Re: Is it really true that NTFS is secure?
From: George Hester (hesterloli@hotmail.com)
Date: 12/14/02
- Next message: George Hester: "Re: Is it really true that NTFS is secure?"
- Previous message: jono: "NutCracker"
- In reply to: B. Goodman: "Re: Is it really true that NTFS is secure?"
- Next in thread: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "George Hester" <hesterloli@hotmail.com> Date: Fri, 13 Dec 2002 20:13:18 -0500
Update.
The account Group got put back in the Administrator group again. I had audits going and here is the time\status in which this occurred:
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HAMID-MSLR91LJD
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: HAMID-MSLR91LJD
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HAMID-MSLR91LJD
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HAMID-MSLR91LJD
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 7:41:52 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SAVVYEM
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/13/2002
Time: 7:41:52 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SAVVYEM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SAVVYEM
This last tried to sign on with user name root, admin, test, administrator and then finally gave up. But my Guest User account is still changing to enabled and putting itself in the Administrator Group. That action I am not seeing in the Event Viewer anywhere. What can I do to catch that event? I believe I need the Guest group for IIS as IUSER_MachineName is in there. Please be detailed as I looked in Group Policy and cannot seem to find what is necessary so I can see when that event occurs and what\who is responsible. Thanks.
--
George Hester
__________________________________
"B. Goodman" <no@spam.org> wrote in message news:MPG.1863b75bd793e1759896d2@msnews.microsoft.com...
> In article <ufXDRfmoCHA.2424@TK2MSFTNGP12>, hesterloli@hotmail.com says...
> > Please understand that my machine comes up empty handed on all AV scans
> > and trojans. I need to find some way of watching when this Group Policy
> > change happens. Like a log. That tells me the time that it happened or
> > the responsible party. It doesn't show in Event Viewer.
> >
> > You know I ran a server W2K prior to this and never had this issue.
> > Started on Prof full time now and I am battling security it seems every
> > hour.
> >
> > --
> > George Hester
> > __________________________________
> > "George Hester" <hesterloli@hotmail.com> wrote in message
> > news:OwrkSZmoCHA.2424@TK2MSFTNGP12...
> > Yes you may be able to help me with something. My Guest user keeps
> > getting enabled and put in the Administrator group. How?
> >
> > --
> > George Hester
> > __________________________________
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:eleuHGkoCHA.1628@TK2MSFTNGP12...
> > > Do you have a problem we could help you with? Are there more details?
> > >
> > > What does this code have to do with NTFS? I'm sorry if your machine was
> > > exploited, though I'm not sure this has to do with NTFS.
> > >
> > > NTFS file permissions are plenty secure against remote exploits. If you
> > > have other security vulnerabilities that permit running commands as an
> > > account that has permissions in the NTFS ACLs, that's not exactly an NTFS
> > > failing.
> > >
> > > Windows 2000 configured correctly is as secure as most other operating
> > > systems configured correctly. Windows 2000 in the default install is about
> > > as un-secure as Linux in the default install, especially if you go back to
> > > Linux from the year 2000. Securing Windows 2000 is about as complex and
> > > time consuming as securing Linux, maybe even easier.
> > >
> > > More information on ways to determine how you were hacked and how to secure
> > > your computer:
> > >
> > > http://securityadmin.info/faq.htm#hacked
> > > http://securityadmin.info/faq.htm#re-secure
> I'm no expert, but I would do a few quick things:
> Enable account locking after 5 bad attempts -- Lock Forever
> Put a strong 14 character password on the guest account
> Enable some auditing, such as logon/logoff success & failure
> Expand the size of the security log to 10+ MB
>
> Review everything that runs on startup (All Users Startup group, your
> user account's Startup group,
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
>
> Try a few more spyware detection tools. Monitor your security log.
> Pull up local security policy, go to "user rights assignment" and add
> the guest account under "Deny access to this computer from the network"
> and "Deny logon locally".
>
> Of course, I'm merely making some suggestions. There is no warranty to
> my advice, express or implied. Use at your own risk. (Always have a
> backup before making changes, especially to the registry.)
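Added example, not part of the original posts: a Python script that parses records in the text layout quoted in the message above, decodes the decimal error code of event 681 as an NTSTATUS value, and lists the workstations that tried several different account names over the network (logon type 3). The workstation names and sample input are constructed, and the threshold of three names is an assumption.

```python
from collections import defaultdict

# NTSTATUS codes that event 681 prints in decimal (standard Windows values).
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_events(text):
    """Split an Event Viewer text export into one dict of fields per record."""
    events, cur = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        # A record starts at "Event Type:", or at "Event Source:" when the
        # type line is missing (as in the first record quoted in the post).
        if key in ("Event Type", "Event Source") and "Event Source" in cur:
            events.append(cur)
            cur = {}
        cur[key] = val.strip()
    if cur:
        events.append(cur)
    return events

def summarize(events):
    """Per source workstation: names tried over the network, decoded 681 codes."""
    out = defaultdict(lambda: {"users": set(), "status": set()})
    for e in events:
        if e.get("Event ID") == "529" and e.get("Logon Type") == "3":
            out[e["Workstation Name"]]["users"].add(e["User Name"].lower())
        elif e.get("Event ID") == "681":
            code = int(e["failed. The error code was"])
            out[e["from workstation"]]["status"].add(NTSTATUS.get(code, hex(code)))
    return dict(out)

def guessing_sources(summary, min_users=3):
    """Workstations that tried at least min_users different account names."""
    return sorted(w for w, s in summary.items() if len(s["users"]) >= min_users)

# Constructed sample (hypothetical workstation names), same layout as the post.
def _rec529(ws, user):
    return (f"Event Type: Failure Audit\nEvent Source: Security\nEvent ID: 529\n"
            f"User Name: {user}\nLogon Type: 3\nWorkstation Name: {ws}\n")
SAMPLE = ("Event Source: Security\nEvent ID: 681\nThe logon to account: Administrator\n"
          "from workstation: WKSTN-A\nfailed. The error code was: 3221225578\n"
          + _rec529("WKSTN-A", "Administrator")
          + "".join(_rec529("WKSTN-B", u) for u in ("root", "admin", "test", "administrator")))

if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE))
    print(summary, guessing_sources(summary))
```

The code 3221225578 shown in the 681 records is 0xC000006A, which is why the table maps it to STATUS_WRONG_PASSWORD.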