Re: Finding out admin username
From: BloodRed (bloodred71@earthlink.spamsucks.net)
Date: 10/13/02
- Next message: Art: "Re: messenger service and source logging"
- Previous message: BloodRed: "Re: renamed computer; cannot log on"
- In reply to: NeoSadist: "Re: Finding out admin username"
- Next in thread: SvS: "Re: Finding out admin username"
- Reply: SvS: "Re: Finding out admin username"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "BloodRed" <bloodred71@earthlink.spamsucks.net> Date: Sun, 13 Oct 2002 17:49:03 GMT
Be sure the setting Neo mentioned is set, and be sure the following is
configured in the Security Options on the servers:
Network access: Allow anonymous SID/Name translation - Disabled
Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
The administrator account has a set SID no matter what you rename the
account to. If someone is able to translate the account names into the SIDs
associated with them, they'll be able to find the admin account very easily.
Then, it's just a matter of running a password crack against the account
since the local admin account can't be locked out.
-BR
"NeoSadist" <neos@dist> wrote in message
news:uqj6i62qpegbbd@corp.supernews.com...
>
> "SvS" <sevims@olisys.com> wrote in message
> news:u93Gt0ocCHA.1700@tkmsftngp10...
> > Guys, I've been maintaining couple of Windows 2000 Advanced Servers and
> > using terminal services to administer them. Since terminal service is wide
> > open to internet, I decided to log the bad username/password attempts to
> > it. One result really scared the hell out of me.. I'm using very unique
> > administrator username (I changed the administrator account username) and
> > a very unique password to it.
> > I was going thru the logs today and noticed that somebody from outer
> > internet, knew my admin username!!!!.. From the logs I can only see the
> > usernames and the IP addresses of the user connecting from. I can't see what
> > password he tried, but he definitely knew my admin username which he MUST
> > have extracted from somewhere.. There is absolutely no way, I mean NO WAY he
> > could guess it...
> > Now, I'm curious if there is a bug in my server. All the security patches
> > everything is up to date. But I guess this is not enough, Anybody have an
> > idea, how might be this happening ?
> > Thank you in advance,
> >
> > PS : Servers have netbios ports are opened but no anonymous access is
> > allowed. Shared to everyone however.
> >
> >
> >
>
> I'd say use a firewall, and also make sure ALL your machine's lan manager
> setup in the local security policy is set to NTLM replies only.
> Also, I'd say, if your entire network is win2k or above, including the
> server, just use tcp (no installed netbios protocol) but set it to use
> netbios over tcp.
> I'm not familiar with corporate networks, but I'd talk to symantec and/or
> read some stuff from www.sans.org 's reading room.
>
>
>
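
A way to check the three Security Options listed in the reply above against a server's exported policy, as an added example that is not part of the original thread. It assumes the policy was exported with `secedit /export /cfg` and decoded to text, and that the settings appear under the INF keys `LSAAnonymousNameLookup`, `RestrictAnonymous` and `RestrictAnonymousSAM`; the sample export is constructed.

```python
import configparser

# Setting name from the post -> (INF section, key, expected value).
# Key names are assumed to match what secedit writes in its export.
EXPECTED = {
    "Allow anonymous SID/Name translation":
        ("System Access", "LSAAnonymousNameLookup", "0"),
    "Do not allow anonymous enumeration of SAM accounts":
        ("Registry Values",
         r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM", "1"),
    "Do not allow anonymous enumeration of SAM accounts and shares":
        ("Registry Values",
         r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous", "1"),
}

def audit(inf_text):
    """Return {setting: problem} for every setting that is missing or wrong."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(inf_text)  # option names are matched case-insensitively
    findings = {}
    for name, (section, key, want) in EXPECTED.items():
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            # Fail closed: an absent value is reported, not assumed safe.
            findings[name] = "not set in export"
            continue
        # Registry values are exported as "<type>,<data>", e.g. "4,1".
        got = raw.split(",", 1)[-1].strip()
        if got != want:
            findings[name] = f"is {got}, expected {want}"
    return findings

# Constructed sample export: translation allowed, SAM+shares restriction off.
SAMPLE = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for setting, problem in audit(SAMPLE).items():
        print(f"FAIL  {setting}: {problem}")
```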