Re: Apparent NetBIOS Attack - How Dangerous?
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 12/13/04
- In reply to: Thomas: "Apparent NetBIOS Attack - How Dangerous?"
- Next in thread: Karl Levinson, mvp: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Reply: Karl Levinson, mvp: "Re: Apparent NetBIOS Attack - How Dangerous?"
Date: Sun, 12 Dec 2004 21:28:58 -0700
Aside from failing to use a firewall, you possibly do not have policies set
so that you Do not allow anonymous enumeration of SAM accounts and shares.
This allows a remote to easily list out your account names and groups,
and attracts further effort due to the appearance of an easy meal.
The anonymous enumeration settings can be found in the security
setting options of the local security policy, although slightly differently
worded depending on OS version.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Thomas" <email@isin.my.message.com> wrote in message
news:cpira1$hjp$1@ngspool-d02.news.aol.com...
> I have been noticing, after checking Windows 2000's Event Viewer's security
> protocol, that some individual (from the Internet) is attempting to log into
> our computer. The attempts --fortunately all failed, so far-- start
> occurring a few minutes after I establish a PPPoE Internet connection, and
> cease after some time. When the attacks begin, they occur for several
> minutes, sometimes every two or three seconds, sometimes every 10-60
> seconds, sometimes just once or twice.
>
> In the Event Viewer, the alerts look like the following one:
>
> The logon to account: <Local account name here>
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: 0WEWCKG1
> failed. The error code was: 3221225578
>
> The error type is 681.
>
> Strangely, the individual basically uses every account available in our
> system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
> then the user attempts to login with one or more of these accounts. How is
> it possible that our full account list is known to someone on the Internet?
>
> As the login attempts occur after packets are sent to local port 137
> (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
> won't stop. The user still obtains our account list, and the failed logins
> still appear on the Event Viewer security protocol.
>
> What can be done in order to remedy this situation? If the subject discovers
> the password for one account, would it be possible for him to eventually
> "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
> that instance, how much access does he actually have, and how much damage
> can he do? In advance, I appreciate any information you can provide.
>
> Regards,
>
> Thomas
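
An added example, not part of the original thread: the error code 3221225578 in the quoted event is the decimal form of NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD), which is returned only when the account name exists. The Python sketch below decodes event 681 text and separates, per source workstation, real account names from guessed ones. The function names, the `EXAMPLE-PC` workstation and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# The decimal "error code" in event 681 is an NTSTATUS value.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",        # 3221225572: name does not exist
    0xC000006A: "STATUS_WRONG_PASSWORD",      # 3221225578: name exists, bad password
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",  # 3221226036
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\.\s*The error code was:\s*(?P<code>\d+)")

# Constructed sample events in the layout quoted in the message above.
# EXAMPLE-PC and the accounts "guest1"/"test" are made up for contrast.
_TEXT = ("The logon to account: {0}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
         "from workstation: {1}\nfailed. The error code was: {2}")
SAMPLE_EVENTS = [_TEXT.format(*row) for row in [
    ("Administrator", "0WEWCKG1", 3221225578), ("Peter", "0WEWCKG1", 3221225578),
    ("Thomas", "0WEWCKG1", 3221225578), ("Jane", "0WEWCKG1", 3221225578),
    ("guest1", "EXAMPLE-PC", 3221225572), ("test", "EXAMPLE-PC", 3221225572),
    ("Administrator", "EXAMPLE-PC", 3221225578)]]

def parse_681(text):
    """Return account, workstation and decoded status for one event, or None."""
    m = EVENT_681.search(text)
    if m is None:
        return None
    code = int(m["code"])
    return {"account": m["account"], "workstation": m["workstation"],
            "status": NTSTATUS.get(code, "0x%08X" % code)}

def summarize(events, min_accounts=3):
    """Per source workstation, separate real account names from guessed ones."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in filter(None, map(parse_681, events)):
        seen[ev["workstation"]][ev["status"]].add(ev["account"])
    report = {}
    for ws, by_status in seen.items():
        valid = sorted(by_status.get("STATUS_WRONG_PASSWORD", ()))
        unknown = sorted(by_status.get("STATUS_NO_SUCH_USER", ()))
        # Several real names and no misses suggests the account list was
        # enumerated beforehand rather than guessed.
        report[ws] = {"valid": valid, "unknown": unknown,
                      "names_known": len(valid) >= min_accounts and not unknown}
    return report

if __name__ == "__main__":
    for ws, info in summarize(SAMPLE_EVENTS).items():
        print(ws, info)
```

A source that only ever produces STATUS_WRONG_PASSWORD across several accounts matches the pattern described in the question, where every existing account is tried and none is missed.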