Re: Determine attacker IP?




Hi Allen:

KJ is right in that a well prepared attacker goes after the RID, not the
name. The name is just a label that we humans can read. The RID is a
number that for Windows domain administrators is always the 500 account.

Google this: windows administrator account 500

So while you will get some protection from amateurs, it is not likely that
many amateurs will get close enough to break it if you use a strong pass
phrase.

My !@# Cat Has 10K fleas!

is a strong pass phrase. Easy to type, hard to forget, and impossible for a
dictionary attack to break. The symbols are the first three on the number
row.

--
Larry

Please post the resolution to
your issue so that all can benefit.


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:ekMc4VAoIHA.1580@xxxxxxxxxxxxxxxxxxxxxxx
Well seeing how they are trying to attack using the "administrator"
account it would be advisable to rename it. I don't agree with your
statement "Renaming administrator offers little (but some) protections."
If they know "administrator" exists well that's 50% of the puzzle there.
All that is needed is a password. I think renaming the "administrator"
account offers more security as just assigning complex passwords which
should be in place also.


"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:ehyfsU%23nIHA.1740@xxxxxxxxxxxxxxxxxxxxxxx
AllenM wrote:
Wrong. Although attackers do tend to use bizarre account names their
favorites are accounts that "do" exist such as "administrator"
"guest". They usually try to get in through the FTP port so if your
SBS server isn't a FTP server (and it shouldn't be) then you should
just disable FTP. Also the best way to stop this is to rename the
administrator account and disable the guest account.

The "best way" is have solid password policies (& human procedures),
complex, and changed often coupled with monitoring diligence.

Guest should be disabled by default and shouldn't be enabled. Renaming
administrator offers little (but some) protections. Third party products
that install using a default service account should be much more of a
concern.

There are other effective hardening methods, but for SBS, this and a good
firewall with only required open ports should suffice.


ork.org> wrote in message
news:O19JXZ9nIHA.4832@xxxxxxxxxxxxxxxxxxxxxxx
Some persistent soul or drone attempted to log into my server
Administrator account. He/it tried about 30 times over two days at
4:40 in the morning. Is there an easy way to determine his IP
address and block or report it? I guess I'm dreaming about the
reporting part. SBS R2 Premium, ISA 2004 SP3. I get about one or two
break-in
attempts a month. Not bad. Usually, attackers try bizarre account
names that don't exist. Naturally, I have S7r0onN6Gg passwords/pass
phrases. Jim G

--
/kj
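
An added example, not part of the original thread: it tallies failed logons by source address and labels each target by the RID in its SID, so a renamed Administrator account still shows up as RID 500. The record layout, the account names (`srvadmin`, `jim`), the SIDs and the addresses are all constructed for illustration.

```python
from collections import Counter

# Well-known relative identifiers (RIDs) of the built-in accounts.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def builtin_role(sid):
    """Return the built-in role encoded in an account SID, or None."""
    parts = sid.split("-")
    # Account SIDs have the form S-1-5-21-<3 sub-authorities>-<RID>.
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    if not all(p.isdecimal() for p in parts[4:]):
        return None
    return WELL_KNOWN_RIDS.get(int(parts[-1]))

def summarize_failures(events, accounts):
    """Count failed logons per (source IP, kind of account targeted)."""
    tally = Counter()
    for _timestamp, name, source_ip in events:
        sid = accounts.get(name.lower())
        if sid is None:
            kind = "nonexistent account"
        else:
            kind = builtin_role(sid) or "ordinary account"
        tally[(source_ip, kind)] += 1
    return tally

# Constructed sample data: the Administrator account has been renamed
# to "srvadmin" (hypothetical name); its SID still ends in -500.
ACCOUNTS = {
    "srvadmin": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "guest": "S-1-5-21-1111111111-2222222222-3333333333-501",
    "jim": "S-1-5-21-1111111111-2222222222-3333333333-1104",
}
# Constructed failed-logon records: (timestamp, account name, source IP).
EVENTS = [
    ("2008-04-14 04:40:02", "Administrator", "203.0.113.7"),
    ("2008-04-14 04:40:05", "Administrator", "203.0.113.7"),
    ("2008-04-15 04:40:01", "administrator", "203.0.113.7"),
    ("2008-04-15 09:12:44", "srvadmin", "198.51.100.23"),
    ("2008-04-15 09:12:51", "SrvAdmin", "198.51.100.23"),
    ("2008-04-15 09:13:10", "jim", "198.51.100.23"),
]

if __name__ == "__main__":
    for (ip, kind), count in summarize_failures(EVENTS, ACCOUNTS).most_common():
        print(f"{ip:15} {count:3}  {kind}")
```

Guesses at the default name land on a nonexistent account after the rename, while any attempt against the renamed account is still reported as the RID 500 account.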







