Hacking attempt

Status
Not open for further replies.

kathanon

Technical User
Jan 29, 2002
I was horrified to come in to work yesterday and, on checking the security logs, find attempted logons as administrator, and then guest (which is disabled). This is the first time this has happened.

What I did was look at the firewall logs and marry up the IP addresses with the W2K server event log, look up the IP address and report the attempts to the person's ISP.

I did try changing the administrator account name, but I had crashes and server freezes, so I am reluctant to try again. I used the policies too. I wonder if there are any other steps I can take to harden the server.

Thanks

Kathy
 
I should have added that I have accounts set to lock out after a few attempts and use complex passwords and require admin resetting of the counter. I am also wondering if there is any way I can tell if the person was successful and got into the system. I have failed logon attempts set and am assuming that as they first attempted administrator and then guest, that they didn't manage to gain access. It did give me a bit of a shock to see it all in the logs.

Thanks
 
Hi there,

My immediate thoughts / responses to this are as follows:

1. Set logging ON for successful logons as well as failed ones. Additionally, you could rename the Admin account to something less obvious and delete / disable the guest account.

2. W2K auditing is a useful weapon in monitoring your server - you can enable disk and file access logging for sensitive information if you wish.

3. You mention that you've checked your firewall logs - can you provide some more info about what you're using? It sounds as though your firewall might not be blocking as much access as it should.

4. Depending on your organisation's size and security budget, you may wish to give some serious consideration to getting a security audit / hardening performed on your systems and investing in a stronger firewall.

Hope this helps,

HoinviP
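
An added example, not part of either post above: once successful logons are audited as well as failed ones, the Security log can answer whether a guessing run ever got in. It assumes a hand-made, chronological CSV export (time, event ID, account, workstation) and uses the Windows 2000 event IDs 529/531/539 for failures and 528/540 for successes; the sample rows and names are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs (pre-Vista numbering).
FAILED = {"529", "531", "539"}  # bad password, account disabled, account locked out
SUCCESS = {"528", "540"}        # successful logon, successful network logon

# Constructed sample data. Assumed layout: time,event ID,account,workstation,
# in chronological order. This is not the format of any particular export tool.
SAMPLE_LOG = """\
2002-06-10 02:14:05,529,Administrator,UNKNOWN-PC
2002-06-10 02:14:09,529,Administrator,UNKNOWN-PC
2002-06-10 02:14:15,529,Administrator,UNKNOWN-PC
2002-06-10 02:14:21,539,Administrator,UNKNOWN-PC
2002-06-10 02:15:02,531,Guest,UNKNOWN-PC
2002-06-10 08:55:40,528,jsmith,OFFICE-PC1
2002-06-10 09:01:12,529,jsmith,OFFICE-PC1
2002-06-10 09:01:30,528,jsmith,OFFICE-PC1
"""

def parse(log_text):
    """Yield (timestamp, event_id, account, workstation), skipping malformed rows."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 4:
            when, event_id, account, source = (field.strip() for field in row)
            yield datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), event_id, account, source

def failed_counts(log_text):
    """Count failed logon events per account (case-insensitive)."""
    return Counter(acct.lower() for _, eid, acct, _ in parse(log_text) if eid in FAILED)

def suspicious_successes(log_text, window_minutes=30, min_failures=3):
    """Return successful logons that follow a burst of failures on the same account."""
    window = timedelta(minutes=window_minutes)
    failures, hits = {}, []
    for ts, eid, acct, source in parse(log_text):
        key = acct.lower()
        if eid in FAILED:
            failures.setdefault(key, []).append(ts)
        elif eid in SUCCESS:
            recent = [f for f in failures.get(key, []) if timedelta(0) <= ts - f <= window]
            if len(recent) >= min_failures:
                hits.append((ts.isoformat(sep=" "), acct, source, len(recent)))
    return hits

if __name__ == "__main__":
    print(dict(failed_counts(SAMPLE_LOG)))
    print(suspicious_successes(SAMPLE_LOG))
```

An empty result only means something when success auditing was already on at the time of the attempts; a single mistyped password followed by a normal logon stays below the threshold and is not flagged.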
 