RE: Possible compromise of Windows Server 2003 security risk & unknown



Hello,

I don't know if this could be useful but I'm posting it anyway ...

- If your OS is not yet updated, update it to SP1.
- On Local Policies > Security Options: enable "Do not allow anonymous
enumeration of SAM accounts" and enable "Do not allow anonymous enumeration
of SAM accounts and shares"; this would prevent some brute force attacks.

Setting account threshold to 5 and lockout duration to 30 minutes could be
good too.
Delete any account that you didn't create.

Although it's common sense, I hope this could help.

Regards.


"Chris" wrote:

> Hi Everyone,
>
>
>
> I wanted to find out if anybody is aware of how a Windows Server 2003
> Terminal Server out of the box environment can ever become
> compromised/hacked?
>
>
>
> We have recently received a security report stating that the server we are
> running has been performing other tasks, such as the polling of websites,
> and the scanning of other networks also being hosted. Our server is on the
> Internet.
>
>
>
> We noticed in our user list an unknown username named 'tsadmin' had been
> created and was logging in, with full access rights just like an
> administrator, they were also a member of the backup users group, however
> none of us ever recall creating this user. We are careful who we create
> onto the server and never allow them to have a desktop environment.
>
>
>
> Is this a coincidence?
>
>
>
> We have now deleted the tsadmin user.
>
>
>
> If anybody could advise of this, or recommend any additional security checks
> or security logging software then this would be ideal.
>
>
>
> How can we check if our server has been compromised? Do we need to fix
> anything? What can we do to prevent it from happening again?
>
>
>
> We currently use an up to date version of AVG server edition scanner, but if
> anybody knows of a more dedicated server security product this would be
> greatly appreciated.
>
>
>
> Thanking you in advance
>
> Chris
>
>
>
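The settings suggested in the reply above can be checked against command output saved from the server. This is an added example, not part of the original posts: the sample output is constructed, `EXPECTED_ADMINS` and the accepted ranges are assumptions, and `restrictanonymoussam` / `restrictanonymous` are the registry values behind the two anonymous-enumeration options.

```python
import re

# Constructed sample output (not from the thread) of: net accounts,
# reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa, net localgroup Administrators.
NET_ACCOUNTS = """\
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
"""
REG_LSA = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
"""
NET_LOCALGROUP = """\
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
tsadmin
The command completed successfully.
"""
EXPECTED_ADMINS = {"administrator"}  # assumption: accounts you created yourself

def audit(net_accounts, reg_lsa, localgroup, expected_admins):
    """Return a list of deviations from the settings suggested in the reply."""
    findings = []
    fields = dict(re.findall(r"^(Lockout [^:]+):\s+(\S+)", net_accounts, re.M))
    # "Never" as threshold means accounts are never locked out.
    threshold = fields.get("Lockout threshold", "Never")
    if not threshold.isdigit() or not 1 <= int(threshold) <= 5:
        findings.append(f"lockout threshold is {threshold}, want 1 to 5")
    # "Never" as duration means locked until an admin unlocks: stricter, so accepted.
    duration = fields.get("Lockout duration (minutes)", "0")
    if duration != "Never" and (not duration.isdigit() or int(duration) < 30):
        findings.append(f"lockout duration is {duration} min, want 30 or more")
    # These two Lsa values back the two anonymous-enumeration options.
    regs = {n.lower(): int(v, 16) for n, v in
            re.findall(r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)", reg_lsa, re.M)}
    for name in ("restrictanonymoussam", "restrictanonymous"):
        if regs.get(name, 0) < 1:
            findings.append(f"{name} is not enabled")
    # Member names sit between the dashed rule and the trailer line.
    body = re.split(r"^-{5,}[ \t]*$", localgroup, flags=re.M)[-1]
    for line in body.splitlines():
        name = line.strip()
        if name and not name.startswith("The command") and name.lower() not in expected_admins:
            findings.append(f"unexpected administrator: {name}")
    return findings
```

Calling `audit(NET_ACCOUNTS, REG_LSA, NET_LOCALGROUP, EXPECTED_ADMINS)` on the constructed samples reports the missing lockout threshold, the disabled `restrictanonymous` value, and the unexpected `tsadmin` member.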