Re: Strange Windows 2000 Security Logs
From: Richard Colbin (rcbnpubl_NO_SPA_M_@hotmail.com)
Date: 02/07/03
- Next message: Melynda Teter: "Updates for Terminal Server"
- Previous message: Jack Ryan: "Security/Login/Logoff Logs."
- In reply to: Eric Fitzgerald [MSFT]: "Re: Strange Windows 2000 Security Logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Richard Colbin" <rcbnpubl_NO_SPA_M_@hotmail.com> Date: Thu, 6 Feb 2003 22:04:00 -0300
Thank you for the recommendation. I have already changed the registry as
described in that article, and preventively restarted the server. We have
two Windows 2000 Professional computers, however, that are not connected to
the network but use a DSL connection for the Internet, too. I will make the
same registry change in them, hoping that this will block anonymous access
to the SAM database (?).
What I don't like is that this was apparently attempted from the Internet,
and not from someone in the local network. In all cases, we already changed
all administrator passwords today, for the case that this happens again.
Regards,
R. Colbin
"Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> wrote in message
news:3e4192ed$1@news.microsoft.com...
> According to NTSTATUS.H (see my post in today's thread "event id 681" for
> more information), this is STATUS_NO_SUCH_USER.
>
> So he doesn't know all your user names; he's guessing at some or he has an
> old list and is trying deleted accounts.
>
> If you check the event logs on all your other machines you'll find the
> one(s) that he's trying to access, looking for logon failure events (529)
> and lockout events (539), if you're using Account Lockout.
>
> The SAM can be enumerated anonymously. See these articles for information
> on how to disable that using the RestrictAnonymous setting: Q246261,
> Q43474. Note that setting RestrictAnonymous usually breaks interoperability
> with Windows NT 4.0 and Windows 9x.
>
> Windows XP also has a value, RestrictAnonymousSAM, which can be enabled via
> Local Security Policy.
>
> Eric
>
> --
> Eric Fitzgerald
> Program Manager, Windows Auditing and Intrusion Detection
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Richard Colbin" <rcbnpubl_NO_SPA_M_@hotmail.com> wrote in message
> news:b1r72q$has$1@ngspool-d02.news.aol.com...
> > We have Windows 2000 installed, and we do use a firewall. We are connected
> > with DSL to the Internet. Lately, however, I am getting strange errors in
> > the security Event Log of our Windows 2000 system:
> >
> > The logon to account: (all accounts in our system)
> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > from workstation: COFFELT
> > failed. The error code was: 3221225572
> >
> > This unknown "workstation", named COFFELT, apparently tries insistently, for
> > about two minutes and about twice per second, to log on to our system (?).
> > This remains registered in the Event Log as a very long list of warnings.
> > Unfortunately, it is not only "COFFELT" who appears to be attempting this.
> > The workstation name is always another one.
> >
> > What does worry me is that this unknown person knows the names of all our
> > accounts (besides the typical accounts "Administrator" and "Guest", s/he also
> > knows we have the -I would believe uncommon- account names of i.e. "PeterT",
> > "CADUser", etc.). How is it possible that s/he gained access to this type of
> > account information? Can it be blocked? Are these attempts something that we
> > should be worried about?
> >
> > Regards,
> >
> > R. Colbin
> >
> >
>
>
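An added example, not part of the original thread: a triage script for failed-logon events like the one quoted above. It converts the decimal error code to its NTSTATUS value and groups attempts by source workstation, showing the accounts tried and the attempt rate. The `timestamp|text` export layout, the workstation name HOSTB and the helper names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# NTSTATUS values from NTSTATUS.H; only STATUS_NO_SUCH_USER is named in the thread.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD"}

# Constructed sample in an assumed "timestamp|event text" export layout.
SAMPLE = """\
2003-02-06 14:00:00|The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: COFFELT failed. The error code was: 3221225572
2003-02-06 14:00:00|The logon to account: Guest by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: COFFELT failed. The error code was: 3221225572
2003-02-06 14:00:01|The logon to account: PeterT by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: COFFELT failed. The error code was: 3221225572
2003-02-06 14:00:02|The logon to account: CADUser by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: COFFELT failed. The error code was: 3221225572
2003-02-06 14:05:00|The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: HOSTB failed. The error code was: 3221225578
"""

EVENT = re.compile(
    r"The logon to account: (?P<account>\S+)\s+by: \S+\s+"
    r"from workstation: (?P<ws>\S+)\s+failed\. The error code was: (?P<code>\d+)"
)

def decode(code):
    """The event text prints the NTSTATUS as unsigned decimal; return (hex, name)."""
    value = int(code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS.get(value, "UNKNOWN")

def summarize(log_text):
    """Group failed logons by the workstation name reported in the event."""
    groups = defaultdict(lambda: {"accounts": set(), "statuses": defaultdict(int), "times": []})
    for line in log_text.splitlines():
        stamp, _, text = line.partition("|")
        m = EVENT.search(text)
        if not m:
            continue
        g = groups[m["ws"]]
        g["accounts"].add(m["account"])
        g["statuses"][decode(m["code"])[1]] += 1
        g["times"].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    report = {}
    for ws, g in groups.items():
        span = (max(g["times"]) - min(g["times"])).total_seconds()
        report[ws] = {
            "attempts": len(g["times"]),
            "accounts": sorted(g["accounts"]),
            "statuses": dict(g["statuses"]),
            # Attempts per second over the observed window (count itself if zero-length).
            "per_second": len(g["times"]) / span if span else float(len(g["times"])),
        }
    return report
```

Call `summarize()` on the exported log text; a workstation whose attempts are all STATUS_NO_SUCH_USER is submitting account names that do not exist on the machine.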