Windows 2000 getting hacked - Help!

I am running a Windows 2000 Web Server in the office. It's hosting about 9 web sites on the same IP Address. It works great but my event log shows that it gets hit every 3 seconds by various hosts. The hosts are computer names and not IP addresses. At first they were random User IDs from random hosts. But now they are starting to hack into my server with logon IDs which are in the domain!! I'm certain that the security of the server has been compromised but don't know how and what I can do to prevent it. So far I've been changing the User IDs of all the Admin accounts but now they're using the new names. All the attempts show as failed attempts but how did they get the User information?

There is an Adtran router I'm sitting behind which was provided by the T1 guys. I don't have much control over the router. Is there a way to block those hosts from attacking me? Please help.

Thank you,

-Umar.

Reply to
Umar Farooq

Here's a wealth of really great security guides for free from the National Security Agency for Windows (all versions), Cisco routers & switches, Apps (web servers, SQL, etc). The NSA is the U.S. Crypto and Security Agency.

formatting link
Read them! Get a firewall. Get some router ACLs immediately and block whatever is attacking you.

alan

Reply to
Alan Strassberg

Must this firewall be a piece of hardware? Can it be software? This is the error I'm getting:

Event ID: 681 The logon to account: AlFarooq by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: CBLAPTOP failed. The error code was: 3221225578

Thank you for your help and advice!

Reply to
Umar Farooq
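Decoding the event quoted above, as an added example that is not part of the thread. The error code 3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD: the account name was accepted and only the password was rejected, so every such record confirms to whoever sent it that the name exists (3221225572, 0xC0000064, is the no-such-user case). The "from workstation" field is the NetBIOS name the client itself supplied in the authentication request, not an address, which is why it cannot be fed straight into a block list. The script parses constructed lines in the one-line form shown above, decodes the status and groups failures per workstation so that a station cycling through several accounts stands out; the sample records and the spraying threshold are constructed for the example.

```python
"""Triage of Windows 2000 Event ID 681 (failed account logon) records.

Added example; not code from the thread. The sample events below are
constructed in the one-line form quoted in the post.
"""
import re
from collections import defaultdict

# NTSTATUS values the 681 event reports (the log prints them in decimal).
STATUS_WRONG_PASSWORD = 0xC000006A   # decimal 3221225578: name valid, password wrong
STATUS_NO_SUCH_USER = 0xC0000064     # decimal 3221225572: name does not exist
NTSTATUS = {
    STATUS_WRONG_PASSWORD: "STATUS_WRONG_PASSWORD",
    STATUS_NO_SUCH_USER: "STATUS_NO_SUCH_USER",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_RE = re.compile(
    r"Event ID: 681 The logon to account: (?P<account>\S+) "
    r"by: (?P<package>\S+) from workstation: (?P<workstation>\S+) failed\. "
    r"The error code was: (?P<code>\d+)"
)

# Constructed sample: the line from the post plus a few more in the same form.
SAMPLE_EVENTS = [
    "Event ID: 681 The logon to account: AlFarooq by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: CBLAPTOP failed. The error code was: 3221225578",
    "Event ID: 681 The logon to account: AlFarooq by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: CBLAPTOP failed. The error code was: 3221225578",
    "Event ID: 681 The logon to account: SrvAdmin by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: CBLAPTOP failed. The error code was: 3221225578",
    "Event ID: 681 The logon to account: root by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: CBLAPTOP failed. The error code was: 3221225572",
    "Event ID: 681 The logon to account: jsmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: DESKTOP7 failed. The error code was: 3221225578",
    "Event ID: 529 constructed unrelated record that the parser must skip",
]


def decode_status(code):
    """Map the decimal code printed in the event to its NTSTATUS name."""
    return NTSTATUS.get(code, "unknown NTSTATUS 0x%08X" % code)


def parse_event(line):
    """Return the fields of one 681 record, or None for any other line."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    code = int(m["code"])
    return {
        "account": m["account"],
        "package": m["package"],
        "workstation": m["workstation"].upper(),  # NetBIOS names are case-insensitive
        "code": code,
        "status": decode_status(code),
    }


def triage(lines, spray_threshold=3):
    """Group 681 failures by the client-supplied workstation name.

    A station that tries spray_threshold or more distinct accounts is
    flagged as spraying. 'valid_names' lists accounts the server confirmed
    exist (wrong password), which is exactly how a freshly renamed admin
    account shows up once the attacker has the new name.
    """
    per_ws = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                  "valid_names": set(), "unknown_names": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s = per_ws[ev["workstation"]]
        s["failures"] += 1
        s["accounts"].add(ev["account"])
        if ev["code"] == STATUS_WRONG_PASSWORD:
            s["valid_names"].add(ev["account"])
        elif ev["code"] == STATUS_NO_SUCH_USER:
            s["unknown_names"].add(ev["account"])
    report = {}
    for ws, s in per_ws.items():
        report[ws] = {
            "failures": s["failures"],
            "accounts_tried": sorted(s["accounts"]),
            "valid_names": sorted(s["valid_names"]),
            "unknown_names": sorted(s["unknown_names"]),
            "spraying": len(s["accounts"]) >= spray_threshold,
        }
    return report


if __name__ == "__main__":
    for ws, r in triage(SAMPLE_EVENTS).items():
        print(ws, r)
```

Run against a real export, the split between valid_names and unknown_names is the useful part: a station whose failures are all STATUS_WRONG_PASSWORD against real accounts already has a correct list of names and is working on passwords, which is a different problem from a station guessing names blindly.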

When you use net view, do you see CBLAPTOP?

Reply to
fixtrix

Don't impose rules like that, no. Make the passwords *random* instead.

I know places where the rules are so rigid that they've severely cut down on the job a hacker would do:

Between 7 and 8 characters. At least one upper case char. At least one lower case char. At least one digit. No consecutively reoccurring characters. No part of the password longer than 1 character must be found in a dictionary (you can't have Z2iNto8w because of the "to" in it).

What's left is a MUCH smaller set of potential passwords than the full set, cutting down significantly on a hacker's work load.

Relying on the hackers not knowing the rules is called "security through obscurity", and doesn't work -- among other things because at least 2/3 of successful hacks are done with the aid of inside (or former inside) resources who would know the rules.

Regards,

Reply to
Arthur Hagen
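A way to put numbers on the argument above, as an added example that is not from the post. It counts, by inclusion-exclusion over the three character classes, how many 7- and 8-character passwords over A-Za-z0-9 contain at least one upper-case letter, one lower-case letter and one digit, optionally with no two adjacent identical characters, and compares that with the unconstrained space of the same lengths. The dictionary-substring rule from the post is not modelled; it removes more. As a comparison point beyond the post, compare() also reports the size of a plain 12-character password space.

```python
"""How much a rigid complexity policy shrinks the password space.

Added example; not from the post. Exact counts by inclusion-exclusion
over the three character classes; the dictionary-substring rule is not
modelled (it would remove more). Alphabet: A-Z, a-z, 0-9 (62 symbols).
"""
import math

CLASSES = (26, 26, 10)          # upper, lower, digit
ALPHABET = sum(CLASSES)         # 62


def _strings(alpha, n, no_adjacent_repeat):
    """Number of strings of length n over an alphabet of size alpha."""
    if alpha == 0:
        return 0
    if no_adjacent_repeat:
        # first symbol is free, every later one must differ from its predecessor
        return alpha * (alpha - 1) ** (n - 1)
    return alpha ** n


def constrained_count(n, no_adjacent_repeat=False):
    """Length-n passwords containing at least one symbol of every class.

    Inclusion-exclusion: sum over the subsets S of classes that are
    *excluded*, with sign (-1)^|S|, of the strings over the remaining
    alphabet. The adjacency rule survives this because it is defined per
    alphabet, so the same closed form applies to every term.
    """
    total = 0
    for mask in range(1 << len(CLASSES)):
        excluded = [CLASSES[i] for i in range(len(CLASSES)) if mask >> i & 1]
        alpha = ALPHABET - sum(excluded)
        sign = -1 if len(excluded) % 2 else 1
        total += sign * _strings(alpha, n, no_adjacent_repeat)
    return total


def free_count(n):
    """Length-n passwords with no rules at all."""
    return ALPHABET ** n


def bits(count):
    """Keyspace size expressed as bits of work for an exhaustive search."""
    return math.log2(count)


def compare(lengths=(7, 8), no_adjacent_repeat=True, reference_length=12):
    """Compare the rule-constrained space with the free space, in bits."""
    rigid = sum(constrained_count(n, no_adjacent_repeat) for n in lengths)
    free = sum(free_count(n) for n in lengths)
    return {
        "rigid": rigid,
        "free": free,
        "rigid_bits": bits(rigid),
        "free_bits": bits(free),
        "fraction_kept": rigid / free,
        "reference_bits": bits(free_count(reference_length)),
    }


if __name__ == "__main__":
    r = compare()
    print("7-8 chars, class + no-repeat rules: %.1f bits (%.0f%% of the free space)"
          % (r["rigid_bits"], 100 * r["fraction_kept"]))
    print("7-8 chars, no rules:                %.1f bits" % r["free_bits"])
    print("12 chars, no rules:                 %.1f bits" % r["reference_bits"])
```

Two things the numbers show once run: the class and adjacency rules by themselves throw away only about a third of the 7-8 character space, well under one bit, so the real damage in the rule set above comes from the dictionary rule (which the code does not model) and from capping the length at 8; and the 7-8 character cap costs far more against a 12-character password than any of the rules gain or lose. An attacker who knows the rules simply enumerates the smaller set.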

Also, your DMZ servers should be standalone. In other words why the hell are you including your DMZ servers in your domain. Very, Very risky.....

Also, think about using a UNIX with Apache running under a non root account...

Reply to
Michael J. Pelletier

Did I miss seeing what firewall you are using? If you are running a web server without a firewall then you are SOL.

So, first thing - get a firewall, you can then block any subnets that you don't want to allow access to your web server.

Second, secure the server - change all user passwords, make them 12 characters, upper/lower case, and include at least 1 number. Make sure that you are not exposing any services that you don't need to expose (all you need to expose is 80/443/FTP, and VPN) - the VPN is so that you can manage the server, you don't want to manage it with a non-VPN connection.

Between changing the passwords and the firewall and locking down the system, you should just see people attempting to get in.

Reply to
Leythos
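A check for the "don't expose services you don't need" step, added here as an example and not something from the post. It reads the output format of `netstat -an` on Windows (the sample below is constructed, not taken from the server in the thread) and reports every non-loopback listener that is not on the allow-list derived from the post. The allow-list assumes FTP on TCP 21, HTTP/HTTPS on 80/443 and PPTP on TCP 1723 for the VPN; an IPsec VPN would need UDP 500 instead, which is left in as a labelled assumption. The hits to look for are 135, 137-139 and 445: those carry RPC and NetBIOS/SMB, one path by which authentication attempts carrying a workstation name, like the 681 events earlier in the thread, can reach the box from outside.

```python
"""Find listeners on a Windows web server that are not on the allow-list.

Added example; not from the thread. Parses the 'netstat -an' output
format of Windows 2000 (constructed sample below) and reports every
externally reachable listener outside the set the post allows.
"""
import re

# Ports the post says are the only ones that need to be reachable.
ALLOWED_TCP = {21, 80, 443, 1723}   # FTP, HTTP, HTTPS, PPTP control channel
ALLOWED_UDP = {500}                 # IKE; assumption, only if the VPN is IPsec

# Names for the ports that typically turn up on a Windows 2000 box.
SERVICE_NAMES = {
    21: "ftp", 25: "smtp", 80: "http", 135: "msrpc", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 443: "https", 445: "microsoft-ds",
    500: "isakmp", 1433: "mssql", 1723: "pptp", 3389: "rdp",
}

# One netstat -an line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\w+))?\s*$"
)

# Constructed sample in the Windows netstat -an layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:80         10.1.2.3:51234         ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""


def parse_listeners(text):
    """Return (proto, local_address, port) for every listening socket.

    TCP lines count only in LISTENING state; UDP sockets have no state and
    are treated as listeners whenever they are bound.
    """
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # banner, header and blank lines
        proto, laddr, lport, _raddr, _rport, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, laddr, int(lport)))
    return listeners


def exposed_listeners(text):
    """Listeners reachable from the network that the allow-list does not cover."""
    findings = []
    for proto, laddr, port in parse_listeners(text):
        if laddr.startswith("127."):
            continue  # loopback only; not reachable from outside
        allowed = ALLOWED_TCP if proto == "TCP" else ALLOWED_UDP
        if port not in allowed:
            findings.append({
                "proto": proto,
                "port": port,
                "bind": laddr,
                "service": SERVICE_NAMES.get(port, "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_NETSTAT):
        print("%s %s:%d (%s) is reachable and not on the allow-list"
              % (f["proto"], f["bind"], f["port"], f["service"]))
```

On the constructed sample the finds are TCP 135, 139 and 445 plus UDP 137 and 445; the loopback listener on 1025 and the established HTTP connection are correctly ignored. Anything the script lists should be closed on the host or blocked upstream, and the RPC/SMB group in particular has no business being reachable from the Internet on a web server.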

It could be software, but there isn't one on the market I would trust running on the SAME server as my web sites.

Here is the information you need to understand this:

formatting link
I just did a google search of Event ID: 681, the top 5 results explained it.

Reply to
Leythos

I agree, but in reality, when users can change their passwords, you end up with people using weak passwords. I just wanted him to change the current ones so that he could make sure that someone wasn't already authenticating through a weak passworded account.

7-8 characters vs 12 is still going to be tough to crack, but I should have expanded on it like you did.

The problem is that since he exposes the authentication ability from the OS, he's limited in what he can do. I never expose the OS authentication layers directly.

Reply to
Leythos

I thought he said "domain IDs" did he not?

Reply to
Michael J. Pelletier

[snip]

I don't see where his servers are running in any domain, except their own. Since he doesn't have a DMZ, and the servers appear to be hosted, it's not a threat to his local network.

Reply to
Leythos


It doesn't matter, here, they are accounts from its own domain.

Wolfgang

Reply to
Wolfgang Ewert

There are other ways to get this information. What services does it offer? What about open ports? What about the patch level? Have you designed your webserver (IIS, I think) only for web services? There are some papers and tools at Microsoft:

formatting link
lockdown tool for IIS.

That can't help; your server must be robust enough by itself. But you can use ipsecpol to filter these network ranges. You can use the URL filtering tool for IIS from MS.

Find out what the intruder's way in was (forensic analysis). Take it down, flatten it and rebuild it with more secure settings. That's the only way.

Sorry, but I think it's the only help.

Wolfgang

Reply to
Wolfgang Ewert

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.