Re: hacking from Terminal services or some other means

From: Scott (stesch_at_carsley.com)
Date: 09/17/03


Date: Wed, 17 Sep 2003 07:59:07 -0700


Steve, Jack, and Wutsitallabout,
Thank you for all your suggestions!! It has been very
helpful!

Could I bother to ask you one other question?
Where would I go to configure the ports to accept certain
IP addresses? Would this be in the Network settings under
TCP/IP? I see that I can do something with the ports
there, but I'm not quite sure if that is the right spot.
Could you confirm?
Thanks so much!!
Scott

>-----Original Message-----
>Zone Alarm is OK for personal computers, but I would use something more
>configurable for a server, preferably a hardware device where you would open
>only needed inbound access ports for mail, probably port 25 tcp for smtp and tcp
>port 3389 for Terminal Services remote administration. Netgear sells a true SPI
>firewall router for $80 that would be good for home or small office type
>situations. If you insist on staying with a personal firewall, I like Kerio
>though Sygate has better logging features. Either one could tell you the ip
>address where the attacks are coming from and if it is one particular ip, you
>could create a block rule and be done with it. You might want to go to
>http://scan.sygatetech.com/ and check your basic firewall vulnerability. Usually
>user/group information is obtained from tcp port 139, 445 being open to the
>internet. If you are going to use Terminal Services for remote administration,
>try to configure inbound firewall rule for tcp 3389 to accept traffic only from
>a particular ip address or ip address range that you would be using for access.
>I would still enable an account lockout policy [use threshold of ten] and change
>the name of the administrator account. The administrator account can not be
>locked out [unless Passprop is used to enable network lockout], and regular user
>accounts would not be locked out from a user trying Terminal Services remote
>administrations since they do not have permissions to RDP. --- Steve
>
>http://www.netgear.com/products/prod_details.asp?prodID=140&view=
>
>
>"scott" <stesch@carsley.com> wrote in message
>news:050d01c37bd6$a3ac6d30$a401280a@phx.gbl...
>> Our mail server is running Windows 2000 server. When I
>> look in the event viewer, I see many failed logon
>> attempts. The attempts were made to all the user ids in
>> the system, even the ones that we have disabled but left
>> in as a user. Apparently, the hacker can see the list of
>> users.
>>
>> I have loaded zone alarm on the computer, but it doesn't
>> help, I still see the hacker trying to get in. The
>> hacker seems to have a program that runs every 3 minutes
>> or so to try to get in.
>>
>> What should I do? Is there any way to tell who the user
>> is, or how to counteract this hacking?
>>
>> I don't want to lockout accounts after failed attempts,
>> because then I will be locked out of getting into the mail
>> server as well. Below are examples of 2 events out of the
>> event log.
>>
>> Event ID: 1006
>> The terminal server received large number of incomplete
>> connections. The system may be under attack.
>>
>> Event ID: 681
>> The logon to account: Administrator
>> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> from workstation: DANIELKASSIM
>> failed. The error code was: 3221225578
>>
>>
>> Any ideas?
>> Gratefully,
>> Scott
>>
>
>
>.
>
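Added example, not part of the original thread: a small triage script for Event ID 681 records in the text form quoted above. It decodes the decimal error code to its NTSTATUS name and lists source workstations that failed against several distinct accounts. The function names and the threshold are hypothetical, and every sample record except the first (copied from the post) is constructed.

```python
import re
from collections import defaultdict

# Standard NTSTATUS values; Event 681 logs them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Matches one Event 681 description as it appears in the quoted event log text.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def decode_status(decimal_code):
    """Map the decimal error code to an NTSTATUS name, or hex if unknown."""
    code = int(decimal_code)
    return NTSTATUS.get(code, "0x%08X" % code)

def parse_events(text):
    """Return one dict per Event 681 record found in the exported text."""
    return [
        {"account": m["account"], "workstation": m["workstation"],
         "status": decode_status(m["code"])}
        for m in EVENT_681.finditer(text)
    ]

def suspicious_sources(events, min_accounts=3):
    """Workstations that failed against at least min_accounts distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e["workstation"]].add(e["account"].lower())
    return {ws: sorted(a) for ws, a in accounts.items() if len(a) >= min_accounts}

RECORD = ("Event ID: 681\nThe logon to account: {}\n"
          "by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "from workstation: {}\nfailed. The error code was: {}\n\n")
SAMPLE = "".join(RECORD.format(*r) for r in [
    ("Administrator", "DANIELKASSIM", 3221225578),  # record from the post
    ("jsmith", "DANIELKASSIM", 3221225586),         # constructed
    ("backup", "DANIELKASSIM", 3221225572),         # constructed
    ("scott", "ADMIN-PC", 3221225578),              # constructed
])

if __name__ == "__main__":
    print(suspicious_sources(parse_events(SAMPLE)))
```

The error code in the post, 3221225578, is 0xC000006A (wrong password for an existing account), while 0xC0000064 would indicate a guessed user name that does not exist.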


