tschubert@jorycapital.com, stephen.pinto@paladion.net, pbirgersson@telia.com

You are correct, sir.

The MS documentation says:

"Method #2: PASSPROP.EXE. This file, on the NT
Resource kit in \I386\NETADMIN, enforces a stronger
password policy. Run PASSPROP.EXE from the command
line. You have four available switches:

/simple—Restores simple passwords (NT default)

/complex—Forces passwords to have a mixture of upper
and lower-case, symbols or numbers.

/adminlockout—Allows the Administrator account to be
locked out except for interactive sessions at a Domain
Controller."

So then the question is...will it allow interactive
login lockouts for standalone servers and
workstations?

--- owentoby@WellsFargo.COM wrote:
>
>
> This is actually half-true. Passprop.exe from the
> NT reskit allows NETWORK
> administrator logins to be locked out after 3
> attempts, but it will not lock
> the admin account on local logins (physical security
> should prevent this
> attack, unless you're running terminal server, in
> which all logins are
> local).
>
> Toby
>
> -----Original Message-----
> From: H C [mailto:keydet89@yahoo.com]
> Sent: Wednesday, July 25, 2001 3:43 PM
> To: Todd Schubert; 'stephen.pinto@paladion.net';
> Patrik Birgersson
> Cc: FOCUS-MS
> Subject: RE: Trace of 139 attack?
>
>
> Todd,
>
> You're correct, but to support your point, it might
> help a bit if you pointed out 'how' this can be
> done.
> For example, passprop.exe allows the Administrator
> account to be locked out.
>
> K
>
> --- Todd Schubert <tschubert@jorycapital.com> wrote:
> > This is not true. The Administrator account can be
> > locked out if too many incorrect passwords are
> > entered for it.
> >
> > **********************************************************************
> > Todd Schubert
> > Information Technology Specialist
> > Jory Capital Inc.
> > phone: 204.925.5215
> > fax: 204.942.0047
> > email: tschubert@jorycapital.com
> > **********************************************************************
> >
> > -----Original Message-----
> > From: Stephen Pinto
> > [mailto:stephen.pinto@paladion.net]
> > Sent: Monday, July 23, 2001 5:07 PM
> > To: Patrik Birgersson
> > Cc: FOCUS-MS
> > Subject: RE: Trace of 139 attack?
> >
> >
> > To add to Patrik:
> > 1) Administrator account cannot be locked
> > 2) Enable auditing in your policies
> > 3) Use some software (scheduler) to export your logs
> > to some other machine or tape after a particular
> > period of time, so that even if the hacker plans on
> > deleting the logs he cannot do it. Best practice is
> > to use a dot matrix printer to print the logs, which
> > is a bit expensive.
> > Usually if an attacker is doing a brute force on
> > your server, your logs will get full. Best solution
> > is to use an IDS (Snort, which is free).
> > Try a firewall like Check Point which has some
> > authentication mechanism.
> > Better go to www.sans.org; you will get lots of
> > info.
> >
> > Regards
> > Stephen Pinto
> > Security Consultant
> > Paladion Networks,
> > E-217, Tower-3, International InfoTech Park,
> > Vashi, Navi Mumbai,400703
> > Ph: +91 22 7812446 / 7812450/ 7892890
> > FAX: +91 22 7812140
> >
> >
> >
> >
> > -----Original Message-----
> > From: Patrik Birgersson
> > [mailto:pbirgersson@telia.com]
> > Sent: Wednesday, July 25, 2001 12:34 AM
> > To: Eagle; focus-ms@securityfocus.com
> > Subject: SV: Trace of 139 attack?
> >
> >
> >
> > You would like to use the Event Log.
> > There's a HOWTO at:
> > http://support.microsoft.com/support/kb/articles/Q300/5/49.ASP
> > (URL might be wrapped).
> >
> > If this box of yours is a web server to the world,
> > you should _not_ use it as a file server with NetBIOS
> > shares 'n stuff. Use another box on a private network
> > for that.
> > If your shares must be accessed from outside your
> > office (like from another office or employees on the
> > road) you should use some VPN solution that tunnels
> > your NetBIOS traffic.
> > NetBIOS is inherently insecure and shall _not_ be
> > allowed from untrusted networks (you know - like the
> > Internet).
> >
> > If the server you're talking about is an Intranet
> > server, then you might have a harder time disabling
> > NetBIOS, especially if you've got *old* clients (like
> > Win95/98/ME/NTW) that don't utilize Kerberos for
> > authentication.
> >
> > However, regardless of whether the server is "inside"
> > or "outside" and whether you restricted NetBIOS or
> > not, your Security Log would fill up quickly if
> > someone's bruteforcing an account. You should
> > configure your machine so that it'll shut down if the
> > security log fills up (this can be "dangerous" - you
> > must of course maintain your logs carefully, otherwise
> > your computer will shut down "out of the blue" one
> > day). You should also apply timed account lockouts if
> > more than 5 (3 attempts with manual unlock if you're
> > strict) failed login attempts have been made.
> >
> >
> >
> > Patrik Birgersson
> >
> > # Security is not a product - it is a process #
> >
> >

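Added example, not part of the original thread: the messages above tie account lockout to a count of failed logins and note that the Administrator account is a special case, so a defender may also want to count failed network logons per account from the audit log. The record layout and sample lines are constructed; the code assumes event ID 529 is a failed logon and 528 a successful one (as on NT 4.0/2000), and that logon type 3 is network and type 2 is interactive.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log data):
# timestamp, event ID, account, logon type
SAMPLE = """\
2001-07-23 17:01:00,529,Administrator,3
2001-07-23 17:01:02,529,Administrator,3
2001-07-23 17:01:04,529,Administrator,3
2001-07-23 17:01:05,529,jsmith,3
2001-07-23 17:01:06,529,Administrator,3
2001-07-23 17:01:08,529,Administrator,3
2001-07-23 17:01:09,529,Administrator,2
2001-07-23 17:01:10,529,Administrator,3
2001-07-23 17:01:12,529,Administrator,3
2001-07-23 17:40:00,529,jsmith,3
2001-07-23 17:41:00,528,jsmith,3
"""

FAILED_LOGON = 529   # assumption: NT 4.0/2000 "unknown user name or bad password"
NETWORK_LOGON = 3    # assumption: logon type 3 = network (e.g. over port 139)

def parse(text):
    """Yield (timestamp, event_id, account, logon_type) from the constructed CSV layout."""
    for line in text.strip().splitlines():
        ts, event_id, account, logon_type = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               int(event_id), account, int(logon_type))

def find_bruteforce(records, threshold=5, window=timedelta(minutes=30)):
    """Return {account: time of first alert} for accounts with more than
    `threshold` failed network logons inside a sliding `window`."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = {}
    for ts, event_id, account, logon_type in records:
        if event_id != FAILED_LOGON or logon_type != NETWORK_LOGON:
            continue              # skip successes and interactive logons
        key = account.lower()     # account names are case-insensitive
        failures = recent[key]
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()    # drop failures that aged out of the window
        if len(failures) > threshold and key not in alerts:
            alerts[key] = ts
    return alerts

if __name__ == "__main__":
    for account, when in find_bruteforce(parse(SAMPLE)).items():
        print(f"{when}  more than 5 failed network logons for {account}")
```

The default threshold of 5 follows the "more than 5" figure in Patrik's message; pass `threshold=3` for the stricter setting he mentions.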