Enabling logging on IPC$ share?

Guest

I have hooked a Win2K Domain Controller to the Internet and I'm curious what types of access I will see. I have enabled all kinds of logging, but would like to enable logging on the Administrative shares and the IPC$ share. Is that possible?
 
Steven Umbach

Curious?? You should hope to see no access from the internet to a domain
controller unless this is an intrusion detection project on a non-production DC.
You can enable auditing of object access and then audit particular folders/files
but that will generate a lot of events in the security log. Auditing of logon
events will give you the most information in conjunction with firewall logs. A
personal firewall such as Sygate [free to try] has lots of logging capabilities
and can be used just for that purpose by disabling the firewall function itself.
Packet sniffers such as the built-in Netmon or another free one will give a lot of
detailed information at the packet level. TCPView from SysInternals will give a
lot of information on live network connections mapping ports to
processes/applications. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Kazil said:
I have hooked a Win2K Domain Controller to the Internet and I'm curious what
types of access I will see. I have enabled all kinds of logging, but would like
to enable logging on the Administrative shares and the IPC$ share. Is that
possible?
 
David Barnes

If you really have connected a Win2k DC to the internet, without firewall,
system lockdown or disabling netbios/file sharing, YOU SHOULD TURN IT OFF
IMMEDIATELY, FORMAT THE DISKS AND RE-INSTALL COMPLETELY.

Why: You will have been hacked!

Half a day was the best a server lasted when I tested this recently for a
security project.

David


Kazil said:
I have hooked a Win2K Domain Controller to the Internet and I'm curious
what types of access I will see. I have enabled all kinds of logging, but
would like to enable logging on the Administrative shares and the IPC$
share. Is that possible?
 
Petr Kazil

Thanks for your nice reactions, I hear a lot of interesting ideas! I have a
few follow-up questions:
If you really have connected a Win2k DC to the internet, without
firewall, system lockdown or disabling netbios/file sharing <snip>

Even worse, I've enabled Terminal services so anyone can try to log in - and
some people try.
It's a sacrificial machine, when I get bored of the exercise I'll just
reinstall it. In the meantime I learn a lot about logging and log-analysis.

I've enabled any (Win2K native) log-option that I know of and I still don't
feel quite satisfied. I have the auditing options set according to MS
guidelines, I'm logging web-access, FTP-access and even the DNS-debug
options. I have enabled "failed" file access to my whole C drive (doesn't
seem to generate a lot of entries though ...). I have the network-monitor
running all the time, so I can see what people are trying to do.

I don't have the feeling that someone is inside the machine (yet). No weird
log entries. No new files or strange processes. No unexplainable network
traffic.

Question 1: What would be the signs of a successful hack?

Question 2: I know about "snort" and such tools, but first I want to see
what a Win2K machine can log on its own. Anything else I could enable?

I may be wrong, but I have the feeling that an up to date, patched Win2K
machine is quite resilient on its own. I've run nessus against the box and
I've still 7 holes and 25 warnings to go, but most of them are just DoS
vulnerabilities. Nothing someone could hack me with (I hope).

Question 3: Am I totally wrong?
 
Petr Kazil

You can enable auditing of object access and then
audit particular folders/files ...

Yes, but looking under "Computer Management" - "Shares" I see no possibility
to enable logging on the IPC$ share. That possibility doesn't seem to exist
(never heard about it either).
 
Petr Kazil

A personal firewall such as Sygate [free to try] has lots of logging
capabilities
and can be used just for that purpose by disabling the firewall function
itself.

A very nice tool! I've put it into the "Allow all" mode and now it just logs
every packet and connection that goes in or out. Tomorrow I hope to
correlate the security log events with the incoming connections. It looks
easier than going through the Netmon logs.
 
Steven Umbach

Not that I know of directly. Logoff events in the security log for the
anonymous account may indicate somebody trying to create a null session to the
IPC$ share. If you see a lot of logon failures for users from non-default
accounts, that is a good indication someone used IPC$ to enumerate your user
accounts. --- Steve

http://www.sans.org/rr/papers/index.php?id=286
 
Steven Umbach

There can be lots of signs of a successful hack with the primary being new user
accounts [especially in administrators group], changed administrator password,
changed permissions, new files/folder/applications/processes, deleted files,
increased network activity, successful network type 3 logons in the security log
or the security log being cleared, and YOU being locked out.

In addition to built-in auditing and logging that you are using you might want
to configure Performance Monitor to monitor some counters for server, tcp,
network, etc. You can also configure it to send you alerts at certain
thresholds.


I agree that a fully patched/hardened operating system can handle a lot on its
own [especially if ipsec filtering is also implemented]. Of course a firewall
will help prevent against future currently undiscovered vulnerabilities and
rebuff DOS attacks hopefully before they get to internal machines. In addition
to being fully patched [including IIS and using the IIS lockdown tool], very
complex passwords, renaming the administrator account and an account lockout
policy also using passprop to enable admin account to be locked out will go a
long way to protecting your computer. If you get bored and want to see some
action enable the guest account or change the admin password to something
simple. Have fun. --- Steve
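
The log signs Steven lists in his two replies above (anonymous-account logon/logoff events, failures against real account names, new accounts, group changes, type 3 logons, a cleared log) can be checked mechanically. This is an added example, not part of the thread: it assumes the security log was exported to CSV with the hypothetical columns shown, and matches on the Windows 2000 event IDs 517, 529, 538, 540, 624, 628, 632 and 636.

```python
import csv, io
from collections import defaultdict

# Windows 2000 security-log event IDs for the signs listed in the thread.
SIGNS = {517: "security log cleared", 624: "user account created",
         628: "account password set", 632: "member added to global group",
         636: "member added to local group"}
DEFAULT_ACCOUNTS = {"administrator", "guest"}

def triage(export_csv, domain_accounts, min_names=3):
    """Return (time, source, finding) tuples from a CSV export of the log.

    Columns assumed: time,event_id,user,logon_type,source (hypothetical layout).
    domain_accounts: real account names, which an outsider should not know.
    """
    findings = []
    guessed = defaultdict(set)   # source -> real non-default names that failed
    known = {a.lower() for a in domain_accounts} - DEFAULT_ACCOUNTS
    for row in csv.DictReader(io.StringIO(export_csv)):
        eid, user, src = int(row["event_id"]), row["user"], row["source"]
        if eid in SIGNS:
            findings.append((row["time"], src, f"{SIGNS[eid]} ({user})"))
        elif eid in (538, 540) and user.upper() == "ANONYMOUS LOGON":
            findings.append((row["time"], src, "possible null session"))
        elif eid == 540 and row["logon_type"] == "3":
            findings.append((row["time"], src, f"network logon succeeded ({user})"))
        elif eid == 529 and user.lower() in known:
            guessed[src].add(user.lower())
            if len(guessed[src]) == min_names:   # report once per source
                findings.append((row["time"], src,
                                 "failures for real account names: enumeration likely"))
    return findings

# Constructed sample export, not taken from a real log.
SAMPLE = """time,event_id,user,logon_type,source
2003-05-01 02:10:04,540,ANONYMOUS LOGON,3,SCANNER1
2003-05-01 02:10:09,538,ANONYMOUS LOGON,3,SCANNER1
2003-05-01 02:11:30,529,jsmith,3,SCANNER1
2003-05-01 02:11:31,529,backupsvc,3,SCANNER1
2003-05-01 02:11:32,529,helpdesk,3,SCANNER1
2003-05-01 02:40:12,540,helpdesk,3,SCANNER1
2003-05-01 02:41:00,624,helpdesk,,
2003-05-01 02:41:20,636,helpdesk,,
2003-05-01 02:45:55,517,helpdesk,,
"""

if __name__ == "__main__":
    for f in triage(SAMPLE, ["jsmith", "backupsvc", "helpdesk", "Administrator"]):
        print(*f, sep=" | ")
```

Failures against names that exist only in the domain are the useful signal here: random guesses at "admin" or "test" are background noise, while hits on real account names mean the list leaked.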
 
David Barnes

Petr,

Our main pointer to activity was process logging (basically turn on auditing
for everything including successful file access)... Hey the logs get mega
and you have to dump them off to another machine to interpret, but there are
many good 'parsers' out there to help with this. We also used a binary file
checksum system out of an old virus package (Dr Solomon's) to detect file
changes at the binary level.

I presume you're fully 'patched'. Our project was to prove the
vulnerabilities of unpatched system, going up through the service packs, to
finally fully patched. Even fully patched we still got breached (no
lockdown).
The main doorway was the telnet service.. there appears to be some
bypass/hack that hasn't been identified/patched yet.
We also tested the popular remote control program Radmin, and this seemed to
succumb to the telnet problem as it hooks into telnet to offer it out as
part of the Radmin suite of access to the system. This was how we noticed
the telnet issue, as we received a scan/test on the Radmin port and then an
hour later, bang.. straight in over the Radmin/telnet... Telnet.exe was the
only notable file access prior to cmd.exe firing up.!! deleting telnet.exe
seemed to keep our Radmin more secure..


David
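
The binary checksum approach David describes comes down to taking a baseline of hashes while the machine is known clean and comparing later snapshots against it. This is an added example, not part of the thread and not the tool he used: it substitutes SHA-256 for whatever checksum that package computed, and the file names and extension list are constructed for the demonstration.

```python
import hashlib, os, tempfile

BINARY_EXT = (".exe", ".dll", ".sys", ".com")   # assumed set of interest

def snapshot(root):
    """Map relative path -> SHA-256 for every binary under root."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(BINARY_EXT):
                path = os.path.join(folder, name)
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digests[os.path.relpath(path, root).lower()] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted lists of added, removed and modified binaries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Run both steps on a constructed directory standing in for a system folder."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("telnet.exe", b"original telnet")
        write("cmd.exe", b"original cmd")
        write("notes.txt", b"not a binary, ignored")
        baseline = snapshot(root)          # taken while the machine is clean
        write("cmd.exe", b"patched cmd")   # content replaced in place
        write("svch0st.exe", b"dropped")   # new binary appears
        os.remove(os.path.join(root, "telnet.exe"))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it is stored off the monitored machine, for the same reason David dumps the logs to another host.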
 
