Archived from groups: microsoft.public.win2000.security (
More info?)
IPSec filtering is a good move.
If this Win 2000 client does not need to share anything, disable "File and
Printer Sharing", "Server" and "Computer Browser" NT Services.
This will stop UDP 138 from being propagating, which in turn prevents
NetBIOS info (computer name / services, user name, etc.) from being
advertised.
As long as some form of Internet connectivity is needed, a good personal
firewall (stateful, application, ect.) should be a standard on each client
machine in today's hostile environment.
"Thomas" wrote:
> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:%23vyECfV4EHA.1396@tk2msftngp13.phx.gbl...
>
> > This may seem semantical/pedantic, but IPsec is *not* a firewall. It can
> > not make stateuful decisions on connection specific information like a
> > firewall can.
>
> Thank you for clarifying. That is the reason why I used quotation marks for
> 'firewall'.
>
> > This is why it is considered "best practice" to use IPsec with a host
> based
> > firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to
> provide
> > the best of both feature sets. Look for a feature called "Authenticated
> > Bypass" if you want to know more about the beauty of this approach.
>
> We currently do not need a firewall for this particular (Windows 2000)
> workstation, as it is not connected to the server (which I believe does use
> a software firewall). Only NetBIOS ports need to be relatively secure.
>
> Regards,
>
> Thomas
>
> >
> >
> > "Thomas" <email@isin.my.message.com> wrote in message
> > news:cpko3t$lvl$1@ngspool-d02.news.aol.com...
> > > Thank you for your comments and links. It is interesting to see how much
> > > information (and eventally, access!) others can obtain with NetBIOS.
> > >
> > > Fortunately, I finally managed the problem by setting a fixed IPSec
> policy
> > > to block all incoming and outgoing TCP and UDP packets through all
> > > NetBIOS/SMB-related ports. Since then, I have not noticed any further
> > > login
> > > attempts, so it seems that IPSec's 'firewall' is working. I still notice
> > > that the individuals are trying to get the account list, this time
> without
> > > success.
> > >
> > > I will read the NSA security configuration guides. For now, at least,
> the
> > > NetBIOS problem seeems to be taken care of.
> > >
> > > Regards,
> > >
> > > Thomas
> > >
> > > "Karl Levinson, mvp" <levinson_k@despammed.com> schrieb im Newsbeitrag
> > > news:OvwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
> > >> ... for more information on how to secure this and what can break at
> the
> > >> various settings, go to www.nsa.gov/snac and download the Windows 2000
> > > group
> > >> policy guide, think it's the third document, and search it for
> > >> "restrictanonymous." For Win 2000, restrictanonymous=1 is usually
> safe,
> > >> though it doesn't block all enumeration, just blocks some details from
> > > being
> > >> seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME
> > >> or
> > >> NT systems, for example. RestrictAnonymous=2 only exists in Windows
> > >> 2000,
> > >> for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM,
> both
> > > of
> > >> which can be either 0 or 1. Search www.google.com for
> > > RestrictAnonymousSAM
> > >> if you need more information on XP and 2003 settings.
> > >>
> > >> More information on why this happens and what can be seen are at
> > >> www.securityfriday.com There is a presentation / article on netbios
> null
> > >> sessions, and the free getacct tool lets you see what the hackers can
> > >> see.
> > >>
> > >> I concur that it sounds like you have no firewall or a misconfigured
> > >> firewall and you should not be surprised that hackers can get into your
> > >> domain controllers. Windows is not secure until you secure it.
> > >> www.microsoft.com/technet/security, www.nsa.gov/snac and
> > >> www.securityadmin.info/faq.asp#harden have hardening guides for Win
> 2000.
> > >>
> > >>
> > >> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > >> news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
> > >> > Aside from failing to use a firewall, you possibly do not have
> policies
> > >> set
> > >> > to that you Do not all anonymous enumeration of SAM accounts and
> shared
> > >> > This allows a remote to easily list out your account names and
> groups,
> > >> > and attracts further effort due the appearance of an easy meal.
> > >> > The anonymous enumeration settings can be found in the security
> > >> > setting options of the local security policy, although slightly
> > >> differently
> > >> > worded depending on OS version.
> > >> >
> > >> > --
> > >> > Roger Abell
> > >> > Microsoft MVP (Windows Server System: Security)
> > >> > MCDBA, MCSE W2k3+W2k+Nt4
> > >> > "Thomas" <email@isin.my.message.com> wrote in message
> > >> > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
> > >> > >I have been noticing, after checking Windows 2000's Event Viewer's
> > >> security
> > >> > > protocol, that some individual (from the Internet) is attempting to
> > > log
> > >> > > into
> > >> > > our computer. The attempts --fortunately all failed, so far-- start
> > >> > > occurring a few minutes after I establish a PPPoE Internet
> > >> > > connection,
> > >> and
> > >> > > cease after some time. When the attacks begin, they occur for
> several
> > >> > > minutes, sometimes every two or three seconds, sometimes every
> 10-60
> > >> > > seconds, sometimes just once or twice.
> > >> > >
> > >> > > In the Event Viewer, the alerts look like the following one:
> > >> > >
> > >> > > The logon to account: <Local account name here>
> > >> > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > >> > > from workstation: 0WEWCKG1
> > >> > > failed. The error code was: 3221225578
> > >> > >
> > >> > > The error type is 681.
> > >> > >
> > >> > > Strangely, the individual basically uses every account available in
> > > our
> > >> > > system. That is, if we have the accounts Administrator, Peter,
> > >> > > Thomas,
> > >> > > Jane,
> > >> > > then the user attempts to login with one or more of these accounts.
> > > How
> > >> is
> > >> > > it possible that our full account list is known to someone on the
> > >> > > Internet?
> > >> > >
> > >> > > As the login attempts occur after packets are sent to local port
> 137
> > >> > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login
> attacks
> > >> > > still
> > >> > > won't stop. The user still obtains our account list, and the failed
> > >> logins
> > >> > > still appear on the Event Viewer security protocol.
> > >> > >
> > >> > > What can be done in order to remedy this situation? If the subject
> > >> > > discovers
> > >> > > the password for one account, would it be possible for him to
> > > eventually
> > >> > > "login" successfully, in spite of NetBIOS over TCP/IP being
> disabled?
> > > In
> > >> > > that instance, how much access does he actually have, and how much
> > >> damage
> > >> > > can he do? In advance, I appreciate any information you can
> provide.
> > >> > >
> > >> > > Regards,
> > >> > >
> > >> > > Thomas
> > >> > >
> > >> > >
> > >> >
> > >> >
> > >>
> > >>
> > >
> > >
> >
> >
>
>
>
Facebook
Twitter
Instagram