Re: Security Concern
From: Steven L Umbach (n9rou@attbi.com)
Date: 03/16/03
From: "Steven L Umbach" <n9rou@attbi.com> Date: Sun, 16 Mar 2003 01:36:27 GMT
Hi Steve. A number of things could have happened. Somebody acquired
local administrator access on that machine. Obtaining passwords can happen a
number of ways, including guessing, cracking, watching (hidden camera),
keyboard logging, network packet sniffer, social engineering, finding,
bribing, extorting, etc. Some people just are too lazy to secure their
workstations when logged on and walk away. This can happen on the local
network or from the internet if connected. Computers that are not physically
secured are at particular risk, especially if they can be booted from a
floppy, CD-ROM, etc. - there are floppy disks that can boot and crack the SAM
fairly easily. Domain controllers should be locked up, maybe even with
burglar alarms or at the very least in a secure heavy duty case that also locks
access to front and back. Your workstations should have locked cases with a
password-protected CMOS and be configured to have the hard drive first in
the boot order. W98 leaves you particularly vulnerable to packet sniffing if
they do not have Active Directory Client (free from MS) installed/enabled
along with at least SP4 on all the NT4.0 machines. W98 uses LM
authentication, which is very weak, and even a visit to an internet site can
capture the hash for cracking. You want to get all computers up to NTLMv2.
If connected to the internet, be sure to use a good SPI firewall that has
control over OUTBOUND as well as inbound access, intrusion detection, and
logging. Firewalls like this can be purchased for around $500 or less. After
you think you have your firewall configured correctly, be sure to do a port
scan from the WAN side and do that on a regular basis. You may even want to
consider personal firewalls on workstations. Enable auditing for logons,
review your password/lockout policies, keep all computers up to date as far
as security patches, take special precautions protecting/using the
administrator accounts (they cannot be locked out and never use an
administrator account for routine tasks), use an up to date virus scanning
program that can scan in and outbound emails on all computers, etc. See
various links for more info on securing/cleaning/hardening your computers
and network.
--- Steve
http://www.netscreen.com/products/appliances.html#ns5xp_xt
http://www.zywall.com/firewall_products/internet_security_gateway/zywall10.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
http://securityadmin.info/faq.htm
http://securityadmin.info/faq.htm#harden
"Steve Manswell" <sm2122@columbia.edu> wrote in message
news:034201c2eace$b320a9a0$a401280a@phx.gbl...
> Hi Everyone,
> I am a support tech for a company. It has a
> winnt4.0 domain with W2kPro and W98 clients. I recently
> discovered a strange happening. It appears that someone
> accessed our network and created a user on the local
> computer. They also placed that user in the local security
> policy under the "Access this computer from the network"
> setting. Has anyone heard of this? Does anyone know how
> it was done? And how do I prevent it?
> Thanks in advance for your response.
>
>
>
>
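An added example, not part of the original thread: one way to check who holds the "Access this computer from the network" right (SeNetworkLogonRight) is to export the local policy with `secedit /export /cfg <file>` and compare the [Privilege Rights] section against a known-good baseline. The sample export, the baseline set, the account name and the function names below are constructed for illustration.

```python
"""Flag unexpected holders of a user right in a secedit security-template export."""

NETWORK_LOGON = "SeNetworkLogonRight"  # "Access this computer from the network"

# Constructed baseline of who should hold the right (assumption; set per site).
BASELINE = {"*S-1-5-32-544", "*S-1-5-32-545"}  # Administrators, Users

# Constructed sample of an export. Real exports are usually UTF-16, so read
# them with open(path, encoding="utf-16") before passing the text in.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1007,helpdsk2
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def unexpected_holders(rights, right=NETWORK_LOGON, baseline=BASELINE):
    """Principals holding `right` that are not in the baseline (case-insensitive)."""
    allowed = {b.lower() for b in baseline}
    return [p for p in rights.get(right, []) if p.lower() not in allowed]


if __name__ == "__main__":
    for principal in unexpected_holders(parse_privilege_rights(SAMPLE_EXPORT)):
        print("not in baseline:", principal)
```

Entries starting with `*` are SIDs; a bare name in the list is an account the export could not map to a SID, and both forms are compared against the baseline as written.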