
hacker extracting usernames 1

Status
Not open for further replies.

BadDog

MIS
Aug 19, 1999
166
US
I brought a new NT 4 server online and someone has extracted the usernames and is attempting to access them. I had this happen before on another machine and fixed the problem. I can't remember what the process they are using is called, though, so I can look up the fix. I have applied all the security updates etc., but I assume there is one more I need. Does anyone know what the process is called? I want to say it had the word anonymous or reverse in it, but my memory is sketchy. The last time I looked at this was two years ago. Thanks.
 
I found this, and I hope this is what my problem is. If anyone has any thoughts let me know:

Q. How can I restrict access to objects from Anonymous accounts?

A. It is possible to restrict the ability to list domain user names and enumerate share names available to anonymous logon users (also known as NULL session connections). If you feel this is a security risk, Service Pack 3 for Windows NT 4.0 introduces a new option to stop anonymous users listing users and shares.

To enable this perform the following:

Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
From the Edit menu select New - DWORD value and enter a name of RestrictAnonymous if it does not already exist
Double click the value and set to 1. Click OK
Reboot the computer
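As an added example, not part of the thread or of the FAQ quoted above: a PowerShell script that audits and, where needed, sets the LSA values controlling what a null session may enumerate. It assumes a Windows XP/2003 or later host with PowerShell, run from an elevated prompt (NT 4.0 itself has no PowerShell and knows only RestrictAnonymous 0 or 1, set by hand as the FAQ describes). The function and variable names are mine; RestrictAnonymousSAM and EveryoneIncludesAnonymous are the later-Windows values that complement the FAQ's RestrictAnonymous setting.

```powershell
# Added example (not from the thread or the quoted FAQ). Audits and, if needed, sets the LSA
# values that control what an anonymous (null session) connection can enumerate.
# Assumes: Windows XP/2003 or later with PowerShell, run from an elevated prompt.
# NT 4.0 SP3 itself only has RestrictAnonymous = 0 or 1, set by hand as the FAQ describes.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened targets. RestrictAnonymous=1 is the FAQ's setting (value 2 exists from Windows 2000 on);
# the other two values exist on XP/2003 and later.
$expected = [ordered]@{
    RestrictAnonymous         = 1   # no listing of user and share names over a null session
    RestrictAnonymousSAM      = 1   # no anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous is not a member of Everyone
}

function Get-AnonymousAccessStatus {
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $current = $props.$name      # $null when the value has never been created
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Expected  = $expected[$name]
            Compliant = ($null -ne $current -and [int]$current -eq $expected[$name])
        }
    }
}

function Set-AnonymousAccessHardened {
    foreach ($name in $expected.Keys) {
        # -Force creates the DWORD if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $lsaKey -Name $name -PropertyType DWord `
            -Value $expected[$name] -Force | Out-Null
    }
}

$before = Get-AnonymousAccessStatus
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-AnonymousAccessHardened
    Write-Host 'LSA values updated; reboot for the change to take effect.'
    Get-AnonymousAccessStatus | Format-Table -AutoSize
}
```

To confirm the change from a second machine, open a null session with `net use \\SERVER\IPC$ "" /user:""` and then run `net view \\SERVER`; once RestrictAnonymous is in force the listing is refused. One caveat for NT 4.0: RestrictAnonymous=1 blocks the user and share enumeration calls but not SID lookups, so tools that walk SIDs (sid2user-style) over the same null session can still recover account names. Windows 2000 added the value 2 to close that path, at the price of breaking some down-level trust and browsing scenarios.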
 
Thanks, BadDog.

Starting last Friday my Windows NT 4.0 email server has been locking out accounts due to failed login attempts from unknown servers. The first night they tried to get in it was \\VTSERVER but followup attempts used other names. It's behind a firewall where the only open ports are a few for email purposes.

I'm sure someone's trying to hack in, so I've reduced the number of invalid login attempts from 5 to 3 before it locks out the account.

How are they able to enumerate several of the account names in the Administrative Tools' Users module? Surely they don't pick them blindly out of a hat... Well, I guess your solution answers that question. [wink] Only now they've already got the user account names!

How much were they able to see on the server?

I read somewhere that Microsoft said "best practices" was to move the powerful utilities such as edit.com, cmd.exe, net.exe, regedt32.exe and others from the WinNT/System32 folder to a uniquely named other folder. Awkward, but better security. Naturally, I can't find that article on their site anymore, so I don't know if that applies to ALL types of servers including email servers or just web servers. [mad] Any suggestions are welcome!

thread55-842533 close unused ports - done long time ago!
 
I don't think they actually get to see anything but the usernames, so even though they already have the list of usernames they are now limited to a brute force attack on the known names. Since you have set max invalid logon attempts to 3 you should be okay, unless the hacker has unlimited time to pick away at it. I think I set the lockout period for a fairly significant period of time to stretch it out even longer (2 hour lockout). Also, changing the passwords now and then will obviously slow things down a bit. Of course, now that you have the hole plugged you could also change the compromised usernames.
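As an added example, not code from anyone in the thread: a PowerShell script that parses the output of `net accounts`, checks the lockout policy against the settings discussed above (lockout after 3 bad attempts, 2 hour lockout), and builds the `net accounts` command that applies them. The `net accounts` layout shown is a constructed sample in the format the command prints on NT 4.0 through current Windows; the function names and thresholds are mine, and the script assumes a host with PowerShell.

```powershell
# Added example (not from the thread). Parses `net accounts` output, scores the lockout policy
# against the thread's recommendation (3 attempts, 120 minutes) and prints the fix command.
# Function names and thresholds are mine; assumes a Windows host with PowerShell.

# Constructed sample of `net accounts` output. On a live host use: $text = net accounts | Out-String
$sampleNetAccounts = @"
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
"@

function ConvertFrom-NetAccounts {
    param([string]$Text)
    $policy = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Each line is "Label:   value" separated by a variable run of spaces.
        if ($line -match '^(.*?):\s+(\S.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    $policy
}

function Test-LockoutPolicy {
    param(
        [hashtable]$Policy,
        [int]$MaxThreshold = 3,          # lock the account after this many bad attempts
        [int]$MinDurationMinutes = 120   # keep it locked at least this long
    )
    $thresholdText = $Policy['Lockout threshold']
    # "Never" means lockout is disabled: unlimited guesses against the enumerated names.
    $threshold = if ($thresholdText -eq 'Never') { 0 } else { [int]$thresholdText }
    $duration  = [int]$Policy['Lockout duration (minutes)']
    $window    = [int]$Policy['Lockout observation window (minutes)']

    $findings = @()
    if ($threshold -eq 0) {
        $findings += 'Lockout is disabled; an attacker gets unlimited attempts.'
    } elseif ($threshold -gt $MaxThreshold) {
        $findings += "Threshold $threshold is above the wanted maximum of $MaxThreshold."
    }
    if ($duration -lt $MinDurationMinutes) {
        $findings += "Duration $duration min is below the wanted minimum of $MinDurationMinutes."
    }

    [pscustomobject]@{
        Threshold   = $threshold
        Duration    = $duration
        Window      = $window
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
        # net accounts requires duration >= observation window, so the window is set to match.
        Remediation = "net accounts /lockoutthreshold:$MaxThreshold " +
                      "/lockoutduration:$MinDurationMinutes /lockoutwindow:$MinDurationMinutes"
    }
}

$policy = ConvertFrom-NetAccounts -Text $sampleNetAccounts
$result = Test-LockoutPolicy -Policy $policy
$result | Format-List
```

Against the sample above the script reports a threshold of 5 and a 30 minute duration as non-compliant and prints the `net accounts` line to run. Two caveats go with a tight lockout policy: once an attacker has the account names, the same policy lets them lock every enumerated user out on purpose, so watch for a sudden burst of lockouts as well as for guessing; and on NT 4.0 the built-in Administrator account is not subject to lockout unless it is enabled with the Resource Kit's `passprop /adminlockout`, so that account depends entirely on its password.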
 
It's been a few days since I created that registry key to stop anonymous identities from enumerating my user accounts. My Windows NT 4.0 servers are still being probed but there are no more hacker cracking attempts against my user accounts. Sure, they're still trying common defaults such as Admin, Administrator, Guest and others, but not my local user accounts. Possibly it's a simple hacker program, otherwise some enterprising hacker would save any discovered user accounts for later attempts.

Lesson 1: Never assume obscure default settings are the "best practices".

Lesson 2: Never assume obscure default settings are the "best practices".

Lesson 3: Never assume obscure default settings are the "best practices".

dbMark
 
I wrote up this information as faq55-5557. Too bad NT 4.0 is considered obsolete, but I must admit Windows 2000 Server and Windows 2003 Server are so much better. Of course many will keep on using NT 4.0 for many more years.
 