Re: Another security question/issue.

---

• From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
• Date: Tue, 25 Mar 2008 20:48:20 -0700

---

sbsstarter wrote:

Ok; I get daily hits to the disabled admin account. Event log tells
me they are denied access. First, I was told the reason the attempts
are higher than my lockout policy is because policies don't apply to
admin account - correct? How can I find out who is making these
attempts and how I can deny that individual access? The most annoying
instance happens very close to the same time every morning at about
4:00 a.m. The logs don't give an address of the user trying the
attempted logins. What are my options?

Post an example of your failed logon attempt.

Is your administrator account 'disabled' by choice, or are you saying it's
disabled by lockout policy?

While this may be an external cause, it may also be an internal driven
event. Did you change the administrator password lately?

Policy applies to all accounts, but the administrator has some protections
against denying the true administrator (person) from gaining access to the
server.

Second, if the account is obviously disabled, why would a hacker keep
attempting to access it? It's not going to work...right?

Third, I've been noticing fail authentication attempts with the user
name MDaemon. Is that an actual service that I need to deal with, or
is it an attempt at unauthorized access?

Post one of these too.

Finally....if I've closed all ports except 25 TO the SBS box from my
external firewall appliance, why am I still seeing failed
authentication attempts on a daily basis? Is it possible to attempt a
login through port 25 which is designated for exchange?

--
/kj


.

---

• Follow-Ups:
  • Re: Another security question/issue.
    • From: sbsstarter

• References:
  • Another security question/issue.
    • From: sbsstarter

• Prev by Date: Re: The unavoidable Trend Micro ERS Hosted account
• Next by Date: Re: Software RAID Recovery
• Previous by thread: Another security question/issue.
• Next by thread: Re: Another security question/issue.
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: com port access denied ... In regular XP Pro the account was a member of both Administrators and Power ... application that uses a number of com ports. ... The image has a 'user' account, in the administrator group as well ... (microsoft.public.windowsxp.embedded) AW: External Account Information ... Subject: AW: External Account Information ... If you haven't locked down Ports 137-139 (NetBios, Ports might be others, ... >to use the Guest account as a "honeypot" Administrator ... (Focus-Microsoft) Re: user accounts ... The other ones have problems with ports. ... to fix them? ... one of them was an administrator; and I changed to a regular ... account, and now I don't have an administrator account and I'm not able to do ... (microsoft.public.windowsxp.help_and_support) LOCKED OUT ... Log in under administrator and go into your normal ... account and take check box out of account disabled. ... You probably have some kind of lockout policy (ie: ... How do I un-lock the ... (microsoft.public.windowsxp.security_admin) Re: Event 1202 Warnings after Renaming Administrator Acct on SBS2003 ... policy to rename the account although it is not really necessary or useful. ... Did I check Group Policies for references to the Administrator ... Failed to perform redirection of folder Desktop. ... (microsoft.public.windows.server.general)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)