Re: Security Question

You assume right.

--
Claus
"kj" <kj@xxxxxxxxxxx> wrote in message
news:eHshFciBHHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
Assuming SSL on OWA and RWW, but otherwise I've not heard of anything else
you should be concerned about.

--
/kj
"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OgQXi%23hBHHA.3836@xxxxxxxxxxxxxxxxxxxxxxx
Thanks, will give that a try. I just want to understand this and see if I
left a hole somewhere. Only the standard ports are open (SMTP, OWA, RWW and
3389 as a backdoor for us in case RWW dies).

--
Claus
"kj" <kj@xxxxxxxxxxx> wrote in message
news:eva%23wwSBHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
I just can't think of a way that someone could, with certainty, determine
the renamed administrator account, without authenticated ldap access on
std 2003. Assuming of course there are no ports open to the outside
besides those required for SMTP, OWA, and RWW, and no unfiltered VPN.

Maybe try the windows.server.security group; they might have some other ideas.

--
/kj
"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OwXT5YRBHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
thanks kj,

I keep a very tight monitoring and there is nothing from inside users
that I can track down. Also, the users there are not very sophisticated
and wouldn't know how to do this. It must have been from the outside.
I'm looking at renaming. I need to first go through the documentation
to see where the admin is used. I hate breaking things and spending the
weekend fixing them. I'd rather know first what I'm getting into. *G* I
captured two different IP addresses connected with those hack attempts
and I contacted the respective ISPs. Let's see what they come back
with - if any. Most of them are not very responsive if they are not in
the USA.

--
Claus
"kj" <kj@xxxxxxxxxxx> wrote in message
news:e9VsvJQBHHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
No, I don't mean the break-in attempt, only determining the name of
the renamed administrator account "from within".
Any unfiltered VPN connections?

Your diligence in monitoring to detect the attempts and password
strengths are a tribute. (Good job!)

Now that you are on guard, perhaps change it again and see if they
re-target to the new name. You might get a clue how they got it if you
are on the prowl when they do it again.

--
/kj
"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:ejsJS$PBHHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
kj,

Thanks for the additional comments. This client has Trend SCM running.
It's very unlikely that there is software on one of the user stations
that would do that. This has come from the outside. They also haven't
gotten in because the password is quite complex. But given that this
was the first time I came across this I was curious how they got the
username in the first place.

--
Claus
"kj" <kj@xxxxxxxxxxx> wrote in message
news:%23msZdRPBHHA.204@xxxxxxxxxxxxxxxxxxxxxxx
A simple ldap query will return the administrator account, but in
Windows 2003 AD "anonymous" ldap queries aren't allowed. However, a
logged in user with no other special privileges can easily determine
the name of the Administrator account. While a typical user isn't
going to know how to do this (or care probably), spyware/malware or
such could easily do this under the user credentials. As Les said
this "obscurity" measure isn't a significant security layer for a
determined intruder.

That said, I'm not aware of any spyware that has been found to do
this, but it is certainly possible.

--
/kj
"Les Connor [SBS Community Member - SBS MVP]"
<les.connor@xxxxxxxxxxxx> wrote in message
news:%23hIktUOBHHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
SMTP tar pit feature for Microsoft Windows Server 2003

http://support.microsoft.com/kb/842851

Getting a valid email address is one thing; the planets would have
to be aligned with the stars for someone to get a valid username
from an AD harvest, but if the email address is <name>@domain.com
and the user account is <name>, then it's a no brainer.

I see quite a few installs like this - I don't really like it but
it's because of defaults. Customizing user account and email
address generation is an obscurity measure, not effective against a
black hat but keeps the dabblers moving on.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and
I'll understand." - Confucius
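Les's point about an AD harvest over SMTP, and the KB 842851 tar pit as its mitigation, is the kind of thing a log check can surface. The script below is an added example (mine, not code posted by anyone in this thread): it parses constructed SMTP protocol-log lines in a hypothetical format and flags sources whose rejected RCPT TO attempts cluster in time, using a made-up threshold of five rejections per minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMTP protocol-log lines (hypothetical format, not from
# the thread): timestamp, client IP, RCPT TO command, server reply code.
SAMPLE_LOG = """\
2006-10-25 10:15:01 203.0.113.5 RCPT TO:<alice@example.com> 250
2006-10-25 10:15:01 203.0.113.5 RCPT TO:<aaron@example.com> 550
2006-10-25 10:15:02 203.0.113.5 RCPT TO:<adam@example.com> 550
2006-10-25 10:15:02 203.0.113.5 RCPT TO:<administrator@example.com> 550
2006-10-25 10:15:03 203.0.113.5 RCPT TO:<admin@example.com> 550
2006-10-25 10:15:03 203.0.113.5 RCPT TO:<alan@example.com> 550
2006-10-25 10:15:04 203.0.113.5 RCPT TO:<albert@example.com> 550
2006-10-25 10:16:10 198.51.100.7 RCPT TO:<alice@example.com> 250
2006-10-25 10:16:11 198.51.100.7 RCPT TO:<alcie@example.com> 550
2006-10-25 11:40:00 198.51.100.7 RCPT TO:<alice@example.com> 250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"RCPT TO:<(?P<rcpt>[^>]*)> (?P<code>\d{3})$"
)

def parse_log(text):
    """Yield (timestamp, ip, recipient, reply_code); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["rcpt"], int(m["code"]))

def find_harvesters(text, window=timedelta(minutes=1), threshold=5):
    """Return {ip: peak} for sources whose 5xx RCPT TO rejections within any
    sliding window of `window` reach `threshold`: a directory-harvest signature."""
    rejects = defaultdict(list)
    for ts, ip, _rcpt, code in parse_log(text):
        if 500 <= code < 600:
            rejects[ip].append(ts)
    flagged = {}
    for ip, times in rejects.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

A single typo'd address from 198.51.100.7 stays below the threshold, while the alphabetical sweep from 203.0.113.5 is flagged; the KB 842851 tar pit complements this by delaying the 5xx replies so such a sweep runs slowly.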


"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:uEgA%23KJBHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Les,

Can you elaborate a bit more on this?

--
Claus
"Les Connor [SBS Community Member - SBS MVP]"
<les.connor@xxxxxxxxxxxx> wrote in message
news:eMtbFTIBHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
From an AD harvest? If AD filter is on, this is one of the
caveats - hence the use of tarpitting for mitigation.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me
and I'll understand." - Confucius


"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:%23I2lDv0AHHA.144@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

A first for me, so I would like to get some feedback from other
admins.

As a standard, we always change the Administrator account name
to something else. For the first time we had a break-in attempt
at one of our clients (SBS2003/ISA2004) that was using the
correct renamed admin account name. Now, the password is pretty
complex but I still don't like the fact that 50% of the
safeguard is out there. Does anybody have an idea how an outside
hacker would be able to obtain that username?

--
Claus