Re: Account keeps going locked out in Windows 2000 Pro SP4

From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 07/18/03


Date: Fri, 18 Jul 2003 16:38:44 GMT


       Hi Chris. You are definitely being attacked from the internet.
Somehow your Norton Firewall is misconfigured. I am not familiar with it,
but try to create rules to block ports 135 and 445 to the internet - read
the help files. If you cannot figure it out then disconnect from the
internet and try to reinstall the firewall and if it asks if you want to use
current configuration/settings, select no. Disable the guest account right
away and if you are not sharing files/printers with other computers then
disable or better yet uninstall file and print sharing on your network
adapter in network properties. As far as closed/stealth - whatever the
Norton Firewall does will work fine in your situation. Another alternative
is to go out and buy one of those forty dollar cable/dsl nat firewall
routers at Best Buy, etc - you can still use and should use the Norton
Firewall. They tend to work well for a home user and are not complicated to
set up, unlike the personal firewalls that can tend to be - but have many
more options such as rules that filter by application and outbound traffic
control. --- Steve

"Chris G" <c_granite@hotmail.com> wrote in message
news:001e01c34d47$64d65250$a401280a@phx.gbl...
> Hi,
>
> It turns out I had one of the two logs already on.
> I've looked in event viewer and I'm getting 5 attempts per
> second to log on to the guest account!
>
> The event viewer has all the events listed in pairs of two
> happening at intervals of 5 per second. An example of the
> two is as follows:
>
> (1)
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date: 18/07/2003
> Time: 16:59:32
> User: NT AUTHORITY\SYSTEM
> Computer: Jupiter
> Description:
> The logon to account: Guest
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: EDDIE-TJCBDG1JJ
> failed. The error code was: 3221226036
>
> (2)
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 539
> Date: 18/07/2003
> Time: 16:59:32
> User: NT AUTHORITY\SYSTEM
> Computer: Jupiter
> Description:
> Logon Failure:
> Reason: Account locked out
> User Name: Guest
> Domain: EDDIE-TJCBDG1JJ
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: EDDIE-TJCBDG1JJ
>
>
> I assume this means there are attempts from the internet?
>
> As I said they are happening every second and the only
> difference is the time.
>
> I have been back through the event viewer and there are
> attempts for all the accounts and different workstation
> names mentioned.
>
> I have run the security scanner on symantec and the only
> vulnerabilities are:
>
> - Port ICMP Ping is open
> - Port 135 is open
> - Port 445 is open
>
> All other ports are closed and nothing else was found to
> be at risk.
> How can I close the ports using NPF and is closed good
> enough, or do they need to be stealthed? symantec say:
>
> A closed port is visible but not open to attack. Although
> this is a safe state, a hacker can use closed ports to
> detect the existence of your computer and potentially
> target it for attack.
>
> A stealth port is safest of all. Stealth means your
> computer doesn't respond to port probes and you are
> virtually invisible to hackers scanning the Internet for
> potential targets. Although this is a very safe result, a
> stealth port may cause performance problems for some
> Internet applications.
>
>
> Do I need to stealth them all, or is closed enough? How
> do I go about either?
>
> Thanks so much for your help on this
>
> Chris
>
> >-----Original Message-----
> >Hi Chris. Great on having a firewall. I would suggest scanning it again. If
> >you get a report about netbios ports - particularly 139 or 445 being open,
> >then that could cause the problem. Enabling account log on and log on events
> >should help you find out when these attempts are happening. In the logs you
> >will see "logon type" type 2 which would mean someone is trying to log on at
> >the console. Type 3 would be an attempt to logon from the network
> >[internet]. Other types would mean a service, etc is causing the problem.
> >Also check your password policy, by default minimum password age is 0 and
> >maximum is 42. You may want to use those settings until problem is resolved.
> >You might also want to bump up your lockout count to 10 [per Microsoft
> >recommendation] and change the duration to something like 10 minutes which
> >will allow better access to the computer for users and still effectively
> >stop automated password attacks. See links for more info on security log
> >events. --- Steve
> >
> >http://is-it-true.org/nt/atips/atips57.shtml
> >http://is-it-true.org/nt/atips/atips155.shtml
> >
> >"Chris G" <c_granite@hotmail.com> wrote in message
> >news:069c01c34cfe$134aa8d0$a501280a@phx.gbl...
> >> I will try enabling the logging you talk of tonight. I
> >> have an always on internet connection, but the computer is
> >> usually switched off when there is nobody logged on to
> >> it. I have Norton Personal Firewall 2003. Is there
> >> something I can change in there to block the attempts? I
> >> have used the security scanner on the NPF website and from
> >> memory all the ports were blocked except 'ping' and
> >> something else. I can't remember the numbers I'm afraid.
> >> When I said there were no invalid login attempts I meant
> >> no attempts from the account owners. I still have the
> >> guest account set up, with the password as 'guest' also.
> >> I would have thought that if someone remotely was trying
> >> to get in they would have guessed that first of all???
> >> But this account is always locking out too. This doesn't
> >> really matter as I don't use it and could probably delete
> >> it.
> >>
> >> Chris
> >>
> >>
> >> >-----Original Message-----
> >> > I agree. Enable auditing for account log on events and log on events
> >> >success/failure on your computer via Local Security Policy. Then you can
> >> >look in Event Viewer/security for failed events to get an idea what is
> >> >happening, but I bet you have file and print sharing enabled on the network
> >> >adapter connected to the internet without a properly configured firewall. Go
> >> >here http://scan.sygatetech.com/ and do a quick scan for vulnerability of
> >> >your computer. There are many FREE [for personal use] firewalls
> >> >available. --- Steve
> >> >
> >> >http://www.webattack.com/Freeware/security/fwfirewall.shtml
> >> >http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
> >> >
> >> >
> >> >"Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> >> >news:OtInYEJTDHA.3188@tk2msftngp13.phx.gbl...
> >> >> Hi,
> >> >>
> >> >> is this computer accessible from the internet? If yes, could someone be
> >> >> trying to gain access to it over Internet (is there any Firewall installed
> >> >> to protect PC from the internet).
> >> >>
> >> >> --
> >> >> Mike
> >> >> MCSA 2K, MCSE 2K, MCT, ...
> >> >>
> >> >> "Chris G" <c_granite@hotmail.com> wrote in message
> >> >> news:034001c34c8e$34ab1480$a101280a@phx.gbl...
> >> >> > I have a home pc running win2k pro sp4 with different user
> >> >> > accounts for each member of the family. ALL the accounts
> >> >> > (including the administrator) keep going locked out. The
> >> >> > administrator account doesn't matter as it will let me log
> >> >> > on anyway, but the 'locked out' box is still ticked. This
> >> >> > happens at least once a day. I have the following
> >> >> > settings in lstart\settings\control panel\administrative
> >> >> > tools\local security policy\account policies\account
> >> >> > lockout policy:
> >> >> >
> >> >> > account lockout duration = 0
> >> >> > account lockout threshold = 5 invalid attempts
> >> >> > reset account lockout counter after = 30 minutes
> >> >> >
> >> >> > there are no invalid log on attempts, the password is
> >> >> > accepted after I unlock.
> >> >> >
> >> >> > It is driving me mad as I keep having to log on as
> >> >> > administrator to unlock the accounts
> >> >>
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
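
An added example, not part of the original thread: a small triage script for Security log text in the layout quoted above. It decodes the decimal error code from event 681 into its NTSTATUS name and reports which remote workstation names are producing bursts of Logon Type 3 failures. The sample records are constructed from the fields shown in the post; the event 529 record, the user name Chris, and the function names are assumptions for illustration.

```python
from collections import Counter

# NTSTATUS codes; Event ID 681 prints them as unsigned decimals.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample: five 681/539 pairs in one second (as described in
# the post), plus one local console failure that should not be flagged.
PAIR = """Event ID: 681
Time: 16:59:32
The logon to account: Guest
failed. The error code was: 3221226036

Event ID: 539
Time: 16:59:32
User Name: Guest
Logon Type: 3
Workstation Name: EDDIE-TJCBDG1JJ
"""
CONSOLE = ("Event ID: 529\nTime: 17:05:10\nUser Name: Chris\n"
           "Logon Type: 2\nWorkstation Name: JUPITER\n")
SAMPLE = "\n".join([PAIR] * 5 + [CONSOLE])

def parse_events(text):
    """Split on blank lines; each 'Key: value' line becomes a dict entry."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        events.append(fields)
    return events

def decode_status(decimal_text):
    """Turn the decimal error code from event 681 into hex and a name."""
    code = int(decimal_text) & 0xFFFFFFFF  # also accepts signed output
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown")

def remote_bursts(events, threshold=3):
    """Peak failures per second per (workstation, account), Logon Type 3 only."""
    per_second = Counter(
        (e.get("workstation name"), e.get("user name"), e.get("time"))
        for e in events if e.get("logon type") == "3")
    peaks = {}
    for (ws, user, _), n in per_second.items():
        if n >= threshold:
            peaks[(ws, user)] = max(n, peaks.get((ws, user), 0))
    return peaks
```

Calling `remote_bursts(parse_events(SAMPLE))` flags only the network source; the single console failure stays below the threshold and is not a Type 3 logon.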


