Re: Were we hacked?
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/18/02
- Next message: Karl Levinson [x y] mvp: "Re: How do I block just one port from being listened to on my server"
- Previous message: Karl Levinson [x y] mvp: "Re: Virus called "jdbgmgr.exe""
- In reply to: Jane Tunnicliff: "Re: Were we hacked?"
- Next in thread: TwistedPair: "Re: Were we hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 17 Dec 2002 21:53:57 -0500
Not exactly. While this is a good thing to do, NT will never ever ever be
secure this way. RestrictAnonymous = 1 is broken and AFAIK was not fixed
until Windows XP. Before Windows XP, user names and share names can still
be enumerated even with RestrictAnonymous = 1, unless you are using a
firewall to block Netbios, have disabled Netbios, or you have Windows 2000
that is not a domain controller so that you can use RestrictAnonymous = 2.
I'm surprised at how few people know this. I didn't know it myself until a
week ago when I started reading about it in more detail. Reading the
Microsoft articles and Hacking Exposed books makes you think that a simple
registry setting will fix this, but this is not the case.
Another common piece of misinformation is RestrictAnonymous = 2 in NT.
According to the Microsoft KB, this is not a valid setting. It might work,
I don't know, but not having an NT server or the patience to test it, I have
to assume the KB is correct and the magazine articles to the contrary are
incorrect.
Last, for XP, RestrictAnonymous=2 is no longer valid again, and there is at
least one new registry setting such as RestrictAnonymousSam which if I
remember correctly needs to be set to 0 instead of 1 for best security, and
sadly this isn't documented in the Microsoft KB and is barely mentioned
almost anywhere on the internet.
"Jane Tunnicliff" <jtunn@uwpn.org> wrote in message
news:Oro#Z9gpCHA.2728@TK2MSFTNGP10...
> You might want to read MS article Q143474 and then restrict anonymous access
> on your NT domain controllers.
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:#mxaMkgpCHA.2524@TK2MSFTNGP12...
> >
> > "paddy" <pconlon@spectrum.ie> wrote in message
> > news:04b201c2a5e6$de190d00$8df82ecf@TK2MSFTNGXA02...
> > > All our NT User Accounts were somehow all locked out at
> > > the same time last Friday. When we looked at the Event
> > > Viewer Log for our PDC there was a separate event for
> > > every account that was locked out. The Event Id was 644.
> > > The weird thing though was that the 'Caller Machine Name'
> > > was a PC name that doesn't exist on our network.
> >
> > Well, it's hard to say without more information, but I would guess that if
> > it was an attack, it was probably not successful [though it's hard to know for
> > sure]. If this attack came from the internet, your firewall would block
> > this and tell you the source. If you don't have a firewall, you need one,
> > even a free one. Without a firewall or something that does logging of IP
> > traffic, this person [if it is a hacker] probably got away without a trace.
> >
> > PS I might change your account policy on the domain to unlock all accounts
> > after, say, 15 minutes, if you haven't already.
> >
> > To see if you've been hacked, try these instructions:
> >
> > http://securityadmin.info/faq.htm#hacked
> > http://securityadmin.info/faq.htm#firewall
> > http://securityadmin.info/faq.htm#re-secure
> > http://securityadmin.info/faq.htm#harden
> >
> >
>
>
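As an added example (not part of the thread, and not code from any of the posters), here is a small Python triage script for the symptom paddy described: a burst of Event ID 644 ("User Account Locked Out") events in a short window, all carrying a Caller Machine Name that is not a known host. The log export format, the host inventory, the account names and the window/threshold values are all constructed assumptions for the example; a real NT/2000 Security log export would need its own parser.

```python
"""Triage a mass account-lockout event from an exported Security log.

Added example, not from the original thread.  The input format below is a
constructed, simplified export with one line per event:
    timestamp,event_id,target_account,caller_machine_name
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: a lockout storm from an unknown caller,
# two ordinary single lockouts, and one unrelated (non-644) event.
SAMPLE_LOG = """\
2002-12-13 09:14:02,644,alice,WS-ALICE
2002-12-13 09:14:03,644,bob,FAKEPC01
2002-12-13 09:14:03,644,carol,FAKEPC01
2002-12-13 09:14:04,644,dave,FAKEPC01
2002-12-13 09:14:04,644,erin,FAKEPC01
2002-12-13 09:14:05,644,frank,FAKEPC01
2002-12-13 09:14:05,529,bob,FAKEPC01
2002-12-13 11:40:17,644,grace,WS-GRACE
"""

# Constructed host inventory; in practice this comes from your asset list.
KNOWN_HOSTS = {"WS-ALICE", "WS-GRACE", "PDC01"}


def parse_lockouts(text):
    """Return (timestamp, target_account, caller_machine) for each 644 event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, caller = line.split(",")
        if event_id != "644":
            continue  # only lockout events matter here
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, caller))
    return events


def find_lockout_storms(events, window=timedelta(minutes=5), threshold=3):
    """Map caller machine -> max number of distinct accounts it locked out
    inside any sliding `window`, for callers reaching `threshold`."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))
    storms = {}
    for caller, items in by_caller.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {a for _, a in items[start:end + 1]}
            if len(accounts) >= threshold:
                storms[caller] = max(len(accounts), storms.get(caller, 0))
    return storms


def unknown_callers(events, known_hosts):
    """Caller machine names that do not appear in the host inventory."""
    return sorted({caller for _, _, caller in events if caller not in known_hosts})


def triage(text, known_hosts=KNOWN_HOSTS):
    """Summarise lockout storms and unknown caller machines in one pass."""
    events = parse_lockouts(text)
    return {
        "storms": find_lockout_storms(events),
        "unknown_callers": unknown_callers(events, known_hosts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed input this reports FAKEPC01 as both a storm source (five distinct accounts within seconds) and an unknown caller, while the two isolated lockouts from inventoried workstations are left alone. The caller name is taken from the event as logged, so an unknown name is a lead for correlating against firewall or other IP-level logs rather than proof of where the traffic originated.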