Re: Determine attacker IP?

Tech-Archive recommends: Fix windows errors by optimizing your registry

Well seeing how they are trying to attack using the "administrator" account
it would be advisable to rename it. I don't agree with your statement
"Renaming administrator offers little (but some) protections." If they know
"administrator" exists well that's 50% of the puzzle there. All that is
needed is a password. I think renaming the "administraotr" account offers
more security as just assigning complex passwords which should be in place
also.


"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:ehyfsU%23nIHA.1740@xxxxxxxxxxxxxxxxxxxxxxx
AllenM wrote:
Wrong. Although attackers do tend to use bizzare account names their
favorites are accounts that "do" exist such as "administrator"
"guest". They usually try to get in through the FTP port so if your
SBS server isn't a FTP server (and it shouldn't be) then you should
just disable FTP. Also the best way to stop this is to rename the
administrator account and disable the guest account.

The "best way" is have solid password policies (& human procedures),
complex, and changed often coupled with monitoring dillegence.

Guest should be disabled by default and shouldn't be enabled. Renaming
administrator offers little (but some) protections. Third party products
that install using a default service account should be much more of a
concern.

There are other effective hardening methods, but for SBS, this and a good
firewall with only required open ports should suffice.


ork.org> wrote in message
news:O19JXZ9nIHA.4832@xxxxxxxxxxxxxxxxxxxxxxx
Some persistent soul or drone attempted to log into my server
Administrator account. He/it tried about 30 times over two days at
4:40 in the morning. Is there an easy way to determine his IP
address and block or report it. I guess I'm dreaming about the
reporting part. SBS R2 Premium, ISA 2004 SP3. I get about one or two
break-in
attempts a month. Not bad. Usually, attackers try bizarre account
names that don't exist. Naturally, I have S7r0onN6Gg passwords/pass
phrases. Jim G

--
/kj



.

Relevant Pages

  • Re: Can I clone Administrator?
    ... you don't want to rename the profile folder. ... >> also rename the Administrator folder in Documents and Settings. ... >>> You should always, ALWAYS, have a second administrator account. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Can I clone Administrator?
    ... you don't want to rename the profile folder. ... > also rename the Administrator folder in Documents and Settings. ... >> You should always, ALWAYS, have a second administrator account. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Event 1202 Warnings after Renaming Administrator Acct on SBS2003
    ... policy to rename the account although it is not really necessary or useful. ... Did I check Group Policies for references to the Administrator ... Failed to perform redirection of folder Desktop. ...
    (microsoft.public.windows.server.general)
  • Event 1202 Warnings after Renaming Administrator Acct on SBS2003
    ... one referencing the original administrator account: ... specific policy setting that was flagged with a big, ... I used an incorrect procedure to rename the ...
    (microsoft.public.windows.server.general)
  • Re: Event 1202 Warnings after Renaming Administrator Acct on SBS2003
    ... Did you check the Group Policies for references to the Administrator ... Administrator account? ... what policy do you have? ... referencing the former administrator account. ...
    (microsoft.public.windows.server.general)