Re: hacking from Terminal services or some other means
From: Steven Umbach (n9rou_at_comcast.com)
Date: 09/17/03
- Next message: news.verizon.net: "unwanted intrusions"
- Previous message: Eric: "Windows 2000 server password recovery"
- In reply to: scott: "hacking from Terminal services or some other means"
- Next in thread: Scott: "Re: hacking from Terminal services or some other means"
- Reply: Scott: "Re: hacking from Terminal services or some other means"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Sep 2003 00:13:27 GMT
Zone Alarm is OK for personal computers, but I would use something more
configurable for a server, preferably a hardware device where you would open
only needed inbound access ports for mail, probably port 25 tcp for smtp and tcp
port 3389 for Terminal Services remote administration. Netgear sells a true SPI
firewall router for $80 that would be good for home and small office type
situations. If you insist on staying with a personal firewall, I like Kerio
though Sygate has better logging features. Either one could tell you the ip
address where the attacks are coming from and if it is one particular ip, you
could create a block rule and be done with it. You might want to go to
http://scan.sygatetech.com/ and check your basic firewall vulnerability. Usually
user/group information is obtained from tcp port 139, 445 being open to the
internet. If you are going to use Terminal Services for remote administration,
try to configure an inbound firewall rule for tcp 3389 to accept traffic only from
a particular ip address or ip address range that you would be using for access.
I would still enable an account lockout policy [use threshold of ten] and change
the name of the administrator account. The administrator account cannot be
locked out [unless Passprop is used to enable network lockout], and regular user
accounts would not be locked out from a user trying Terminal Services remote
administration since they do not have permissions to RDP. --- Steve
http://www.netgear.com/products/prod_details.asp?prodID=140&view=
"scott" <stesch@carsley.com> wrote in message
news:050d01c37bd6$a3ac6d30$a401280a@phx.gbl...
> Our mail server is running Windows 2000 server. When I
> look in the event viewer, I see many failed logon
> attempts. The attempts were made to all the user ids in
> the system, even the ones that we have disabled but left
> in as a user. Apparently, the hacker can see the list of
> users.
>
> I have loaded zone alarm on the computer, but it doesn't
> help, I still see the hacker trying to get in. The
> hacker seems to have a program that runs every 3 minutes
> or so to try to get in.
>
> What should I do? Is there any way to tell who the user
> is, or how to counteract this hacking?
>
> I don't want to lock out accounts after failed attempts,
> because then I will be locked out of getting into the mail
> server as well. Below are examples of 2 events out of the
> event log.
>
> Event ID: 1006
> The terminal server received large number of incomplete
> connections. The system may be under attack.
>
> Event ID: 681
> The logon to account: Administrator
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: DANIELKASSIM
> failed. The error code was: 3221225578
>
>
> Any ideas?
> Gratefully,
> Scott
>
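The thread turns on three things Steve's reply points at: which source the failures come from, whether the pattern (many accounts, disabled ones included, every few minutes) is a guessing tool rather than a user mistyping, and what a lockout threshold of ten would actually do to real accounts. The script below is an added example, not code from either poster. It works over constructed log lines in the shape of the Event ID 681 record Scott quoted (flattened to one event per line with a timestamp prefix; that layout is an assumption, as are the account names and the ADMIN-PC workstation). The decimal error code 3221225578 from the post is the NTSTATUS value STATUS_WRONG_PASSWORD (0xC000006A); the other NTSTATUS codes in the table are standard values added for illustration. One caveat a practitioner should keep in mind: the "from workstation" name in a 681 event is supplied by the connecting client, so it identifies a session, not a person or a source address; the firewall log, as Steve says, is where the IP address comes from.

```python
"""Triage of Windows 2000 'Event ID 681' failed-logon records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decimal NTSTATUS codes as they appear in the 681 event text. 3221225578 is the
# code from the post; the other three are standard values added for illustration.
NTSTATUS_NAMES = {
    3221225578: "STATUS_WRONG_PASSWORD (0xC000006A)",
    3221225572: "STATUS_NO_SUCH_USER (0xC0000064)",
    3221225586: "STATUS_ACCOUNT_DISABLED (0xC0000072)",
    3221226036: "STATUS_ACCOUNT_LOCKED_OUT (0xC0000234)",
}

# Assumed one-line layout: "<timestamp> Event ID: 681 The logon to account: ..."
EVENT_681 = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Event ID: 681 "
    r"The logon to account: (?P<account>\S+) by: (?P<package>\S+) "
    r"from workstation: (?P<workstation>\S+) failed\. "
    r"The error code was: (?P<code>\d+)$"
)


def parse_681(line):
    """Return a dict for one flattened Event ID 681 line, or None for anything else."""
    m = EVENT_681.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["code"] = int(ev["code"])
    ev["reason"] = NTSTATUS_NAMES.get(ev["code"], "unknown NTSTATUS %d" % ev["code"])
    return ev


def summarize_by_workstation(events, disabled_accounts=()):
    """Group failures by the client-supplied workstation name: attempts, accounts
    tried, disabled accounts touched, time span and the typical gap between tries."""
    disabled = {a.lower() for a in disabled_accounts}
    groups = defaultdict(list)
    for ev in events:
        groups[ev["workstation"]].append(ev)
    summary = {}
    for ws, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        accounts = {e["account"].lower() for e in evs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[ws] = {
            "attempts": len(evs),
            "accounts": sorted(accounts),
            "disabled_targeted": sorted(accounts & disabled),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
        }
    return summary


def flag_sources(summary, min_attempts=5, min_accounts=3):
    """A source that cycles through several accounts, or touches disabled ones,
    is a guessing tool, not a user mistyping a password."""
    return sorted(
        ws for ws, s in summary.items()
        if s["attempts"] >= min_attempts
        and (len(s["accounts"]) >= min_accounts or s["disabled_targeted"])
    )


def lockout_impact(events, threshold=10, window=timedelta(minutes=30)):
    """Accounts a lockout policy of `threshold` failures within `window` would have
    locked. Administrator is skipped: as the reply notes, it is not locked out
    unless Passprop enables network lockout."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["account"].lower()].append(ev["ts"])
    locked = set()
    for acct, times in by_acct.items():
        if acct == "administrator":
            continue
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked.add(acct)
                break
    return sorted(locked)


def constructed_sample_log():
    """Constructed sample modelled on the events in the post (not real log data):
    one source cycling five accounts every 3 minutes, plus one genuine typo."""
    accounts = ["Administrator", "scott", "jdoe", "backup", "guest"]  # jdoe is disabled
    fmt = ("{ts} Event ID: 681 The logon to account: {acct} by: "
           "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: {ws} failed. "
           "The error code was: {code}")
    lines = ["2003-09-17 00:00:00 Event ID: 1006 The terminal server received "
             "large number of incomplete connections. The system may be under attack."]
    t0 = datetime(2003, 9, 17, 0, 0, 0)
    for i in range(12):
        acct = accounts[i % len(accounts)]
        code = 3221225586 if acct == "jdoe" else 3221225578
        ts = (t0 + timedelta(minutes=3 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(fmt.format(ts=ts, acct=acct, ws="DANIELKASSIM", code=code))
    lines.append(fmt.format(ts="2003-09-17 00:05:00", acct="scott",
                            ws="ADMIN-PC", code=3221225578))
    return lines


def triage(lines, disabled_accounts=("jdoe",)):
    """Parse, summarize, flag, and report what a threshold-of-ten policy would lock."""
    events = [e for e in (parse_681(l) for l in lines) if e]
    summary = summarize_by_workstation(events, disabled_accounts)
    return {"events": len(events), "summary": summary,
            "flagged": flag_sources(summary), "would_lock": lockout_impact(events)}


if __name__ == "__main__":
    for k, v in triage(constructed_sample_log()).items():
        print(k, v)
```

On the constructed data the one cycling source is flagged (twelve tries across five accounts, one of them disabled, a steady 180-second gap), while the single failure from ADMIN-PC is not, and a threshold of ten within 30 minutes locks nobody: at one try per three minutes spread over five accounts, no single account reaches ten failures in the window, which is the practical basis for Steve's advice that a lockout policy need not lock out the administrator doing remote administration.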