Re: Finding out admin username

From: "BloodRed" <bloodred71@earthlink.spamsucks.net>
Date: Sun, 13 Oct 2002 18:37:09 GMT


In the Local Security Policy MMC, highlight Local Policies->Security
Options, and in the right pane you'll see those settings. They may be
worded slightly differently; the machine I'm looking at them on is running
XP.

-BR

"SvS" <sevims@olisys.com> wrote in message
news:uRRtcXucCHA.2480@tkmsftngp10...
> Thanks a lot for the replies guys,
>
> I switched the LanManager to NTLM replies only successfully. However, I
> can't locate Network Access Policy under Security Options... or am I
> checking out the wrong location?
>
> Dmitry, nbtstat -A works from some workstations but doesn't work from
> others. I guess a small setting in the security policy disables it.
> It returns "Hostname not found" even when I enter the right IP for it.
>
> Thanks a lot.
> "BloodRed" <bloodred71@earthlink.spamsucks.net> wrote in message
> news:jmiq9.29637$OB5.2454405@newsread2.prod.itd.earthlink.net...
> > Be sure the setting Neo mentioned is set, and be sure the following is
> > configured in the Security Options on the servers:
> >
> > Network access: Allow anonymous SID/Name translation - Disabled
> > Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
> > Network access: Do not allow anonymous enumeration of SAM accounts and
> > shares - Enabled
> >
> > The administrator account has a set SID no matter what you rename the
> > account to. If someone is able to translate the account names into the
> > SIDs associated with them, they'll be able to find the admin account very
> > easily. Then, it's just a matter of running a password crack against the
> > account since the local admin account can't be locked out.
> >
> > -BR
> >
> >
> >
> > "NeoSadist" <neos@dist> wrote in message
> > news:uqj6i62qpegbbd@corp.supernews.com...
> > >
> > > "SvS" <sevims@olisys.com> wrote in message
> > > news:u93Gt0ocCHA.1700@tkmsftngp10...
> > > > Guys, I've been maintaining a couple of Windows 2000 Advanced Servers
> > > > and using terminal services to administer them. Since terminal service
> > > > is wide open to the internet, I decided to log the bad
> > > > username/password attempts to it. One result really scared the hell
> > > > out of me. I'm using a very unique administrator username (I changed
> > > > the administrator account username) and a very unique password for it.
> > > > I was going thru the logs today and noticed that somebody from the
> > > > outer internet knew my admin username!!!! From the logs I can only see
> > > > the usernames and the IP addresses the user is connecting from. I
> > > > can't see what password he tried, but he definitely knew my admin
> > > > username, which he MUST have extracted from somewhere. There is
> > > > absolutely no way, I mean NO WAY, he could guess it...
> > > > Now, I'm curious if there is a bug in my server. All the security
> > > > patches, everything is up to date. But I guess this is not enough.
> > > > Anybody have an idea how this might be happening?
> > > > Thank you in advance,
> > > >
> > > > PS: Servers have NetBIOS ports opened but no anonymous access is
> > > > allowed. Shared to everyone, however.
> > > >
> > > >
> > > >
> > >
> > > I'd say use a firewall, and also make sure ALL your machines' LAN
> > > manager setup in the local security policy is set to NTLM replies only.
> > > Also, I'd say, if your entire network is win2k or above, including the
> > > server, just use tcp (no installed netbios protocol) but set it to use
> > > netbios over tcp.
> > > I'm not familiar with corporate networks, but I'd talk to symantec
> > > and/or read some stuff from www.sans.org's reading room.
> > >
> > >
> > >
> >
> >
>
>
>
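
An added example, not part of the original posts: a Python check of the three Security Options listed in the thread, run against the text of a `secedit /export` template. The INF key names (LSAAnonymousNameLookup, RestrictAnonymousSAM, RestrictAnonymous) do not appear in the thread and are assumed to be the names written by XP-era and later exports; the sample template is constructed.

```python
import re

# Policy wording from the thread -> (assumed INF key, value matching the advice)
EXPECTED = {
    "Allow anonymous SID/Name translation: Disabled": ("lsaanonymousnamelookup", "0"),
    "Do not allow anonymous enumeration of SAM accounts: Enabled": ("restrictanonymoussam", "1"),
    "Do not allow anonymous enumeration of SAM accounts and shares: Enabled": ("restrictanonymous", "1"),
}

# Constructed sample of an exported template (real exports are UTF-16 files;
# decode them before passing the text in).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

def parse_inf(text):
    """Return {lowercased setting name: value} for the two sections we need."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section not in ("system access", "registry values") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if section == "registry values":
            key = key.rsplit("\\", 1)[-1]     # keep only the value name
            value = value.split(",", 1)[-1]   # drop the type prefix ("4," = DWORD)
        settings[key.lower()] = value.strip('"')
    return settings

def audit(text):
    """Map each policy from the thread to 'ok', 'weak' or 'not set'."""
    found = parse_inf(text)
    result = {}
    for policy, (key, want) in EXPECTED.items():
        got = found.get(key)
        result[policy] = "not set" if got is None else ("ok" if got == want else "weak")
    return result
```

A setting reported as "not set" is absent from the template, so the machine's effective value has to be confirmed in the Security Options pane rather than assumed.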


