Guest Craig Kalugin
Posted November 7, 2007

I recently noticed in the Security Event Log a lot of Failure Audits. These seem to be "Unknown Username or password" for the administrator. Looking at the event it shows a "Source Network Address". When I look up the addresses on the internet, they show mostly coming from China. It would appear that someone is trying to hack into our system (SBS2003, SP2) using the administrator name. We have Symantec Client Security and ISA2004. Is there anything I should be doing to make sure someone doesn't hack in? I am really nervous.
Guest G
Posted November 7, 2007

Re: Failure Audit

Things you can do to make sure that someone doesn't hack in:
1) Ask Shawn Carpenter http://en.wikipedia.org/wiki/Shawn_Carpenter.
2) Disconnect from the Internet.
3) Nothing.

Things you can do to make it highly improbable that someone hacks in:
1) Rename your administrator account to something innocuous and identical to your standard user logins (possibly change it to an existing account for a former employee that should have been disabled but was not, so the new account does not alert your cracker). Pay attention to attempts to (audit) use of the administrator login.
2) Change your administrator password at least as often as you change user passwords, and change it to a very strong but memorable password. I don't think that an IT professional should whine about a hard-to-type password.
3) Use biometrics like a fingerprint reader and/or a smart card, at least for the admin-equivalent account.
4) Secure traffic through your firewall.
5) Employ intrusion detection.
6) Hire the best consultants you can afford to help as needed. Include in the contract that their measures must work against #7 below.
7) Hire a separate penetration testing team.
8) Educate your users, and inform them of the attempted intrusion.
9) (Re)read "The Cuckoo's Egg" for why you do not use email for #8 and for other important ideas.
10) Figure out where the attempts that are not coming from China are coming from, and prosecute as appropriate.
11) Make this the large part of someone's job, preferably someone who has already shown due caution over and concern for security (see #8 and http://www.sans.org/training/bylocation/index_all.php).
12) Don't go overboard in a way that interferes with day-to-day productivity. Evaluate cost/benefit for your security measures.

--
Greg Stigers, MCSA
remember to vote for the answers you like
Guest Ryan Hanisco
Posted November 8, 2007

RE: Failure Audit

Hi Craig,

For any server exposed to the Internet, you'll see hits from all over and attempts to crack the passwords. You have to rely on tools that are made to withstand that kind of attack. Things like ISA and Symantec are built for that.

Normally you might have some recourse with the ISP for something like this, but coming from China, I am afraid you are pretty much on your own.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need quickly.

"Craig Kalugin" wrote:
> I recently noticed in the Security Event Log a lot of Failure Audits. These
> seem to be "Unknown Username or password" for the administrator. Looking at
> the event it shows a "Source Network Address". When I look up the addresses on
> the internet, they show mostly coming from China. It would appear that
> someone is trying to hack into our system (SBS2003, SP2) using the
> administrator name. We have Symantec Client Security and ISA2004. Is there
> anything I should be doing to make sure someone doesn't hack in? I am really
> nervous.
Guest Newell White
Posted November 8, 2007

RE: Failure Audit

Create a new account with a private name which is a member of Domain Admins - allow remote desktop and login to Terminal Server. Use this for remote access to servers. Now remove these privileges from the built-in Administrator account.

This simple step saved us from a hack by someone who had some (but not enough!) inside knowledge of our setup.

Also suggest that long passwords for any Administrators Group account are mandatory.

--
HTH,
Newell White

"Craig Kalugin" wrote:
> I recently noticed in the Security Event Log a lot of Failure Audits. These
> seem to be "Unknown Username or password" for the administrator. Looking at
> the event it shows a "Source Network Address". When I look up the addresses on
> the internet, they show mostly coming from China. It would appear that
> someone is trying to hack into our system (SBS2003, SP2) using the
> administrator name. We have Symantec Client Security and ISA2004. Is there
> anything I should be doing to make sure someone doesn't hack in? I am really
> nervous.
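As an added illustration of the auditing the thread recommends (this is example code, not from any of the posters), the script below parses constructed failure-audit records written in the style of the Windows Server 2003 event 529 "Logon Failure" description, counts failures per Source Network Address, and lists which sources tried the built-in (or renamed) Administrator account. The one-event-per-line layout, the sample addresses and the threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of Security Event Log records (event 529, "Logon Failure")
# flattened to one event per line, as an exported text listing might look.
# Not real captured data: the external addresses are RFC 5737 documentation
# ranges and 192.168.1.20 is an assumed internal workstation.
SAMPLE_EVENTS = """\
529|Failure Audit|Reason: Unknown user name or bad password|User Name: administrator|Logon Type: 10|Source Network Address: 203.0.113.5
529|Failure Audit|Reason: Unknown user name or bad password|User Name: administrator|Logon Type: 10|Source Network Address: 203.0.113.5
529|Failure Audit|Reason: Unknown user name or bad password|User Name: admin|Logon Type: 10|Source Network Address: 203.0.113.5
529|Failure Audit|Reason: Unknown user name or bad password|User Name: administrator|Logon Type: 3|Source Network Address: 198.51.100.7
529|Failure Audit|Reason: Unknown user name or bad password|User Name: jsmith|Logon Type: 2|Source Network Address: 192.168.1.20
528|Success Audit|User Name: jsmith|Logon Type: 2|Source Network Address: 192.168.1.20
"""

# Field values run up to the next '|' separator, so do not stop at whitespace.
FIELD = re.compile(r"(User Name|Source Network Address|Logon Type): ([^|\n]+)")

def parse_failures(text):
    """Return one dict per Failure Audit line with the fields we care about."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 2 or parts[1] != "Failure Audit":
            continue  # successful logons are not part of the brute-force picture
        fields = dict(FIELD.findall(line))
        fields["event_id"] = parts[0]
        events.append(fields)
    return events

def failures_by_source(events):
    """Count failed logons per Source Network Address."""
    return Counter(e["Source Network Address"] for e in events)

def privileged_account_attempts(events, names=("administrator",)):
    """Sources that tried the named account(s): the built-in Administrator,
    or the decoy left behind after renaming it, as Greg suggests watching."""
    wanted = {n.lower() for n in names}
    return sorted({e["Source Network Address"] for e in events
                   if e.get("User Name", "").lower() in wanted})

def flag_bruteforce(events, threshold=3):
    """Sources with at least `threshold` failures: candidates for a firewall
    block at ISA or for follow-up with the ISP."""
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_EVENTS)
    print(failures_by_source(evs))
    print(privileged_account_attempts(evs))
    print(flag_bruteforce(evs))
```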