Solved

Block domains/pc-names to login w2k

Posted on 2003-12-03
316 Views
Last Modified: 2013-12-04
Windows 2000 Advanced Server. No domain, but a workgroup. Some 20 users.
Someone outside seems able to get our user list. We have changed usernames, but somehow the new usernames seem to be known within a short time.
Now he is trying to log in using each username from the list with some kind of password generator.
The policy is set up to lock after 5 failed login attempts.
A couple of times each day each user is accessed with the generator until all the users are locked. Or, worst case, a password is found!
From the event logs I can see his/her domain name and PC name. Trying to catch his IP is useless as different IPs are being used.

Is there a way to allow only known domains or PC names to log in and therefore block the unknown?
Or does someone know a tool to block someone for a long time whenever he makes a certain number of successive failed login attempts?

Appreciate anyone's help
Herman
Question by:Twillert
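The question asks for a tool that blocks a source after a run of failed logons rather than locking the target account. What follows is an added example, not part of this thread and not anything Windows ships: it takes already-parsed Windows 2000 Security-log failure audits (event 529, "unknown user name or bad password"; event 539, "account locked out") and counts them per source domain and workstation name, the two fields Herman says he can see, then decides when to block that source. The domain, workstation and account names, timestamps and thresholds are all constructed; the pattern it models is the one described above, one machine walking the whole user list until every account is locked.

```python
"""Per-source logon-failure detection for Windows 2000 Security-log audits.

Added example, not part of the thread.  Event IDs 529 (logon failure: unknown
user name or bad password) and 539 (logon failure: account locked out) are the
Windows 2000/XP/2003 failure-audit IDs; the domain, workstation and account
names, timestamps and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE_IDS = {529, 539}

# Constructed user list: in the thread the attacker already has a copy of it.
ACCOUNTS = ["herman", "anna", "bert", "carla", "dirk"]


def sample_events(lockout_threshold=5):
    """Constructed log: workstation HACKBOX (domain EVIL) walks the user list,
    sends `lockout_threshold` bad passwords per account (each one a 529), gets
    one 539 once the account is locked, then moves to the next name.  One typo
    from the office PC ANNA-PC is mixed in as a benign source."""
    t = datetime(2003, 12, 3, 2, 14, 0)
    events = []
    for user in ACCOUNTS:
        for n in range(lockout_threshold + 1):
            t += timedelta(seconds=3)
            events.append({"time": t,
                           "event_id": 529 if n < lockout_threshold else 539,
                           "user": user, "domain": "EVIL",
                           "workstation": "HACKBOX", "logon_type": 3})
    events.append({"time": t + timedelta(minutes=2), "event_id": 529,
                   "user": "anna", "domain": "OFFICE",
                   "workstation": "ANNA-PC", "logon_type": 2})
    return events


class SourceBlocker:
    """Per-account lockout (what the asker already has) caps tries per user;
    this caps tries per *source* instead: once a (domain, workstation) pair
    produces `threshold` failures inside `window`, it is blocked for
    `block_for`, however many different accounts it spread them over."""

    def __init__(self, threshold=10, window=timedelta(minutes=10),
                 block_for=timedelta(days=1)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent = defaultdict(deque)   # source -> timestamps inside window
        self.total = defaultdict(int)      # source -> failures seen overall
        self.targets = defaultdict(set)    # source -> accounts it tried
        self.blocked_until = {}            # source -> block expiry

    @staticmethod
    def source_of(ev):
        return (ev["domain"].upper(), ev["workstation"].upper())

    def is_blocked(self, src, now):
        return src in self.blocked_until and now < self.blocked_until[src]

    def observe(self, ev):
        """Feed one parsed audit record.  Returns (source, blocked_until) when
        this event triggers a new block, else None."""
        if ev["event_id"] not in LOGON_FAILURE_IDS:
            return None
        src, now = self.source_of(ev), ev["time"]
        self.total[src] += 1
        self.targets[src].add(ev["user"].lower())
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold and not self.is_blocked(src, now):
            self.blocked_until[src] = now + self.block_for
            return src, self.blocked_until[src]
        return None


def run(events, blocker=None):
    """Replay events in time order; return the block decisions and a
    per-source summary (failure count, distinct accounts tried, block expiry).
    A source that hit many accounts with few tries each is the spray pattern
    that per-account lockout alone never catches."""
    blocker = blocker or SourceBlocker()
    decisions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        decision = blocker.observe(ev)
        if decision:
            decisions.append(decision)
    report = {src: {"failures": blocker.total[src],
                    "accounts": sorted(blocker.targets[src]),
                    "blocked_until": blocker.blocked_until.get(src)}
              for src in blocker.total}
    return decisions, report


if __name__ == "__main__":
    decisions, report = run(sample_events())
    for src, until in decisions:
        print("block %s\\%s until %s" % (src[0], src[1], until))
    for src, info in sorted(report.items()):
        print(src, info)
```

On the constructed input the sprayer is blocked on its 10th failure, after the first two accounts, while ANNA-PC's single typo never gets near the threshold. Two caveats for anyone turning this into a real tool: the domain and workstation names in a 529 event are supplied by the client, so an attacker can change them as freely as Herman says he changes IPs, which is why the decision should ultimately feed a firewall rule on the connecting address rather than a name; and the per-account lockout should stay in place, since the two thresholds catch different things.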
Expert Comment

by:cheeba12
ID: 9867685
So is this person getting access through Remote Access? If you don't have any external users, ensure that none of them have dial-up access. Or go with a firewall or a router, even a simple one, since you do have that many users.

Cheeba
Expert Comment

by:charade-you-are
ID: 9953352
Well, first I would make sure that the users have passwords that are not in a dictionary; this is always a good idea.

ex.

d00b@d1sb@d

With a password like that you could set the account lockout to something like 50 and lock it for less time, and probably never have a problem.

Another good idea is to look through your securities: change "everyone" to "authenticated users".

What type of incoming connections do you need? Do people need to log in remotely?

If you use Remote Desktop to log in, may I suggest locking down all connections except for one PC. At that location set up restrictions to all but 1 login (if lots of users use Remote Desktop to get in, this will not fit your needs).

Also, if you are using 2000 Advanced Server, why not dcpromo?
Expert Comment

by:charade-you-are
ID: 9953361
Remote Desktop is port 3389, by the way. Get some router logs and see what port the users are logging in on.
Accepted Solution

by:Rich Rumble (earned 125 total points)
ID: 9965166
First, there are a ton of details we'll need, but I'll try to be general.
Now, you asked how he's getting your usernames: easily. Many, many tools are out there for this; one of the first was (well, it worked the best)
http://www.hammerofgod.com/download.htm    userdump. An even easier way, and one built into Windows, is the management console. Right-click My Computer, go to Manage, then right-click "Computer Management (Local)", then "Connect to another computer..." and enter the IP or name in the line... tada! If you're not locked down, or missing certain Windows patches, you can list them all right there; sometimes you have to create a session first, but that's easy, the scanning tools today do that for you. I recommend you scan yourself with GFI LANguard Network Scanner; it's free for 30 days and will tell you most everything that this person is able to see. That way you'll know where to start fixing.

You need a firewall. I recommend ZoneAlarm for a software solution (the cheapest of my suggestions) and a Cisco PIX hardware firewall, and almost equal to the PIX a Linux box; it doesn't have to be very special, a 333 P3 with 256 MB RAM would be more than enough for a dedicated FW. You also need antivirus software; Norton and McAfee are great products. If they do get in and install trojan software, then you may never know without AV! With a firewall, you can allow ONLY the known good users and deny everything else. The way you know them is by IP address. ZoneAlarm will do an excellent job for you in this case. It's easy to use, you practically click everything... it does take some initial work when it's first set up, but all firewalls do. ZoneAlarm can also deny access to applications; it's very useful, please explore it.

Failing you being able, or willing, to obtain a firewall solution, then you need to restrict anonymous sessions: http://www.securityfocus.com/infocus/1352
Please read that thoroughly; it's very well said. Restrict anonymous 2 might break your ability to connect, so please test.

One of your built-in friends in Windows 2000/XP is the security policy snap-in. On the Run line type:
secpol.msc
expand Local Policies
                   highlight "Security Options"
Restrict anonymous is the first setting. Right-click it, Policy, and in the drop-down select "Do not allow enumeration of SAM accounts and shares". This is restrict anon 1 (2 is "No access without explicit..."). BTW, some tools can bypass restrict anon 1, so experiment with anon 2.
You may also want to enable "Do not display last user name in logon screen"; I think it's the 15th or 16th one... (I assume people are Terminal Servicing into this box, another detail we need ;)
Also read this (Prevent Windows from Storing a LAN Manager hash, a weak weak hash):
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q299/6/56.asp&NoWebContent=1

You can change the Terminal Services port, HOWEVER you will have to change a setting on each person's PC that you want to allow into the TS server.
Read this:
http://support.microsoft.com/default.aspx?scid=187623  (I do recommend trying it, but if you have someone new come along that needs to connect, be sure you remember to do this for them ;)

Now, Windows password hashes suck; I can crack them faster than *nix, BSD, DES, 3DES etc. The algorithm is 20 years old, created by IBM; then in like '98 M$ modified it to be case sensitive, and even that is weak. A dictionary attack is a sure bet for most people, and Purdue's FTP server has some great lists. John the Ripper is the fastest at LanMan and NTLM; L0phtCrack is a Windows-only application, it hasn't been ported to another OS, and Windows is slow. Obtaining the SAM database is also pretty easy, especially if your users have ADMIN privs on that server. If this guy gets into one account, then uses Pwdump3e.exe, he'll have the database with all your users in it, along with names. Never give users ADMIN unless they need it. Have them use RUNAS and let them know of an account with admin privs. Read about run-as:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/runas.asp (you can also highlight an icon and hold Shift, then right-click the icon on your desktop to do this)

Security isn't a program, it's a process.... never ever stop saying this :)
I recommend you read the Hacking Exposed series of books. Whew, that's a lot of typing.... good luck... Google will help you out if my instructions aren't detailed enough...

In summary:
Scan yourself   http://www.gfisoftware.com/lannetscan/
also http://www.microsoft.com/downloads/details.aspx?FamilyID=9a88e63b-92e3-4f97-80e7-8bc9ff836742&DisplayLang=en
Apply the patches you need.
Get a firewall, and at the very least an antivirus solution.

Look into this thread for the strongest passwords (I agree with Neosporin): Alt+255 (users however are not that bright, so not recommended; read carefully and test for yourself, Alt+255 can't be passed by very many apps)
http://www.experts-exchange.com/Security/Win_Security/Q_20545241.html

Wow... GL!

Expert Comment

by:Rich Rumble
ID: 9965179
Jesus, forgot a very important one... restrict the registry: go to Services and stop the "Remote Registry Service", then set it to Disabled... very important.