Block domains/pc-names to login w2k

Posted on 2003-12-03
Medium Priority
Last Modified: 2013-12-04
Windows 2000 Advanced Server. No domain but workgroup. Some 20 users.
Someone outside seems able to get our user list. We have changed usernames, but somehow the new usernames seem to be known in a short time.
Now he is trying to log in using each username from the list using some kind of password generator.
The policy is set up to lock after 5 failed login attempts.
A couple of times each day each user is accessed with the generator until all the users are locked. Or, worst case, finding a password!
From the event logs I can see his/her domain name and PC name. Trying to catch its IP is useless as different IPs are being used.

Is there a way to allow only known domains or PC names to log in and therefore block the unknown?
Or does someone know a tool to block someone for a long time whenever he does a certain number of successive failed login attempts?

Appreciate anyone's help
Question by:Twillert
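The pattern described in the question (one source working through every username until the 5-strike lockout trips) is easy to spot in the Security log once failures are grouped by source workstation rather than by IP. The script below is an added example, not something from the thread: it parses a constructed export of Windows 2000 logon-failure events (event 529), counts failures per source domain\workstation and per account, flags workstation names that are not on an assumed allowlist of the workgroup's own machines, and reports which sources have pushed accounts past the lockout threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a Security-log export for this example, modelled on
# event 529 (logon failure): time, event id, account, domain\workstation.
SAMPLE_LOG = """\
2003-12-03 08:01:10 529 alice WORKGROUP\\PC-ALICE
2003-12-03 08:01:14 528 alice WORKGROUP\\PC-ALICE
2003-12-03 09:14:00 529 alice EVILDOM\\ATTACKBOX
2003-12-03 09:14:01 529 alice EVILDOM\\ATTACKBOX
2003-12-03 09:14:02 529 alice EVILDOM\\ATTACKBOX
2003-12-03 09:14:03 529 alice EVILDOM\\ATTACKBOX
2003-12-03 09:14:04 529 alice EVILDOM\\ATTACKBOX
2003-12-03 09:14:05 529 bob EVILDOM\\ATTACKBOX
2003-12-03 09:14:06 529 bob EVILDOM\\ATTACKBOX
2003-12-03 09:14:07 529 bob EVILDOM\\ATTACKBOX
2003-12-03 09:14:08 529 bob EVILDOM\\ATTACKBOX
2003-12-03 09:14:09 529 bob EVILDOM\\ATTACKBOX
"""

# Workstations the workgroup actually owns (assumed list for this example).
KNOWN_WORKSTATIONS = {"PC-ALICE", "PC-BOB", "SERVER01"}
LOCKOUT_THRESHOLD = 5  # the account-lockout policy stated in the question
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)\\(\S+)$")

def parse_failures(text):
    """Yield (account, domain, workstation) for each event-529 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "529":
            yield m.group(3), m.group(4), m.group(5)

def analyse(text, known=KNOWN_WORKSTATIONS, threshold=LOCKOUT_THRESHOLD):
    """Per source domain\\workstation: total failures, accounts targeted,
    accounts driven to the lockout threshold by this source alone, and
    whether the workstation name is not one of ours."""
    per_source = defaultdict(Counter)
    for account, domain, ws in parse_failures(text):
        per_source[f"{domain}\\{ws}"][account] += 1
    findings = {}
    for source, counts in per_source.items():
        ws = source.split("\\", 1)[1]
        findings[source] = {
            "failures": sum(counts.values()),
            "accounts_targeted": len(counts),
            "accounts_locked": sum(1 for n in counts.values() if n >= threshold),
            "unknown_host": ws not in known,
        }
    return findings

def suspects(findings):
    """Sources to block at the firewall: unknown hosts, or any source that
    has locked at least one account."""
    return sorted(s for s, f in findings.items()
                  if f["unknown_host"] or f["accounts_locked"] > 0)
```

Run `suspects(analyse(SAMPLE_LOG))` to get the list of source names; on a real export the log format will differ, so adjust LINE_RE to the columns your export produces.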

Expert Comment

ID: 9867685
So is this person getting access through Remote Access? If you don't have any external users, ensure that none of them have dial-up access. Or go with a firewall or a router, a simple one even, since you do have that many users.


Expert Comment

ID: 9953352
Well, first I would make sure that the users have passwords that are not in a dictionary; this is always a good idea.

With a password like that you could set the account lockout to like 50 and lock it for less time and probably never have a problem.

Another good idea is to look through your securities - change "everyone" to "authenticated users".

What type of incoming connections do you need? Do people need to log in remotely?

If you use Remote Desktop to log in, may I suggest locking down all connections except for at one PC. At that location set up restrictions to all but 1 login (if lots of users use Remote Desktop to get in, this will not fit your needs).

Also, if you are using 2000adv server, why not dcpromo?

Expert Comment

ID: 9953361
Remote Desktop is port 3389, by the way. Get some router logs and see what port the users are logging in on.

Accepted Solution

Rich Rumble earned 500 total points
ID: 9965166
First, there are a ton of details we'll need, but I'll try to be general.
Now you asked how he's getting your usernames: easily. Many, many tools are out there for this; one of the first was (well, it worked the best)
http://www.hammerofgod.com/download.htm userdump. An even easier way, and one built into Windows, is the management console. Right-click My Computer, go to Manage, then right-click "Computer Management (Local)", then "Connect to another computer..." and enter the IP or name in the line... tada! If you're not locked down, or missing certain Windows patches, you can list them all right there. Sometimes you have to create a session first, but that's easy; the scanning tools today do that for you. I recommend you scan yourself with GFI LANguard Network Scanner; it's free for 30 days and will tell you most everything that this person is able to see. That way you'll know where to start fixing.

You need a firewall. I recommend ZoneAlarm for a software solution (the cheapest of my suggestions) and the Cisco PIX hardware firewall, and almost equal to the PIX a Linux box; it doesn't have to be very special, a 333 P3 with 256 RAM would be more than enough for a dedicated FW. You also need antivirus software; Norton and McAfee are great products. If they do get in and install trojan software, then you may never know without AV! With a firewall you can allow ONLY the known good users and deny everything else. The way you know them is by IP address. ZoneAlarm will do an excellent job for you in this case. It's easy to use, you practically click everything... it does take some initial work when it's first set up, but all firewalls do. ZoneAlarm can also deny access to applications; it's very useful, please explore it.

Failing you being able, or willing, to obtain a firewall solution, then you need to restrict anonymous sessions. http://www.securityfocus.com/infocus/1352
Please read that thoroughly, it's very well said. Restrict anonymous 2 might break your ability to connect, please test.

One of your built-in friends in Windows 2000/XP is the security policy snap-in. On the run line type:
expand Local Policies
highlight "Security Options"
Restrict anonymous is the first setting; right-click it, Policy, and in the drop-down select "Do not allow enumeration of SAM accounts and shares". This is restrict anon 1 (2 is no access without explicit...). BTW, some tools can bypass restrict anon 1, so experiment with anon 2.
You may also want to enable "Do not display last user name in logon screen"; I think it's the 15th or 16th one... (I assume people are Terminal Servicing into this box, another detail we need ;)
Also read this (Prevent Windows from Storing a LAN Manager hash, a weak, weak hash).

You can change the Terminal Services port; HOWEVER, you will have to change a setting on each person's PC that you want to allow in to the TS server.
Read this:
http://support.microsoft.com/default.aspx?scid=187623 (I do recommend trying it, but if you have someone new come along that needs to connect, be sure you remember to do this for them ;)

Now, Windows password hashes suck; I can crack them faster than *nix, BSD, DES, 3DES etc. The algorithm is 20 years old, created by IBM; then in like '98 M$ modified it to be case sensitive, and even that is weak. A dictionary attack is a sure bet for most people, and Purdue's FTP server has some great lists. John the Ripper is the fastest at LanMan and NTLM; L0phtCrack is a Windows-only application, it hasn't been ported to another OS, and Windows is slow. Obtaining the SAM database is also pretty easy, especially if your users have ADMIN privs on that server. If this guy gets in on one account, then uses pwdump3e.exe, he'll have the database with all your users in it, along with names. Never give users ADMIN unless they need it. Have them use RUNAS and let them know of an account with admin privs. Read run-as:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/runas.asp (you can also highlight an icon and hold Shift, then right-click the icon on your desktop to do this)

Security isn't a program, it's a process.... never ever stop saying this :)
I recommend you read the Hacking Exposed series of books. Whew, that's a lot of typing.... good luck... Google will help you out if my instructions are very detailed enough...

In summary:
Scan yourself: http://www.gfisoftware.com/lannetscan/
also http://www.microsoft.com/downloads/details.aspx?FamilyID=9a88e63b-92e3-4f97-80e7-8bc9ff836742&DisplayLang=en
Apply the patches you need.
Get a firewall, or at the very least an antivirus solution.

Look into this thread for the strongest passwords (I agree with Neosporin): Alt+255 (users however are not that bright, so not recommended; read carefully and test for yourself, Alt+255 can't be passed by very many apps).

wow... GL!


Expert Comment

by:Rich Rumble
ID: 9965179
Jesus, forgot a very important one... restrict the registry. Go to Services, stop the "Remote Registry Service" and then set it to Disabled... very important.
