Re: Finding out admin username
From: NeoSadist (neos@dist)
Date: 10/13/02
- In reply to: SvS: "Finding out admin username"
- Next in thread: BloodRed: "Re: Finding out admin username"
- Reply: BloodRed: "Re: Finding out admin username"
From: "NeoSadist" <neos@dist> Date: Sun, 13 Oct 2002 10:13:18 -0600
"SvS" <sevims@olisys.com> wrote in message
news:u93Gt0ocCHA.1700@tkmsftngp10...
> Guys, I've been maintaining a couple of Windows 2000 Advanced Servers and
> using terminal services to administer them. Since terminal service is wide
> open to the internet, I decided to log the bad username/password attempts to
> it. One result really scared the hell out of me. I'm using a very unique
> administrator username (I changed the administrator account username) and
> a very unique password to it.
> I was going thru the logs today and noticed that somebody from the outer
> internet knew my admin username!!!! From the logs I can only see the
> usernames and the IP addresses of the user connecting from. I can't see what
> password he tried, but he definitely knew my admin username, which he MUST
> have extracted from somewhere. There is absolutely no way, I mean NO WAY, he
> could guess it...
> Now, I'm curious if there is a bug in my server. All the security patches,
> everything is up to date. But I guess this is not enough. Anybody have an
> idea how this might be happening?
> Thank you in advance,
>
> PS: Servers have netbios ports opened but no anonymous access is
> allowed. Shared to everyone however.
>
I'd say use a firewall, and also make sure ALL your machines' LAN Manager
setup in the local security policy is set to NTLM replies only.
Also, I'd say, if your entire network is Win2k or above, including the
server, just use TCP (no installed NetBIOS protocol) but set it to use
NetBIOS over TCP.
I'm not familiar with corporate networks, but I'd talk to Symantec and/or
read some stuff from www.sans.org's reading room.