Apparent NetBIOS Attack - How Dangerous?

Archived from groups: microsoft.public.win2000.security

I have been noticing, after checking Windows 2000's Event Viewer's security
protocol, that some individual (from the Internet) is attempting to log into
our computer. The attempts --fortunately all failed, so far-- start
occurring a few minutes after I establish a PPPoE Internet connection, and
cease after some time. When the attacks begin, they occur for several
minutes, sometimes every two or three seconds, sometimes every 10-60
seconds, sometimes just once or twice.

In the Event Viewer, the alerts look like the following one:

The logon to account: <Local account name here>
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: 0WEWCKG1
failed. The error code was: 3221225578

The error type is 681.

Strangely, the individual basically uses every account available in our
system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
then the user attempts to login with one or more of these accounts. How is
it possible that our full account list is known to someone on the Internet?

As the login attempts occur after packets are sent to local port 137
(NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
won't stop. The user still obtains our account list, and the failed logins
still appear on the Event Viewer security protocol.

What can be done in order to remedy this situation? If the subject discovers
the password for one account, would it be possible for him to eventually
"login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
that instance, how much access does he actually have, and how much damage
can he do? In advance, I appreciate any information you can provide.

Regards,

Thomas
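The record Thomas quotes is Windows 2000 event 681, and its decimal error code is an NTSTATUS value: 3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD. That detail matters for triage: a sweep of wrong-password failures across accounts that all exist (rather than "no such user" failures) is exactly what an attacker produces after enumerating the account list first. The script below, added here as an example and not part of the thread, parses records in that text form, decodes the code, and flags a source that tries several distinct accounts inside a short window. The sample records are constructed; the workstation name and accounts come from the post, the timestamps do not. Note that the "from workstation" field is supplied by the remote client and cannot be trusted as an identifier.

```python
"""Triage of Windows 2000 event 681 ("The logon to account ... failed") text.

Added example, not part of the original thread. Sample records are
constructed to resemble the Event Viewer text quoted above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values commonly seen in event 681. 3221225578 in the thread is
# 0xC000006A = STATUS_WRONG_PASSWORD.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed records: "<timestamp>|<event text>", one per line.
SAMPLE_LOG = """\
2004-12-12 20:01:03|The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 20:01:06|The logon to account: Peter by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 20:01:09|The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 20:01:12|The logon to account: Jane by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-12 20:02:40|The logon to account: guest2 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225572
2004-12-12 21:15:00|The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: OFFICE-PC failed. The error code was: 3221225578
"""

EVENT_RE = re.compile(
    r"The logon to account: (?P<account>\S+) by: (?P<package>\S+) "
    r"from workstation: (?P<workstation>\S+) failed\. "
    r"The error code was: (?P<code>\d+)"
)


def describe_code(code):
    """Map the decimal error code of event 681 to its NTSTATUS name."""
    return NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}")


def parse_records(text):
    """Parse "<timestamp>|<event text>" lines into dicts; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        ts_text, _, body = line.partition("|")
        m = EVENT_RE.search(body)
        if not m:
            continue
        code = int(m.group("code"))
        records.append({
            "time": datetime.strptime(ts_text.strip(), "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "workstation": m.group("workstation"),  # client-supplied, not trustworthy
            "code": code,
            "status": describe_code(code),
        })
    return records


def find_account_sweeps(records, window=timedelta(minutes=5), min_accounts=3):
    """Flag each source that fails against min_accounts or more distinct
    accounts within `window`. The wrong_password count shows how many of the
    targeted accounts actually exist, which is what Thomas observed."""
    by_source = defaultdict(list)
    for r in records:
        by_source[r["workstation"]].append(r)
    alerts = {}
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            accounts, wrong_pw = set(), 0
            for r in recs[i:]:
                if r["time"] - first["time"] > window:
                    break
                accounts.add(r["account"])
                if r["code"] == 0xC000006A:
                    wrong_pw += 1
            if len(accounts) >= min_accounts:
                alerts[source] = {"accounts": sorted(accounts), "wrong_password": wrong_pw}
                break
    return alerts


if __name__ == "__main__":
    for source, info in find_account_sweeps(parse_records(SAMPLE_LOG)).items():
        print(f"{source}: {len(info['accounts'])} accounts tried, "
              f"{info['wrong_password']} with STATUS_WRONG_PASSWORD -> {info['accounts']}")
```

With the constructed sample, only 0WEWCKG1 is flagged: five accounts inside two minutes, four of them existing accounts rejected for a wrong password. The single failure from OFFICE-PC is ordinary noise.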
  1. Archived from groups: microsoft.public.win2000.security

    Aside from failing to use a firewall, you possibly do not have policies set
    so that you do not allow anonymous enumeration of SAM accounts and shares.
    This allows a remote user to easily list out your account names and groups,
    and attracts further effort due to the appearance of an easy meal.
    The anonymous enumeration settings can be found in the security
    setting options of the local security policy, although slightly differently
    worded depending on OS version.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Thomas" <email@isin.my.message.com> wrote in message
    news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    >I have been noticing, after checking Windows 2000's Event Viewer's security
    > protocol, that some individual (from the Internet) is attempting to log
    > into
    > our computer. The attempts --fortunately all failed, so far-- start
    > occurring a few minutes after I establish a PPPoE Internet connection, and
    > cease after some time. When the attacks begin, they occur for several
    > minutes, sometimes every two or three seconds, sometimes every 10-60
    > seconds, sometimes just once or twice.
    >
    > In the Event Viewer, the alerts look like the following one:
    >
    > The logon to account: <Local account name here>
    > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > from workstation: 0WEWCKG1
    > failed. The error code was: 3221225578
    >
    > The error type is 681.
    >
    > Strangely, the individual basically uses every account available in our
    > system. That is, if we have the accounts Administrator, Peter, Thomas,
    > Jane,
    > then the user attempts to login with one or more of these accounts. How is
    > it possible that our full account list is known to someone on the
    > Internet?
    >
    > As the login attempts occur after packets are sent to local port 137
    > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    > still
    > won't stop. The user still obtains our account list, and the failed logins
    > still appear on the Event Viewer security protocol.
    >
    > What can be done in order to remedy this situation? If the subject
    > discovers
    > the password for one account, would it be possible for him to eventually
    > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    > that instance, how much access does he actually have, and how much damage
    > can he do? In advance, I appreciate any information you can provide.
    >
    > Regards,
    >
    > Thomas
    >
    >
  2. Archived from groups: microsoft.public.win2000.security

    Are you using a firewall such as a personal firewall or a hardware device -
    even a cheap NAT router?? If not, then you need one, and yes, they could
    connect if they discovered a user's password if you do not have a properly
    configured firewall. Windows 2000 will still use port 445 TCP for file and
    print sharing if NBT is disabled. It is trivial to obtain user accounts and
    groups info [not passwords] via a null session if you are not using a
    firewall. Go to a site such as http://scan.sygatetech.com/ to do a self
    scan assessment to see if any vulnerabilities are found. I would also make
    sure that your computer is current with critical updates from Windows
    Updates and is using a virus scan program that can monitor the computer in
    live time, is current with virus definition files [they change almost
    daily], and scans all emails. If you have not done so, do a full virus scan
    on your computer and also for parasites with AdAware SE, as your chance of
    infection is high from your description of what is going on. If infections
    are found, do not connect to the internet until a firewall is in place and
    properly configured. The link below is for personal firewalls that are free
    for personal use, such as Zone Alarm, which is fairly easy for novices to
    configure, though I always prefer a hardware device such as a NAT router as
    the first line of defense. --- Steve

    http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
    your pc tips.
    http://www.snapfiles.com/Freeware/security/fwfirewall.html
    http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
    detection and removal tool.
    http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
    in .zip file.

    "Thomas" <email@isin.my.message.com> wrote in message
    news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    >I have been noticing, after checking Windows 2000's Event Viewer's security
    > protocol, that some individual (from the Internet) is attempting to log
    > into
    > our computer. The attempts --fortunately all failed, so far-- start
    > occurring a few minutes after I establish a PPPoE Internet connection, and
    > cease after some time. When the attacks begin, they occur for several
    > minutes, sometimes every two or three seconds, sometimes every 10-60
    > seconds, sometimes just once or twice.
    >
    > In the Event Viewer, the alerts look like the following one:
    >
    > The logon to account: <Local account name here>
    > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > from workstation: 0WEWCKG1
    > failed. The error code was: 3221225578
    >
    > The error type is 681.
    >
    > Strangely, the individual basically uses every account available in our
    > system. That is, if we have the accounts Administrator, Peter, Thomas,
    > Jane,
    > then the user attempts to login with one or more of these accounts. How is
    > it possible that our full account list is known to someone on the
    > Internet?
    >
    > As the login attempts occur after packets are sent to local port 137
    > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    > still
    > won't stop. The user still obtains our account list, and the failed logins
    > still appear on the Event Viewer security protocol.
    >
    > What can be done in order to remedy this situation? If the subject
    > discovers
    > the password for one account, would it be possible for him to eventually
    > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    > that instance, how much access does he actually have, and how much damage
    > can he do? In advance, I appreciate any information you can provide.
    >
    > Regards,
    >
    > Thomas
    >
    >
  3. Archived from groups: microsoft.public.win2000.security

    .... for more information on how to secure this and what can break at the
    various settings, go to www.nsa.gov/snac and download the Windows 2000 group
    policy guide, think it's the third document, and search it for
    "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
    though it doesn't block all enumeration, just blocks some details from being
    seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME or
    NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000,
    for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
    which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
    if you need more information on XP and 2003 settings.

    More information on why this happens and what can be seen is at
    www.securityfriday.com. There is a presentation / article on NetBIOS null
    sessions, and the free getacct tool lets you see what the hackers can see.

    I concur that it sounds like you have no firewall or a misconfigured
    firewall and you should not be surprised that hackers can get into your
    domain controllers. Windows is not secure until you secure it.
    www.microsoft.com/technet/security, www.nsa.gov/snac and
    www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.


    "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
    > Aside from failing to use a firewall, you possibly do not have policies set
    > to that you Do not all anonymous enumeration of SAM accounts and shared
    > This allows a remote to easily list out your account names and groups,
    > and attracts further effort due the appearance of an easy meal.
    > The anonymous enumeration settings can be found in the security
    > setting options of the local security policy, although slightly differently
    > worded depending on OS version.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Server System: Security)
    > MCDBA, MCSE W2k3+W2k+Nt4
    > "Thomas" <email@isin.my.message.com> wrote in message
    > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    > >I have been noticing, after checking Windows 2000's Event Viewer's security
    > > protocol, that some individual (from the Internet) is attempting to log
    > > into
    > > our computer. The attempts --fortunately all failed, so far-- start
    > > occurring a few minutes after I establish a PPPoE Internet connection, and
    > > cease after some time. When the attacks begin, they occur for several
    > > minutes, sometimes every two or three seconds, sometimes every 10-60
    > > seconds, sometimes just once or twice.
    > >
    > > In the Event Viewer, the alerts look like the following one:
    > >
    > > The logon to account: <Local account name here>
    > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > > from workstation: 0WEWCKG1
    > > failed. The error code was: 3221225578
    > >
    > > The error type is 681.
    > >
    > > Strangely, the individual basically uses every account available in our
    > > system. That is, if we have the accounts Administrator, Peter, Thomas,
    > > Jane,
    > > then the user attempts to login with one or more of these accounts. How is
    > > it possible that our full account list is known to someone on the
    > > Internet?
    > >
    > > As the login attempts occur after packets are sent to local port 137
    > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    > > still
    > > won't stop. The user still obtains our account list, and the failed logins
    > > still appear on the Event Viewer security protocol.
    > >
    > > What can be done in order to remedy this situation? If the subject
    > > discovers
    > > the password for one account, would it be possible for him to eventually
    > > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    > > that instance, how much access does he actually have, and how much damage
    > > can he do? In advance, I appreciate any information you can provide.
    > >
    > > Regards,
    > >
    > > Thomas
    > >
    > >
    >
    >
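Roger's and Karl's advice comes down to two registry values under the Lsa key, which is where the "anonymous enumeration" entries of Local Security Policy are stored: RestrictAnonymous (0, 1 or 2 on Windows 2000; 0 or 1 on XP and 2003) and RestrictAnonymousSAM (XP and 2003 only). The script below is an added example, not part of the thread and not a Microsoft tool: it parses a regedit .reg export of that key and checks the values against the guidance Karl gives, including his caveat that RestrictAnonymous=2 breaks Windows 9x/ME/NT clients. The export text is constructed; the key path and value names are the real ones.

```python
"""Audit of the anonymous-enumeration registry settings from a .reg export.

Added example, not part of the thread. The Lsa key and the values
RestrictAnonymous / RestrictAnonymousSAM are real; the export below is
constructed, and the checks encode the thread's guidance, not a Microsoft
baseline.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed export in regedit's .reg format, trimmed to the values of
# interest (a real one comes from: regedit /e lsa.reg "<key path>").
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000
"RestrictAnonymousSAM"=dword:00000001
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for dword and string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # other value types (hex:, @= default) are ignored here
        name, value = m.group("name"), m.group("value")
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = value[1:-1]
    return keys


def audit_anonymous_enumeration(keys, os_version):
    """Evaluate the Lsa values against the thread's guidance.

    os_version is "win2000" (RestrictAnonymous may be 0, 1 or 2) or "xp_2003"
    (RestrictAnonymous and RestrictAnonymousSAM, each 0 or 1). Returns
    (ok, findings); findings may hold advisory notes even when ok is True,
    and a missing value is treated as not set.
    """
    lsa = keys.get(LSA_KEY, {})
    ra = lsa.get("RestrictAnonymous")
    rsam = lsa.get("RestrictAnonymousSAM")
    findings = []
    if os_version == "win2000":
        if ra in (None, 0):
            findings.append("RestrictAnonymous is 0 or not set: null sessions can list "
                            "accounts and shares; set it to 1 (usually safe) or 2")
        elif ra == 2:
            findings.append("RestrictAnonymous=2: confirm no Windows 9x/ME/NT systems "
                            "need to talk to this host")
        if rsam is not None:
            findings.append("RestrictAnonymousSAM is present but has no effect on Windows 2000")
        ok = ra in (1, 2)
    elif os_version == "xp_2003":
        if ra != 1:
            findings.append("RestrictAnonymous should be 1 (do not allow anonymous "
                            "enumeration of SAM accounts and shares)")
        if rsam != 1:
            findings.append("RestrictAnonymousSAM should be 1 (do not allow anonymous "
                            "enumeration of SAM accounts)")
        ok = ra == 1 and rsam == 1
    else:
        raise ValueError(f"unknown os_version {os_version!r}")
    return ok, findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for os_version in ("win2000", "xp_2003"):
        ok, findings = audit_anonymous_enumeration(parsed, os_version)
        print(os_version, "OK" if ok else "NOT OK")
        for f in findings:
            print("  -", f)
```

On the constructed export the Windows 2000 check fails because RestrictAnonymous is 0 (the default Thomas was running with), and the XP/2003 check fails for the same value even though RestrictAnonymousSAM is already 1.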
  4. Archived from groups: microsoft.public.win2000.security

    Thank you for your comments and links. It is interesting to see how much
    information (and eventually, access!) others can obtain with NetBIOS.

    Fortunately, I finally managed the problem by setting a fixed IPSec policy
    to block all incoming and outgoing TCP and UDP packets through all
    NetBIOS/SMB-related ports. Since then, I have not noticed any further login
    attempts, so it seems that IPSec's 'firewall' is working. I still notice
    that the individuals are trying to get the account list, this time without
    success.

    I will read the NSA security configuration guides. For now, at least, the
    NetBIOS problem seems to be taken care of.

    Regards,

    Thomas

    "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    news:OvwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
    > ... for more information on how to secure this and what can break at the
    > various settings, go to www.nsa.gov/snac and download the Windows 2000 group
    > policy guide, think it's the third document, and search it for
    > "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
    > though it doesn't block all enumeration, just blocks some details from being
    > seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME or
    > NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000,
    > for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
    > which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
    > if you need more information on XP and 2003 settings.
    >
    > More information on why this happens and what can be seen are at
    > www.securityfriday.com There is a presentation / article on netbios null
    > sessions, and the free getacct tool lets you see what the hackers can see.
    >
    > I concur that it sounds like you have no firewall or a misconfigured
    > firewall and you should not be surprised that hackers can get into your
    > domain controllers. Windows is not secure until you secure it.
    > www.microsoft.com/technet/security, www.nsa.gov/snac and
    > www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.
    >
    >
    > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    > news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
    > > Aside from failing to use a firewall, you possibly do not have policies set
    > > to that you Do not all anonymous enumeration of SAM accounts and shared
    > > This allows a remote to easily list out your account names and groups,
    > > and attracts further effort due the appearance of an easy meal.
    > > The anonymous enumeration settings can be found in the security
    > > setting options of the local security policy, although slightly differently
    > > worded depending on OS version.
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Server System: Security)
    > > MCDBA, MCSE W2k3+W2k+Nt4
    > > "Thomas" <email@isin.my.message.com> wrote in message
    > > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    > > >I have been noticing, after checking Windows 2000's Event Viewer's security
    > > > protocol, that some individual (from the Internet) is attempting to log
    > > > into
    > > > our computer. The attempts --fortunately all failed, so far-- start
    > > > occurring a few minutes after I establish a PPPoE Internet connection, and
    > > > cease after some time. When the attacks begin, they occur for several
    > > > minutes, sometimes every two or three seconds, sometimes every 10-60
    > > > seconds, sometimes just once or twice.
    > > >
    > > > In the Event Viewer, the alerts look like the following one:
    > > >
    > > > The logon to account: <Local account name here>
    > > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > > > from workstation: 0WEWCKG1
    > > > failed. The error code was: 3221225578
    > > >
    > > > The error type is 681.
    > > >
    > > > Strangely, the individual basically uses every account available in our
    > > > system. That is, if we have the accounts Administrator, Peter, Thomas,
    > > > Jane,
    > > > then the user attempts to login with one or more of these accounts. How is
    > > > it possible that our full account list is known to someone on the
    > > > Internet?
    > > >
    > > > As the login attempts occur after packets are sent to local port 137
    > > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    > > > still
    > > > won't stop. The user still obtains our account list, and the failed logins
    > > > still appear on the Event Viewer security protocol.
    > > >
    > > > What can be done in order to remedy this situation? If the subject
    > > > discovers
    > > > the password for one account, would it be possible for him to eventually
    > > > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    > > > that instance, how much access does he actually have, and how much damage
    > > > can he do? In advance, I appreciate any information you can provide.
    > > >
    > > > Regards,
    > > >
    > > > Thomas
    > > >
    > > >
    > >
    > >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security

    This may seem semantical/pedantic, but IPsec is *not* a firewall. It cannot
    make stateful decisions on connection-specific information like a firewall
    can.

    It makes decisions on permit/deny based on filters, not on ports/protocols
    and their state.

    This is why it is considered "best practice" to use IPsec with a host based
    firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
    the best of both feature sets. Look for a feature called "Authenticated
    Bypass" if you want to know more about the beauty of this approach.


    "Thomas" <email@isin.my.message.com> wrote in message
    news:cpko3t$lvl$1@ngspool-d02.news.aol.com...
    > Thank you for your comments and links. It is interesting to see how much
    > information (and eventually, access!) others can obtain with NetBIOS.
    >
    > Fortunately, I finally managed the problem by setting a fixed IPSec policy
    > to block all incoming and outgoing TCP and UDP packets through all
    > NetBIOS/SMB-related ports. Since then, I have not noticed any further
    > login
    > attempts, so it seems that IPSec's 'firewall' is working. I still notice
    > that the individuals are trying to get the account list, this time without
    > success.
    >
    > I will read the NSA security configuration guides. For now, at least, the
    > NetBIOS problem seems to be taken care of.
    >
    > Regards,
    >
    > Thomas
    >
    > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    > news:OvwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
    >> ... for more information on how to secure this and what can break at the
    >> various settings, go to www.nsa.gov/snac and download the Windows 2000 group
    >> policy guide, think it's the third document, and search it for
    >> "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
    >> though it doesn't block all enumeration, just blocks some details from being
    >> seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME
    >> or
    >> NT systems, for example. RestrictAnonymous=2 only exists in Windows
    >> 2000,
    >> for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
    >> which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
    >> if you need more information on XP and 2003 settings.
    >>
    >> More information on why this happens and what can be seen are at
    >> www.securityfriday.com There is a presentation / article on netbios null
    >> sessions, and the free getacct tool lets you see what the hackers can
    >> see.
    >>
    >> I concur that it sounds like you have no firewall or a misconfigured
    >> firewall and you should not be surprised that hackers can get into your
    >> domain controllers. Windows is not secure until you secure it.
    >> www.microsoft.com/technet/security, www.nsa.gov/snac and
    >> www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.
    >>
    >>
    >> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    >> news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
    >> > Aside from failing to use a firewall, you possibly do not have policies set
    >> > to that you Do not all anonymous enumeration of SAM accounts and shared
    >> > This allows a remote to easily list out your account names and groups,
    >> > and attracts further effort due the appearance of an easy meal.
    >> > The anonymous enumeration settings can be found in the security
    >> > setting options of the local security policy, although slightly differently
    >> > worded depending on OS version.
    >> >
    >> > --
    >> > Roger Abell
    >> > Microsoft MVP (Windows Server System: Security)
    >> > MCDBA, MCSE W2k3+W2k+Nt4
    >> > "Thomas" <email@isin.my.message.com> wrote in message
    >> > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    >> > >I have been noticing, after checking Windows 2000's Event Viewer's security
    >> > > protocol, that some individual (from the Internet) is attempting to log
    >> > > into
    >> > > our computer. The attempts --fortunately all failed, so far-- start
    >> > > occurring a few minutes after I establish a PPPoE Internet connection, and
    >> > > cease after some time. When the attacks begin, they occur for several
    >> > > minutes, sometimes every two or three seconds, sometimes every 10-60
    >> > > seconds, sometimes just once or twice.
    >> > >
    >> > > In the Event Viewer, the alerts look like the following one:
    >> > >
    >> > > The logon to account: <Local account name here>
    >> > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    >> > > from workstation: 0WEWCKG1
    >> > > failed. The error code was: 3221225578
    >> > >
    >> > > The error type is 681.
    >> > >
    >> > > Strangely, the individual basically uses every account available in our
    >> > > system. That is, if we have the accounts Administrator, Peter,
    >> > > Thomas,
    >> > > Jane,
    >> > > then the user attempts to login with one or more of these accounts. How is
    >> > > it possible that our full account list is known to someone on the
    >> > > Internet?
    >> > >
    >> > > As the login attempts occur after packets are sent to local port 137
    >> > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    >> > > still
    >> > > won't stop. The user still obtains our account list, and the failed logins
    >> > > still appear on the Event Viewer security protocol.
    >> > >
    >> > > What can be done in order to remedy this situation? If the subject
    >> > > discovers
    >> > > the password for one account, would it be possible for him to eventually
    >> > > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    >> > > that instance, how much access does he actually have, and how much damage
    >> > > can he do? In advance, I appreciate any information you can provide.
    >> > >
    >> > > Regards,
    >> > >
    >> > > Thomas
    >> > >
    >> > >
    >> >
    >> >
    >>
    >>
    >
    >
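Steve Clark's distinction is easiest to see by running the same packets through both kinds of engine. The model below is an added example, not part of the thread and not Windows code: a stateless port filter in the spirit of the IPsec blocking policy Thomas configured (drop anything on the NetBIOS/SMB ports 137, 138, 139 and 445), beside a stateful host firewall that only admits inbound traffic belonging to a connection the host itself opened. The addresses and packets are constructed from the RFC 5737 documentation ranges.

```python
"""Stateless port filter beside a stateful host firewall.

Added example, not part of the thread. Both engines are small models for
this illustration, not Windows implementations; traffic is constructed.
"""
from dataclasses import dataclass

# The ports the thread is about: NetBIOS name, datagram and session services,
# plus direct-hosted SMB on 445, which Windows 2000 keeps using when NBT is off.
NETBIOS_SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

LOCAL = "192.0.2.10"  # stands for the Windows 2000 host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ipsec_style_filter(pkt):
    """Stateless filter list: block any packet whose local-side port is a
    NetBIOS/SMB port, permit everything else. Every packet is judged on its
    own; nothing is remembered between packets."""
    local_port = pkt.dport if pkt.dst == LOCAL else pkt.sport
    return "block" if (pkt.proto, local_port) in NETBIOS_SMB_PORTS else "permit"


class StatefulFirewall:
    """Permit outbound traffic and remember it; permit inbound traffic only
    when it answers a connection this host opened. Unsolicited inbound is
    blocked whatever port it arrives on."""

    def __init__(self):
        self.connections = set()  # (proto, local_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.src == LOCAL:
            self.connections.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.connections else "block"


# Constructed traffic, in arrival order.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", 3122, LOCAL, 445),  # unsolicited SMB
    Packet("tcp", "198.51.100.7", 3123, LOCAL, 80),   # unsolicited, port not in the filter list
    Packet("tcp", LOCAL, 1033, "203.0.113.5", 80),    # host opens a web connection
    Packet("tcp", "203.0.113.5", 80, LOCAL, 1033),    # the server's reply
    Packet("tcp", "198.51.100.7", 80, LOCAL, 1034),   # looks like a reply, but nothing was requested
]


def compare(packets):
    """Run both engines over the packets; return [(filter, firewall), ...] decisions."""
    fw = StatefulFirewall()
    return [(ipsec_style_filter(p), fw.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (f, s) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  filter={f:6}  firewall={s}")
```

Both engines stop the SMB probe, which is why Thomas's IPsec policy silenced the logon attempts. They part ways on the second and fifth packets: the filter passes anything not on its list, including unsolicited traffic dressed up as a reply, while the stateful firewall passes only the answer to the connection the host actually opened. That gap is what the "host firewall plus IPsec" combination closes.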
  6. Archived from groups: microsoft.public.win2000.security

    Thank you for your reply. That the computer may be infected with some sort
    of trojan passed my mind. I performed a full system scan for viruses,
    trojans, etc. Fortunately, the scan didn't find anything critical.

    It seems like I overestimated Windows 2000's default security. I have since
    added some IPSec port filters in order to take care of the NetBIOS problem.

    Regards,

    Thomas

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:N48vd.561658$D%.181906@attbi_s51...
    > Are you using a firewall such as a personal firewall or a hardware device -
    > even a cheap NAT router?? If not, then you need one and yes they could
    > connect if they discovered a user's password if you do not have a properly
    > configured firewall. Windows 2000 will still use port 445 TCP for file and
    > print sharing if NBT is disabled. It is trivial to obtain user accounts and
    > groups info [not passwords] if you are not using a firewall via a null
    > session. Go to a site like such as http://scan.sygatetech.com/ to do a self
    > scan assessment to see if any vulnerabilities are found. I would also make
    > sure that your computer is current with critical updates from Windows
    > Updates and is using a virus scan program that can monitor the computer in
    > live time, is current with virus definition files [they change almost daily]
    > , and scans all emails. If you have not done so, do a full virus scan on
    > your computer and also for parasites with AdAware SE as your chance of
    > infection is high from your description of what is going on. If infections
    > are found, do not connect to the internet until a firewall is in place and
    > properly configured. The link below is for free for personal use personal
    > firewalls such as Zone Alarm that is fairly easy for novices to configure
    > though I always prefer a hardware device such as a NAT router as the first
    > line of defense. --- Steve
    >
    > http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
    > your pc tips.
    > http://www.snapfiles.com/Freeware/security/fwfirewall.html
    > http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
    > detection and removal tool.
    > http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
    > in .zip file.
    >
    > "Thomas" <email@isin.my.message.com> wrote in message
    > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
    > >I have been noticing, after checking Windows 2000's Event Viewer's security
    > > protocol, that some individual (from the Internet) is attempting to log
    > > into
    > > our computer. The attempts --fortunately all failed, so far-- start
    > > occurring a few minutes after I establish a PPPoE Internet connection, and
    > > cease after some time. When the attacks begin, they occur for several
    > > minutes, sometimes every two or three seconds, sometimes every 10-60
    > > seconds, sometimes just once or twice.
    > >
    > > In the Event Viewer, the alerts look like the following one:
    > >
    > > The logon to account: <Local account name here>
    > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > > from workstation: 0WEWCKG1
    > > failed. The error code was: 3221225578
    > >
    > > The error type is 681.
    > >
    > > Strangely, the individual basically uses every account available in our
    > > system. That is, if we have the accounts Administrator, Peter, Thomas,
    > > Jane,
    > > then the user attempts to login with one or more of these accounts. How is
    > > it possible that our full account list is known to someone on the
    > > Internet?
    > >
    > > As the login attempts occur after packets are sent to local port 137
    > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks
    > > still
    > > won't stop. The user still obtains our account list, and the failed logins
    > > still appear on the Event Viewer security protocol.
    > >
    > > What can be done in order to remedy this situation? If the subject
    > > discovers
    > > the password for one account, would it be possible for him to eventually
    > > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
    > > that instance, how much access does he actually have, and how much damage
    > > can he do? In advance, I appreciate any information you can provide.
    > >
    > > Regards,
    > >
    > > Thomas
    > >
    > >
    >
    >
  7. Archived from groups: microsoft.public.win2000.security

    "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    news:%23vyECfV4EHA.1396@tk2msftngp13.phx.gbl...

    > This may seem semantical/pedantic, but IPsec is *not* a firewall. It can
    > not make stateful decisions on connection specific information like a
    > firewall can.

    Thank you for clarifying. That is the reason why I used quotation marks for
    'firewall'.

    > This is why it is considered "best practice" to use IPsec with a host based
    > firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
    > the best of both feature sets. Look for a feature called "Authenticated
    > Bypass" if you want to know more about the beauty of this approach.

    We currently do not need a firewall for this particular (Windows 2000)
    workstation, as it is not connected to the server (which I believe does use
    a software firewall). Only NetBIOS ports need to be relatively secure.

    Regards,

    Thomas

    >
    >
    > "Thomas" <email@isin.my.message.com> wrote in message
    > news:cpko3t$lvl$1@ngspool-d02.news.aol.com...
    > > Thank you for your comments and links. It is interesting to see how much
    > > information (and eventually, access!) others can obtain with NetBIOS.
    > >
    > > Fortunately, I finally managed the problem by setting a fixed IPSec policy
    > > to block all incoming and outgoing TCP and UDP packets through all
    > > NetBIOS/SMB-related ports. Since then, I have not noticed any further
    > > login
    > > attempts, so it seems that IPSec's 'firewall' is working. I still notice
    > > that the individuals are trying to get the account list, this time without
    > > success.
    > >
    > > I will read the NSA security configuration guides. For now, at least, the
    > > NetBIOS problem seems to be taken care of.
    > >
    > > Regards,
    > >
    > > Thomas
    > >
    > > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    > > news:OvwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
    > >> ... for more information on how to secure this and what can break at the
    > >> various settings, go to www.nsa.gov/snac and download the Windows 2000
    > > group
    > >> policy guide, think it's the third document, and search it for
    > >> "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
    > >> though it doesn't block all enumeration, just blocks some details from
    > > being
    > >> seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME
    > >> or
    > >> NT systems, for example. RestrictAnonymous=2 only exists in Windows
    > >> 2000,
    > >> for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
    > >> which can be either 0 or 1. Search www.google.com for
    > > RestrictAnonymousSAM
    > >> if you need more information on XP and 2003 settings.
    > >>
    > >> More information on why this happens and what can be seen are at
    > >> www.securityfriday.com There is a presentation / article on netbios
    null
    > >> sessions, and the free getacct tool lets you see what the hackers can
    > >> see.
    > >>
    > >> I concur that it sounds like you have no firewall or a misconfigured
    > >> firewall and you should not be surprised that hackers can get into your
    > >> domain controllers. Windows is not secure until you secure it.
    > >> www.microsoft.com/technet/security, www.nsa.gov/snac and
    > >> www.securityadmin.info/faq.asp#harden have hardening guides for Win
    2000.
    > >>
    > >>
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    Windows 2000 does not have a built in firewall like Windows 2003 does and
    can be very vulnerable when connected directly to the internet. Ipsec is a
    good stop gap measure. If you are not using file and print sharing on that
    particular computer [or at least on an external adapter] it would be wise to
    disable it, at least on adapters that do not use it. Another possibility is
    to enable tcp/ip filtering for TCP only with no ports listed if that
    computer does not need to be accessed in any way. Tcp/ip filtering for TCP
    is stateful, but UDP is not and dns client will fail to resolve names. Glad
    to hear you have made steps to secure the computer. --- Steve


    "Thomas" <email@isin.my.message.com> wrote in message
    news:cpkoh0$mdb$1@ngspool-d02.news.aol.com...
    > Thank you for your reply. That the computer may be infected with some sort
    > of trojan passed my mind. I performed a full system scan for viruses,
    > trojans, etc. Fortunately, the scan didn't find anything critical.
    >
    > It seems like I overestimated Windows 2000's default security. I have since
    > added some IPSec port filters in order to take care of the NetBIOS problem.
    >
    > Regards,
    >
    > Thomas
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:N48vd.561658$D%.181906@attbi_s51...
    >> Are you using a firewall such as a personal firewall or a hardware device -
    >> even a cheap NAT router?? If not, then you need one and yes they could
    >> connect if they discovered a user's password if you do not have a properly
    >> configured firewall. Windows 2000 will still use port 445 TCP for file and
    >> print sharing if NBT is disabled. It is trivial to obtain user accounts and
    >> groups info [not passwords] if you are not using a firewall via a null
    >> session. Go to a site such as http://scan.sygatetech.com/ to do a self
    >> scan assessment to see if any vulnerabilities are found. I would also make
    >> sure that your computer is current with critical updates from Windows
    >> Updates and is using a virus scan program that can monitor the computer in
    >> live time, is current with virus definition files [they change almost
    >> daily], and scans all emails. If you have not done so, do a full virus scan on
    >> your computer and also for parasites with AdAware SE as your chance of
    >> infection is high from your description of what is going on. If infections
    >> are found, do not connect to the internet until a firewall is in place and
    >> properly configured. The link below is for personal firewalls that are free
    >> for personal use, such as Zone Alarm, which is fairly easy for novices to
    >> configure, though I always prefer a hardware device such as a NAT router as
    >> the first line of defense. --- Steve
    >>
    >> http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
    >> your pc tips.
    >> http://www.snapfiles.com/Freeware/security/fwfirewall.html
    >> http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
    >> detection and removal tool.
    >> http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
    >> in .zip file.
    >>
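    Detection logic for the event 681 pattern this thread is about, as an added example that is not part of the thread or of any poster's advice: it parses the 681 message text in the layout quoted above, decodes the decimal NTSTATUS (3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD) and flags a workstation that fails logons for several distinct accounts within a short window, which is what an enumerated account list followed by password guessing looks like in the security log. The timestamps, the HOMEPC workstation and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NTSTATUS_NAMES = {  # event 681 prints the NTSTATUS in decimal
    0xC000006A: "STATUS_WRONG_PASSWORD",  # 3221225578, the code on the page
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Field layout exactly as the Event Viewer text quoted in the thread.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def parse_681(message):
    """Return the fields of one event 681 message, or None if it is not one."""
    m = EVENT_681.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "account": m.group("account"),
        "workstation": m.group("workstation"),
        "status": NTSTATUS_NAMES.get(code, hex(code)),
    }

def detect_sweeps(events, window=timedelta(minutes=5), min_accounts=3):
    """events: iterable of (datetime, message).  Flag a workstation that fails
    logons for >= min_accounts distinct accounts inside `window`."""
    by_ws = defaultdict(list)
    for ts, msg in events:
        rec = parse_681(msg)
        if rec:
            by_ws[rec["workstation"]].append((ts, rec["account"]))
    alerts = {}
    for ws, tries in by_ws.items():
        tries.sort()  # oldest first, so tries[i:] is everything from t0 on
        for i, (t0, _) in enumerate(tries):
            accounts = {a for t, a in tries[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                alerts[ws] = {"accounts": sorted(accounts), "attempts": len(tries)}
                break
    return alerts

def _evt(account, ws, code=3221225578):  # builds a message in the page's format
    return (f"The logon to account: {account}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"from workstation: {ws}\nfailed. The error code was: {code}")

T0 = datetime(2004, 12, 10, 21, 0, 0)  # constructed timestamps and events
SAMPLE_EVENTS = [
    (T0, _evt("Administrator", "0WEWCKG1")),
    (T0 + timedelta(seconds=3), _evt("Peter", "0WEWCKG1")),
    (T0 + timedelta(seconds=5), _evt("Thomas", "0WEWCKG1")),
    (T0 + timedelta(seconds=40), _evt("Jane", "0WEWCKG1")),
    (T0 + timedelta(minutes=20), _evt("Thomas", "HOMEPC")),  # one typo: benign
    (T0 + timedelta(minutes=21), "Successful Logon: User Name: Thomas"),  # not a 681
]

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_EVENTS))
```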
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    IPSec filtering is a good move.
    If this Win 2000 client does not need to share anything, disable "File and
    Printer Sharing", "Server" and "Computer Browser" NT Services.

    This will stop UDP 138 from propagating, which in turn prevents
    NetBIOS info (computer name / services, user name, etc.) from being
    advertised.

    As long as some form of Internet connectivity is needed, a good personal
    firewall (stateful, application, etc.) should be a standard on each client
    machine in today's hostile environment.


    "Thomas" wrote:

    > "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    > news:%23vyECfV4EHA.1396@tk2msftngp13.phx.gbl...
    >
    > > This may seem semantical/pedantic, but IPsec is *not* a firewall. It can
    > > not make stateful decisions on connection specific information like a
    > > firewall can.
    >
    > Thank you for clarifying. That is the reason why I used quotation marks for
    > 'firewall'.
    >
    > > This is why it is considered "best practice" to use IPsec with a host based
    > > firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
    > > the best of both feature sets. Look for a feature called "Authenticated
    > > Bypass" if you want to know more about the beauty of this approach.
    >
    > We currently do not need a firewall for this particular (Windows 2000)
    > workstation, as it is not connected to the server (which I believe does use
    > a software firewall). Only NetBIOS ports need to be relatively secure.
    >
    > Regards,
    >
    > Thomas
    >
  10. Archived from groups: microsoft.public.win2000.security (More info?)

    "Thomas" <email@isin.my.message.com> wrote in message
    news:cpl8au$4i6$1@ngspool-d02.news.aol.com...

    > We currently do not need a firewall for this particular (Windows 2000)
    > workstation, as it is not connected to the server (which I believe does use
    > a software firewall). Only NetBIOS ports need to be relatively secure.

    FYI there is a default registry value you *absolutely* need to change on
    Windows 2000 to make IPSec filtering secure. It's mentioned in the IPsec
    guide at www.nsa.gov/snac. Without this setting, by default anyone can
    bypass your IPsec filters by using a certain source port. Windows 2003
    Server has this setting configured securely by default. I think XP IPsec is
    configured securely by default, but I'm not 100% sure.
  11. Archived from groups: microsoft.public.win2000.security (More info?)

    Tinfoil hat securely fastened, Thomas pounded the keyboard to produce
    > It is interesting to see how much
    > information (and eventually, access!) others can obtain with NetBIOS.
    >
    It's not NetBIOS that is the problem in this case; it is the allowing of null
    connections (which provide backward compatibility with NT4, in case you're
    wondering why Microsoft has them set up that way).

    Laura
    --
    They that can give up essential liberty to obtain a little temporary safety
    deserve neither liberty nor safety.
    -- Benjamin Franklin
  12. Archived from groups: microsoft.public.win2000.security (More info?)

    Tinfoil hat securely fastened, Thomas pounded the keyboard to produce
    > I appreciate any information you can provide.
    >
    >
    In addition to the other responses, take a look at this:

    http://www.hammerofgod.com/download/Mullen-RA.ppt

    and the UserDump and UserInfo utilities here:

    http://www.hammerofgod.com/download.htm

    Laura
    --
    They that can give up essential liberty to obtain a little temporary safety
    deserve neither liberty nor safety.
    -- Benjamin Franklin