RE: FW: Trace of 139 attack?

From: Todd Schubert (tschubert@jorycapital.com)
Date: 07/26/01


Message-ID: <B98EFAC322E4D311AF0200E018C1F12011DC76@NT1>
From: Todd Schubert <tschubert@jorycapital.com>
To: FOCUS-MS@securityfocus.com
Subject: RE: FW: Trace of 139 attack?
Date: Thu, 26 Jul 2001 12:19:00 -0500

If you go to policies->account and set the account lockout to lock out
accounts after x incorrect login attempts, the administrator account will be
locked out for local logins from the keyboard as well as remote ones. I
just verified this again on my server. Please try it on your server before
responding that I am wrong. I am using an NT 4.0 sp6 server. I first
discovered this when I changed the administrator password but forgot to
change one of the service's passwords. The administrator account was locked
out by the services attempting to log in. The account policies affect all
accounts.

**********************************************************************
Todd Schubert
Information Technology Specialist
Jory Capital Inc.
phone: 204.925.5215
fax: 204.942.0047
email: tschubert@jorycapital.com
**********************************************************************

-----Original Message-----
From: khayman [mailto:khayman@carolina.rr.com]
Sent: Thursday, July 26, 2001 11:58 AM
To: tschubert@jorycapital.com; FOCUS-MS@securityfocus.com
Subject: Re: FW: Trace of 139 attack?

This is not correct. By _default_ the administrator account cannot be
locked out. Using the passprop util with the /adminlockout switch will
change that. The account will follow the account lockout policy for
_network_ logins, meaning it still won't lock out for local logins - at
the keyboard or through pcAnywhere, etc. Renaming the account has no
effect on these rules. Nor does it have any effect on the SID of
admin. The RID of the admin account is always 500. So your dummy admin
account is the lunch. Your real admin account is dessert. If netbios
connectivity exists, it's toast without setting lockout and auditing
your logs. Restrictanonymous has no effect on tools such as sid2user
and user2sid.

Advice: set lockout on your admin account (as people have mentioned
in this thread).

k.

>
> -----Original Message-----
> From: nobody [mailto:n0bodies@home.com]
> Sent: Thursday, July 26, 2001 9:46 AM
> To: 'Todd Schubert'
> Cc: 'FOCUS-MS'
> Subject: RE: Trace of 139 attack?
>
> Actually, the default administrator account cannot be locked out. This
> is why it's such a vulnerability. On all the machines I administer I
> rename the default administrator account and create a dummy one. An
> experienced (c/h)acker will see that they have been hammering a dummy
> account after some time and is consequently locked out. This works as
> notification and gives me and my shop some extra time to react.
>
> Brian R. Ogram
> CCNA
> ++++++++++++++++++++++++++++++++
> + "The best defense is a good offense"
> + - Mel the cook on "Alice"
> ++++++++++++++++++++++++++++++++
>
> -----Original Message-----
> From: Todd Schubert [mailto:tschubert@jorycapital.com]
> Sent: Wednesday, July 25, 2001 5:17 PM
> To: 'stephen.pinto@paladion.net'; Patrik Birgersson
> Cc: FOCUS-MS
> Subject: RE: Trace of 139 attack?
>
> This is not true. The Administrator account can be locked out if too
> many incorrect passwords are entered for it.
>
> **********************************************************************
>
> Todd Schubert
> Information Technology Specialist
> Jory Capital Inc.
> phone: 204.925.5215
> fax: 204.942.0047
> email: tschubert@jorycapital.com
> **********************************************************************
>
> -----Original Message-----
> From: Stephen Pinto [mailto:stephen.pinto@paladion.net]
> Sent: Monday, July 23, 2001 5:07 PM
> To: Patrik Birgersson
> Cc: FOCUS-MS
> Subject: RE: Trace of 139 attack?
>
> To add to Patrick:
> 1) administrator account cannot be locked
> 2) Enable Auditing in your policies
> 3) Use some software (scheduler) to export your logs to some other
> machine or tape after a particular period of time, so that even if the
> hacker plans on deleting the logs he cannot do it. Best practice is to
> use a Dot Matrix printer to print the logs, which is a bit expensive.
> Usually if an attacker is doing a brute force on your server your logs
> will get full. Best solution is to use an IDS (snort, which is free).
> Try a firewall like Checkpoint which has some authentication mechanism.
> Better go to www.sans.org, you will get lots of info.
>
> Regards
> Stephen Pinto
> Security Consultant
> Paladion Networks,
> E-217, Tower-3, International InfoTech Park,
> Vashi, Navi Mumbai,400703
> Ph: +91 22 7812446 / 7812450/ 7892890
> FAX: +91 22 7812140
>
> -----Original Message-----
> From: Patrik Birgersson [mailto:pbirgersson@telia.com]
> Sent: Wednesday, July 25, 2001 12:34 AM
> To: Eagle; focus-ms@securityfocus.com
> Subject: SV: Trace of 139 attack?
>
> You would like to use the Event Log.
> There's a HOWTO at:
> http://support.microsoft.com/support/kb/articles/Q300/5/49.ASP
> (URL might be wrapped).
>
> If this box of yours is a web server to the world, you should _not_ use
> it as file server with NetBIOS shares 'n stuff. Use another box on a
> private network for that. If your shares must be accessed from outside
> your office (like from another office or employees on the road) you
> should use some VPN solution that tunnels your NetBIOS traffic. NetBIOS
> is inherently insecure and shall _not_ be allowed from untrusted
> networks (you know - like the Internet).
>
> If the server you're talking about is an Intranet server, then you
> might have a harder time disabling NetBIOS, especially if you got
> *old* clients (like Win95/98/ME/NTW) that don't utilize Kerberos for
> authentication.
>
> However, regardless of whether the server is "inside" or "outside" and
> whether you restricted NetBIOS or not, your Security Log would fill up
> quickly if someone's bruteforcing an account. You should configure your
> machine so that it'll shut down if the security log fills up (this can
> be "dangerous" - you must of course maintain your logs carefully,
> otherwise your computer will shut down "out of the blue" one day). You
> should also apply timed account lockouts if more than 5 (3 attempts with
> manual unlock if you're strict) failed login attempts have been made.
>
> Patrik Birgersson
>
> # Security is not a product - it is a process #
>
>
> This e-mail and any attachments may contain confidential, privileged or
> proprietary information. If you are not the intended recipient, please
> notify the sender immediately by return e-mail, delete this e-mail (with
> any attachments) and destroy any copies. Any dissemination or use of
> this information by a person other than the intended recipient is
> unauthorized and may be illegal.

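Added example, not code from any poster in this thread: a small Python model of the NT 4.0 lockout rules khayman describes (the built-in Administrator keeps RID 500 under any name, never locks for local logons, and locks for network logons only once passprop /adminlockout has been run), replayed over constructed failed-logon records in the renamed-admin-plus-dummy setup Brian describes. The record format, its field names, the account names "sysop" and "Administrator" and the RID 1001 are assumptions made for this example.

```python
# Added example, not code from any poster in the thread: a small model of the
# NT 4.0 lockout rules khayman describes (the built-in Administrator is RID 500
# whatever its name, never locks for local logons, and locks for network logons
# only once "passprop /adminlockout" has been run), replayed over constructed
# failed-logon records. Record format, field names and values are constructed.
from dataclasses import dataclass

ADMIN_RID = 500  # RID of the built-in Administrator; renaming does not change it

@dataclass
class Account:
    name: str
    rid: int
    failures: int = 0
    locked: bool = False

def record_failure(acct, threshold, admin_lockout, logon_type):
    """Apply one failed logon and return whether the account is now locked.
    threshold=0 means lockout is off; admin_lockout mirrors passprop /adminlockout."""
    acct.failures += 1
    if threshold == 0 or acct.locked:
        return acct.locked
    if acct.rid == ADMIN_RID and (logon_type == "local" or not admin_lockout):
        return False  # real admin: exempt locally always, remotely unless adminlockout
    acct.locked = acct.failures >= threshold
    return acct.locked

def replay(text, threshold, admin_lockout):
    """Replay constructed 'FAIL user=.. rid=.. type=.. src=..' lines per account
    and return {name: (failures, locked, is_rid_500)} for the defender to review."""
    accounts = {}
    for line in text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split()[1:])
        acct = accounts.setdefault(ev["user"], Account(ev["user"], int(ev["rid"])))
        record_failure(acct, threshold, admin_lockout, ev["type"])
    return {a.name: (a.failures, a.locked, a.rid == ADMIN_RID) for a in accounts.values()}

# Constructed sample log: the real admin was renamed "sysop" (still RID 500) and
# a dummy account named "Administrator" (RID 1001) was created, as Brian describes.
SAMPLE_LOG = """\
FAIL user=Administrator rid=1001 type=network src=10.0.0.5
FAIL user=Administrator rid=1001 type=network src=10.0.0.5
FAIL user=Administrator rid=1001 type=network src=10.0.0.5
FAIL user=sysop rid=500 type=network src=10.0.0.5
FAIL user=sysop rid=500 type=network src=10.0.0.5
FAIL user=sysop rid=500 type=network src=10.0.0.5
FAIL user=sysop rid=500 type=local src=console
"""
```

With a threshold of 3 and no /adminlockout, only the dummy "Administrator" locks while the RID 500 account absorbs every attempt; with /adminlockout set, the network attempts lock the real admin too, and the RID 500 flag tells the reviewer which account actually matters regardless of its name.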


