Apparent NetBIOS Attack - How Dangerous?

Tags:
  • Event Viewer
  • Windows
December 13, 2004 1:29:10 AM

Archived from groups: microsoft.public.win2000.security

I have been noticing, after checking Windows 2000's Event Viewer's security
protocol, that some individual (from the Internet) is attempting to log into
our computer. The attempts --fortunately all failed, so far-- start
occurring a few minutes after I establish a PPPoE Internet connection, and
cease after some time. When the attacks begin, they occur for several
minutes, sometimes every two or three seconds, sometimes every 10-60
seconds, sometimes just once or twice.

In the Event Viewer, the alerts look like the following one:

The logon to account: <Local account name here>
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: 0WEWCKG1
failed. The error code was: 3221225578

The error type is 681.

Strangely, the individual basically uses every account available in our
system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
then the user attempts to login with one or more of these accounts. How is
it possible that our full account list is known to someone on the Internet?

As the login attempts occur after packets are sent to local port 137
(NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
won't stop. The user still obtains our account list, and the failed logins
still appear on the Event Viewer security protocol.

What can be done in order to remedy this situation? If the subject discovers
the password for one account, would it be possible for him to eventually
"login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
that instance, how much access does he actually have, and how much damage
can he do? In advance, I appreciate any information you can provide.

Regards,

Thomas
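Two things in the event text Thomas quotes can be read off automatically. The decimal error code 3221225578 is NTSTATUS 0xC000006A, STATUS_WRONG_PASSWORD, which Windows 2000 logs when the account name was valid and only the password did not match (a non-existent account gives 0xC0000064, STATUS_NO_SUCH_USER), so the failures themselves confirm that the account names were already known. And one workstation name cycling through several accounts within a few minutes is the pattern to alert on. The following Python is an added example, not code from the thread; it assumes a one-event-per-line export with a timestamp prefix (constructed below), which is not the Event Viewer's own multi-line layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values that appear (in decimal) in the "error code" field of
# Windows 2000 event 681.  3221225578 from the post is 0xC000006A.
NTSTATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",     # account exists, bad password
    0xC0000064: "STATUS_NO_SUCH_USER",       # account name does not exist
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

def decode_status(code):
    """Map the decimal code from the event to its NTSTATUS name."""
    return NTSTATUS_NAMES.get(code, "0x%08X" % code)

# Constructed one-event-per-line layout (timestamp, event id, message); the
# real Event Viewer shows the message over several lines.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 681 "
    r"The logon to account: (?P<account>\S+) "
    r"by: (?P<package>\S+) "
    r"from workstation: (?P<workstation>\S+) "
    r"failed\. The error code was: (?P<code>\d+)$"
)

def parse_event(line):
    """Return a dict for one event-681 line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "account": m.group("account"),
        "workstation": m.group("workstation"),
        "code": code,
        "status": decode_status(code),
    }

def find_spray(lines, window=timedelta(minutes=5), min_accounts=3):
    """Flag workstations whose failed logons touch at least `min_accounts`
    distinct accounts inside any `window`.  Returns {workstation: accounts}."""
    by_ws = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_ws[ev["workstation"]].append(ev)
    hits = {}
    for ws, events in by_ws.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            seen = {e["account"] for e in events[start:end + 1]}
            if len(seen) >= min_accounts:
                hits[ws] = sorted({e["account"] for e in events})
                break
    return hits

# Constructed sample: the burst Thomas describes, plus one unrelated failure.
SAMPLE_LOG = """\
2004-12-12 23:41:02 681 The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 23:41:05 681 The logon to account: Peter by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 23:41:09 681 The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 23:42:30 681 The logon to account: Jane by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 23:50:00 681 The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: HOMEPC failed. The error code was: 3221225578
not an event line
"""

if __name__ == "__main__":
    for ws, accounts in find_spray(SAMPLE_LOG.splitlines()).items():
        print("%s tried %d accounts: %s" % (ws, len(accounts), ", ".join(accounts)))
```

The window and account threshold are the knobs to tune; the HOMEPC line in the sample shows that a single mistyped password from one machine is not reported.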


Anonymous
December 13, 2004 1:29:11 AM


Aside from failing to use a firewall, you possibly do not have the policy set
so that you do not allow anonymous enumeration of SAM accounts and shares.
This allows a remote user to easily list out your account names and groups,
and attracts further effort due to the appearance of an easy meal.
The anonymous enumeration settings can be found in the security options of
the local security policy, although they are slightly differently worded
depending on OS version.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Thomas" <email@isin.my.message.com> wrote in message
news:cpira1$hjp$1@ngspool-d02.news.aol.com...
Anonymous
December 13, 2004 6:34:05 AM


Are you using a firewall such as a personal firewall or a hardware device,
even a cheap NAT router? If not, then you need one, and yes, they could
connect if they discovered a user's password if you do not have a properly
configured firewall. Windows 2000 will still use port 445 TCP for file and
print sharing if NBT is disabled. It is trivial to obtain user account and
group info [not passwords] via a null session if you are not using a
firewall. Go to a site such as http://scan.sygatetech.com/ to do a self-scan
assessment to see if any vulnerabilities are found. I would also make sure
that your computer is current with critical updates from Windows Update and
is using a virus scan program that can monitor the computer in real time, is
current with virus definition files [they change almost daily], and scans
all emails. If you have not done so, do a full virus scan on your computer
and also scan for parasites with AdAware SE, as your chance of infection is
high from your description of what is going on. If infections are found, do
not connect to the internet until a firewall is in place and properly
configured. The link below is for personal firewalls that are free for
personal use, such as Zone Alarm, which is fairly easy for novices to
configure, though I always prefer a hardware device such as a NAT router as
the first line of defense. --- Steve

http://www.microsoft.com/athome/security/protect/defaul... -- Protect
your pc tips.
http://www.snapfiles.com/Freeware/security/fwfirewall.h...
http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
detection and removal tool.
http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
in .zip file.

"Thomas" <email@isin.my.message.com> wrote in message
news:cpira1$hjp$1@ngspool-d02.news.aol.com...
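Steve's point that disabling NBT leaves 445/TCP open can be checked on the host itself with `netstat -an`. The script below is an added example, not code from the thread or from any Microsoft tool; it parses that output format and flags NetBIOS/SMB sockets bound to a non-loopback address. The netstat text embedded in it is constructed to show a Windows 2000 host after NetBIOS over TCP/IP has been disabled: ports 137, 138 and 139 are gone, 445 is still listening.

```python
import re

# The ports this thread is about.  Disabling NBT removes 137/UDP, 138/UDP and
# 139/TCP; 445/TCP is direct-hosted SMB (Windows 2000 and later) and stays.
NBT_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
SMB_DIRECT_PORTS = {("TCP", 445)}

# One `netstat -an` socket line: proto, local addr:port, foreign addr, state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line.
    UDP lines carry no state column, so state is '' for them."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, blanks, banner text
        proto, addr, port, _foreign, state = m.groups()
        yield proto, addr, int(port), state or ""

def exposed_smb_listeners(text):
    """Return the set of (proto, port) for NetBIOS/SMB sockets bound to a
    non-loopback address and, for TCP, in LISTENING state."""
    exposed = set()
    for proto, addr, port, state in parse_netstat(text):
        if addr.startswith("127."):
            continue                      # loopback only, not reachable
        if proto == "TCP" and state != "LISTENING":
            continue                      # an established flow, not a listener
        key = (proto, port)
        if key in NBT_PORTS or key in SMB_DIRECT_PORTS:
            exposed.add(key)
    return exposed

def report(text):
    """Human-readable findings, one line each."""
    exposed = exposed_smb_listeners(text)
    lines = []
    if exposed & NBT_PORTS:
        lines.append("NetBIOS over TCP/IP still listening: %s"
                     % sorted(exposed & NBT_PORTS))
    if exposed & SMB_DIRECT_PORTS:
        lines.append("Direct-hosted SMB on 445/TCP still reachable: "
                     "disabling NBT alone does not close it")
    if not exposed:
        lines.append("No NetBIOS/SMB listeners on external addresses")
    return lines

# Constructed `netstat -an` output for a host with NBT disabled.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1031        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

Run it against real `netstat -an` output to see whether the step Thomas took (disabling NBT) actually removed the listeners, and which one it necessarily left behind.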
Anonymous
December 13, 2004 11:25:59 AM


... for more information on how to secure this and what can break at the
various settings, go to www.nsa.gov/snac and download the Windows 2000 Group
Policy guide (I think it's the third document) and search it for
"restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
though it doesn't block all enumeration; it just blocks some details from
being seen. Restrictanonymous=2 is only safe if you have no Windows 9x, ME or
NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000;
for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
if you need more information on XP and 2003 settings.

More information on why this happens and what can be seen is at
www.securityfriday.com. There is a presentation / article on NetBIOS null
sessions, and the free getacct tool lets you see what the hackers can see.

I concur that it sounds like you have no firewall or a misconfigured
firewall, and you should not be surprised that hackers can get into your
domain controllers. Windows is not secure until you secure it.
www.microsoft.com/technet/security, www.nsa.gov/snac and
www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.


"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
December 13, 2004 6:46:50 PM


Thank you for your comments and links. It is interesting to see how much
information (and eventually, access!) others can obtain with NetBIOS.

Fortunately, I finally managed the problem by setting a fixed IPSec policy
to block all incoming and outgoing TCP and UDP packets through all
NetBIOS/SMB-related ports. Since then, I have not noticed any further login
attempts, so it seems that IPSec's 'firewall' is working. I still notice
that the individuals are trying to get the account list, this time without
success.

I will read the NSA security configuration guides. For now, at least, the
NetBIOS problem seems to be taken care of.

Regards,

Thomas

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:o vwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
Anonymous
December 13, 2004 6:46:51 PM


This may seem semantical/pedantic, but IPsec is *not* a firewall. It cannot
make stateful decisions on connection-specific information like a firewall
can.

It makes decisions on permit/deny based on filters, not on ports/protocols
and their state.

This is why it is considered "best practice" to use IPsec with a host based
firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
the best of both feature sets. Look for a feature called "Authenticated
Bypass" if you want to know more about the beauty of this approach.




"Thomas" <email@isin.my.message.com> wrote in message
news:cpko3t$lvl$1@ngspool-d02.news.aol.com...
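Steve Clark's distinction between IPsec filtering and a stateful firewall, and the cost of the block-everything IPsec policy Thomas described in his previous post, can be made concrete with a small model. The Python below is an added illustration, not any vendor's implementation: `ipsec_filter` applies a stateless per-packet rule of the kind Thomas configured, `StatefulFirewall` is a toy connection tracker, and the three packets are constructed. It shows that the stateless rule has to block the host's own outbound SMB sessions to stay safe, because it has no way to tell a legitimate reply from an unsolicited inbound packet, whereas the stateful firewall permits the reply only because it remembered the outbound SYN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the network) or "out" (from this host)
    proto: str          # "TCP" or "UDP"
    remote_ip: str
    local_port: int
    remote_port: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

SMB_PORTS = {139, 445}

def ipsec_filter(pkt):
    """Stateless IPsec-style filter as Thomas set it up: every TCP/UDP packet
    that touches an SMB port, in either direction, is blocked.  The filter
    sees one packet at a time, so it cannot know whether an inbound packet
    from port 445 answers a session this host opened or is unsolicited."""
    if pkt.proto in ("TCP", "UDP") and (
            pkt.local_port in SMB_PORTS or pkt.remote_port in SMB_PORTS):
        return "BLOCK"
    return "PERMIT"

class StatefulFirewall:
    """Toy connection tracker: remembers outbound TCP connection attempts
    and permits only their replies; unsolicited inbound traffic to SMB
    ports is blocked."""
    def __init__(self):
        self.table = set()   # (remote_ip, remote_port, local_port)

    def decide(self, pkt):
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            if pkt.proto == "TCP" and pkt.syn and not pkt.ack:
                self.table.add(key)          # this host is opening a session
            return "PERMIT"
        if key in self.table:
            return "PERMIT"                  # reply to a session we opened
        if pkt.local_port in SMB_PORTS:
            return "BLOCK"                   # unsolicited inbound SMB
        return "PERMIT"

def compare(packets):
    """Run one packet sequence through both filters.
    Returns [(label, ipsec_decision, stateful_decision), ...]."""
    fw = StatefulFirewall()
    return [(label, ipsec_filter(p), fw.decide(p)) for label, p in packets]

# Constructed traffic: an unsolicited inbound SMB connection attempt, then
# this host opening an SMB session to a file server and receiving its reply.
SCENARIO = [
    ("unsolicited inbound SYN to 445",
     Packet("in", "TCP", "198.51.100.7", 445, 1043, syn=True)),
    ("host opens SMB to file server",
     Packet("out", "TCP", "192.0.2.20", 1044, 445, syn=True)),
    ("file server's SYN/ACK reply",
     Packet("in", "TCP", "192.0.2.20", 1044, 445, syn=True, ack=True)),
]

if __name__ == "__main__":
    print("%-34s %-8s %s" % ("packet", "ipsec", "stateful"))
    for label, a, b in compare(SCENARIO):
        print("%-34s %-8s %s" % (label, a, b))
```

Both filters stop the first packet. The difference is the second and third: the stateless rule blocks the host's own session and its reply, which is exactly why Thomas's policy closes NetBIOS/SMB for outbound use as well, and why the reply recommends pairing IPsec with a host firewall when the machine does need to reach shares.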
December 13, 2004 6:53:56 PM


Thank you for your reply. That the computer may be infected with some sort
of trojan passed my mind. I performed a full system scan for viruses,
trojans, etc. Fortunately, the scan didn't find anything critical.

It seems like I overestimated Windows 2000's default security. I have since
added some IPSec port filters in order to take care of the NetBIOS problem.

Regards,

Thomas

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:N48vd.561658$D%.181906@attbi_s51...
December 13, 2004 11:23:40 PM


"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:%23vyECfV4EHA.1396@tk2msftngp13.phx.gbl...

> This may seem semantical/pedantic, but IPsec is *not* a firewall. It cannot
> make stateful decisions on connection-specific information like a firewall
> can.

Thank you for clarifying. That is the reason why I used quotation marks for
'firewall'.

> This is why it is considered "best practice" to use IPsec with a host based
> firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
> the best of both feature sets. Look for a feature called "Authenticated
> Bypass" if you want to know more about the beauty of this approach.

We currently do not need a firewall for this particular (Windows 2000)
workstation, as it is not connected to the server (which I believe does use
a software firewall). Only NetBIOS ports need to be relatively secure.

Regards,

Thomas

Anonymous
December 14, 2004 3:43:32 AM

Windows 2000 does not have a built in firewall like Windows 2003 does and
can be very vulnerable when connected directly to the internet. Ipsec is a
good stop gap measure. If you are not using file and print sharing on that
particular computer [or at least on an external adapter] it would be wise to
disable it, at least on adapters that do not use it. Another possibility is
to enable tcp/ip filtering for TCP only with no ports listed if that
computer does not need to be accessed in any way. Tcp/ip filtering for TCP
is stateful, but UDP is not and dns client will fail to resolve names. Glad
to hear you have made steps to secure the computer. --- Steve


"Thomas" <email@isin.my.message.com> wrote in message
news:cpkoh0$mdb$1@ngspool-d02.news.aol.com...
> Thank you for your reply. That the computer may be infected with some sort
> of trojan passed my mind. I performed a full system scan for viruses,
> trojans, etc. Fortunately, the scan didn't find anything critical.
>
> It seems like I overestimated Windows 2000's default security. I have since
> added some IPSec port filters in order to take care of the NetBIOS problem.
>
> Regards,
>
> Thomas
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:N48vd.561658$D%.181906@attbi_s51...
>> Are you using a firewall such as a personal firewall or a hardware device -
>> even a cheap NAT router?? If not, then you need one and yes they could
>> connect if they discovered a user's password if you do not have a properly
>> configured firewall. Windows 2000 will still use port 445 TCP for file and
>> print sharing if NBT is disabled. It is trivial to obtain user accounts and
>> groups info [not passwords] if you are not using a firewall via a null
>> session. Go to a site such as http://scan.sygatetech.com/ to do a self
>> scan assessment to see if any vulnerabilities are found. I would also make
>> sure that your computer is current with critical updates from Windows
>> Updates and is using a virus scan program that can monitor the computer in
>> live time, is current with virus definition files [they change almost daily],
>> and scans all emails. If you have not done so, do a full virus scan on
>> your computer and also for parasites with AdAware SE as your chance of
>> infection is high from your description of what is going on. If infections
>> are found, do not connect to the internet until a firewall is in place and
>> properly configured. The link below is for free for personal use personal
>> firewalls such as Zone Alarm that is fairly easy for novices to configure
>> though I always prefer a hardware device such as a NAT router as the first
>> line of defense. --- Steve
>>
>> http://www.microsoft.com/athome/security/protect/defaul... -- Protect
>> your pc tips.
>> http://www.snapfiles.com/Freeware/security/fwfirewall.h...
>> http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
>> detection and removal tool.
>> http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
>> in .zip file.
>>
Anonymous
December 14, 2004 5:59:08 AM

IPSec filtering is a good move.
If this Win 2000 client does not need to share anything, disable "File and
Printer Sharing", "Server" and "Computer Browser" NT Services.

This will stop UDP 138 from propagating, which in turn prevents
NetBIOS info (computer name / services, user name, etc.) from being
advertised.

As long as some form of Internet connectivity is needed, a good personal
firewall (stateful, application, etc.) should be a standard on each client
machine in today's hostile environment.



"Thomas" wrote:

> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:%23vyECfV4EHA.1396@tk2msftngp13.phx.gbl...
>
> > This may seem semantical/pedantic, but IPsec is *not* a firewall. It can
> > not make stateful decisions on connection specific information like a
> > firewall can.
>
> Thank you for clarifying. That is the reason why I used quotation marks for
> 'firewall'.
>
> > This is why it is considered "best practice" to use IPsec with a host based
> > firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
> > the best of both feature sets. Look for a feature called "Authenticated
> > Bypass" if you want to know more about the beauty of this approach.
>
> We currently do not need a firewall for this particular (Windows 2000)
> workstation, as it is not connected to the server (which I believe does use
> a software firewall). Only NetBIOS ports need to be relatively secure.
>
> Regards,
>
> Thomas
>
> >
> >
> > "Thomas" <email@isin.my.message.com> wrote in message
> > news:cpko3t$lvl$1@ngspool-d02.news.aol.com...
> > > Thank you for your comments and links. It is interesting to see how much
> > > information (and eventually, access!) others can obtain with NetBIOS.
> > >
> > > Fortunately, I finally managed the problem by setting a fixed IPSec policy
> > > to block all incoming and outgoing TCP and UDP packets through all
> > > NetBIOS/SMB-related ports. Since then, I have not noticed any further login
> > > attempts, so it seems that IPSec's 'firewall' is working. I still notice
> > > that the individuals are trying to get the account list, this time without
> > > success.
> > >
> > > I will read the NSA security configuration guides. For now, at least, the
> > > NetBIOS problem seems to be taken care of.
> > >
> > > Regards,
> > >
> > > Thomas
> > >
> > > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
> > > news:ovwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
> > >> ... for more information on how to secure this and what can break at the
> > >> various settings, go to www.nsa.gov/snac and download the Windows 2000 group
> > >> policy guide, think it's the third document, and search it for
> > >> "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
> > >> though it doesn't block all enumeration, just blocks some details from being
> > >> seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME or
> > >> NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000;
> > >> for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
> > >> which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
> > >> if you need more information on XP and 2003 settings.
> > >>
> > >> More information on why this happens and what can be seen are at
> > >> www.securityfriday.com There is a presentation / article on netbios null
> > >> sessions, and the free getacct tool lets you see what the hackers can
> > >> see.
> > >>
> > >> I concur that it sounds like you have no firewall or a misconfigured
> > >> firewall and you should not be surprised that hackers can get into your
> > >> domain controllers. Windows is not secure until you secure it.
> > >> www.microsoft.com/technet/security, www.nsa.gov/snac and
> > >> www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.
> > >>
> > >>
> > >> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > >> news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
> > >> > Aside from failing to use a firewall, you possibly do not have policies
> > >> > set so that you "Do not allow anonymous enumeration of SAM accounts and
> > >> > shares". This allows a remote to easily list out your account names and
> > >> > groups, and attracts further effort due to the appearance of an easy meal.
> > >> > The anonymous enumeration settings can be found in the security
> > >> > setting options of the local security policy, although slightly
> > >> > differently worded depending on OS version.
> > >> >
> > >> > --
> > >> > Roger Abell
> > >> > Microsoft MVP (Windows Server System: Security)
> > >> > MCDBA, MCSE W2k3+W2k+Nt4
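The pattern the thread diagnoses (every account on the box tried in turn, each attempt failing with error code 3221225578) can be turned into a detection rule. The script below is an added example, not code from the thread or from any tool it links; it parses event-681 text in the layout Thomas posted and flags a workstation that tries several different accounts within a short window and gets "wrong password" (0xC000006A) rather than "no such user" (0xC0000064) for all of them, which is what guessing against an enumerated account list looks like. The sample events, the timestamps and the LAN host name PC-LAN7 are constructed.

```python
"""Flag event-681 logon failures that fit guessing against an enumerated list."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_WRONG_PASSWORD = 0xC000006A   # 3221225578: account exists, bad password
STATUS_NO_SUCH_USER = 0xC0000064     # 3221225572: no such account

# Field layout of the event text exactly as posted in the thread.
EVENT_RE = re.compile(
    r"The logon to account: (?P<account>.+?)\s+by: (?P<package>\S+)\s+"
    r"from workstation: (?P<workstation>\S+)\s+"
    r"failed\. The error code was: (?P<code>\d+)", re.S)

def parse_event(text):
    """Return the event's fields as a dict (code as int), or None if unparsable."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"])
    return fields

def find_enumerated_guessing(events, window=timedelta(minutes=5), min_accounts=3):
    """events: iterable of (timestamp, event_text). A workstation that tries
    several *different* accounts inside one window and gets WRONG_PASSWORD
    (never NO_SUCH_USER) for all of them is working from a valid account list."""
    by_ws = defaultdict(list)
    for ts, text in events:
        ev = parse_event(text)
        if ev:
            by_ws[ev["workstation"]].append((ts, ev))
    findings = {}
    for ws, items in by_ws.items():
        items.sort(key=lambda pair: pair[0])
        for i, (t0, _) in enumerate(items):          # slide a window over each start
            span = [ev for ts, ev in items[i:] if ts - t0 <= window]
            accounts = {ev["account"] for ev in span}
            if len(accounts) >= min_accounts and all(
                    ev["code"] == STATUS_WRONG_PASSWORD for ev in span):
                findings[ws] = {"accounts": sorted(accounts), "attempts": len(span)}
                break
    return findings

def sample_events():
    """Constructed events in the thread's format; host PC-LAN7 is made up."""
    base = datetime(2004, 12, 13, 1, 0, 0)
    tmpl = ("The logon to account: {acct}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: {ws}\nfailed. The error code was: {code}")
    out = [(base + timedelta(seconds=3 * i),
            tmpl.format(acct=a, ws="0WEWCKG1", code=STATUS_WRONG_PASSWORD))
           for i, a in enumerate(["Administrator", "Peter", "Thomas", "Jane"])]
    # One mistyped logon for a non-existent name from a LAN host: not flagged.
    out.append((base + timedelta(minutes=1),
                tmpl.format(acct="Tomas", ws="PC-LAN7", code=STATUS_NO_SUCH_USER)))
    return out
```

Seeing the "wrong password" status for every account rather than a mix with "no such user" is the tell that the account list was obtained first, as the replies attribute to null sessions.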
Anonymous
December 15, 2004 10:54:31 AM

"Thomas" <email@isin.my.message.com> wrote in message
news:cpl8au$4i6$1@ngspool-d02.news.aol.com...

> We currently do not need a firewall for this particular (Windows 2000)
> workstation, as it is not connected to the server (which I believe does use
> a software firewall). Only NetBIOS ports need to be relatively secure.

FYI there is a default registry value you *absolutely* need to change on
Windows 2000 to make IPSec filtering secure. It's mentioned in the IPsec
guide at www.nsa.gov/snac. Without this setting, by default anyone can
bypass your IPsec filters by using a certain source port. Windows 2003
Server has this setting configured securely by default. I think XP IPsec is
configured securely by default, but I'm not 100% sure.
Anonymous
December 15, 2004 6:14:46 PM

Tinfoil hat securely fastened, Thomas pounded the keyboard to produce
> It is interesting to see how much
> information (and eventually, access!) others can obtain with NetBIOS.
>
>
It's not NetBIOS that is the problem in this case; it is the allowing of null
connections (which provide backward compatibility with NT4, in case you're
wondering why Microsoft has them set up that way).

Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin
Anonymous
December 15, 2004 6:17:26 PM

Tinfoil hat securely fastened, Thomas pounded the keyboard to produce
> I appreciate any information you can provide.
>
>
In addition to the other responses, take a look at this:

http://www.hammerofgod.com/download/Mullen-RA.ppt

and the UserDump and UserInfo utilities here:

http://www.hammerofgod.com/download.htm

Laura
--
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
-- Benjamin Franklin