Orin,

I believe you've landed on the wrong discussion list. This one is for IMail
Server, and what you are asking is about w2k server. w2k server security is
a completely different animal that could occupy one person 24/7. There are
several different security 'strategies', if you will, for different types of
w2k install. For a roll-your-own solution for w2k server security, just
search via google.com for w2k security. Likewise, search for w2k event logs
and you'll find tons of help. The logs are adjustable, with IPs, and
lockdown is too, by IP. Microsoft does offer a security tool, free believe
it or not, that may be of help to you.

~Rick

----- Original Message -----
From: "Orin Wells" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 19, 2003 2:10 AM - SATCOM
Subject: [IMail Forum] Server Intrusion


> Hopefully one of you administrators who is more experienced on a Windows
> 2000 Server can give me some hints.
>
> I have observed that someone has been attempting to log on to our server by
> trying to guess the passwords of the users.  We have possibly 15 to 20
> Windows 2000 users defined.  Somehow the hacker has been able to get a
> list of the user names.
>
> My first question is does anyone know how they would accomplish this and
> what can be done to prevent it in the future?
>
> Next I see where they have taken each name in order (administrator right on
> down to the last user) and probed several times apparently with some set of
> standard passwords.  As far as I can tell they have not even
> tried.  Unfortunately, the Microsoft Security log is so lame it does not
> really give any clues as to who is making the attempts.  It shows a
> Workstation ID of "YOUNGSAN" from the domain "YOUNGSAN".  But it does not
> include any IP address.  By the way, this is at least the second time this
> Workstation has done this.  I have also seen another workstation somewhere
> do the same.  I realize this may be some auto-pilot program doing this and
> just coming back around after going elsewhere.
>
> Question 2.  Is there something in the Microsoft Windows 2000 standard
> recording tools that would identify the IP address or is there a tool on
> the utility/tools CD that comes with the documentation package that would
> do this?
>
> Question 3.  Is there a way to completely block an IP, a Domain and/or a
> Workstation from logging in even if they somehow hit on a valid combination?
>
> Finally, I have a hunch that someone has managed to gain access to some
> level because I have seen the Security log cleared, possibly to cover their
> tracks.
>
> Question 4.  Is there any way for someone to clear the security log without
> gaining access with administrative privileges?  If so, how can it be prevented?
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
