Re: Process running under Administrator account



Lanwench,

You mentioned the well-known SID issue in a reply to someone on 9/1/07 in
this same newsgroup ("Tracing a break-in attempt"). I asked some more
questions, but they got missed, so here they are again.

I did not realize the SID was all that was needed (or is it?). However,
let's say one has a terminal server with 3389 open to the Internet (I know a
VPN first or firewall authentication first would help). How does the hacker
try to get into the TS? Don't they just start with "administrator" and a
dictionary or other attack? In that case, would not the changing of the
admin name help?

How does the "well-known SID" factor into such an attack?

--
Gregg Hill

DISCLAIMER WARNING: the information contained in any reply I make is merely
an OPINION, one that I hope you will consider when you make a choice as to
what you will do on your systems or network.

**No recommendation is to be implied by my OPINION.**

There, that should cover it!
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OslDm0G%23HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
Ryan <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I disabled the administrator account for security reasons. At the
same time the event log shows failed administrator logon attempts.
Attempts repeat every 2 to 5 hours. The calling process has PID 944,
which I looked up as the svchost process.
This refers to the following services:

svchost.exe 944 AeLookupSvc, AppMgmt, BITS, Browser, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan,
RemoteAccess, Schedule, seclogon, SENS, ShellHWDetection, winmgmt, wuauserv

I cannot find any service that starts with the Administrator account.
Does someone have any suggestions?

As Susan said, you need to re-enable it.

I don't bother to rename the admin account anymore, either. Security by
obscurity = pretty useless, as anyone trying to hack into your server is
going after the well-known SID anyway.
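To make the "well-known SID" point concrete from the defender's side: the built-in Administrator account always has relative identifier (RID) 500 in the machine or domain SID, whatever its display name is, so an audit can locate it (and spot a decoy account merely named "Administrator") by RID rather than by name. The script below is an added example, not code from this thread; the account listing and SID values are constructed, and the tab-separated "name, SID" format is an assumption about how such a listing would be exported.

```python
import re

# Constructed sample listing (name<TAB>SID), not real accounts. The real
# built-in Administrator has been renamed to "svc_backup"; the account
# literally called "Administrator" is an ordinary user with RID 1006.
ACCOUNTS = """\
svc_backup\tS-1-5-21-1004336348-1177238915-682003330-500
Guest\tS-1-5-21-1004336348-1177238915-682003330-501
Administrator\tS-1-5-21-1004336348-1177238915-682003330-1006
ryan\tS-1-5-21-1004336348-1177238915-682003330-1105
"""

# RIDs that Windows assigns to the same accounts on every install.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...-<rid>' into (authority, subs, rid)."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    parts = [int(x) for x in m.group(2).split("-")[1:]]
    return int(m.group(1)), parts[:-1], parts[-1]


def is_machine_or_domain_sid(authority, subs):
    """Only S-1-5-21-... SIDs carry per-account RIDs such as 500."""
    return authority == 5 and subs[:1] == [21]


def find_well_known(listing):
    """Map account names to the well-known role their RID reveals."""
    found = {}
    for line in listing.splitlines():
        name, sid = line.split("\t")
        authority, subs, rid = parse_sid(sid)
        if is_machine_or_domain_sid(authority, subs) and rid in WELL_KNOWN_RIDS:
            found[name] = WELL_KNOWN_RIDS[rid]
    return found


def real_admin_name(listing):
    """Return the current name of the RID-500 account, or None if absent."""
    for name, role in find_well_known(listing).items():
        if role == "built-in Administrator":
            return name
    return None


if __name__ == "__main__":
    print(find_well_known(ACCOUNTS))
    print("RID 500 is currently named:", real_admin_name(ACCOUNTS))
```

Running it shows that the renamed account, not the one called "Administrator", is the RID-500 account, which is why renaming alone is the obscurity Lanwench describes.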