Securing against an internet based intrusion

Ari

I like to run a tight ship and have taken some security measures to
help keep my system more secure. One topic I've never seen discussed
before is what measures the OS takes if it detects multiple guesses of
the administrator's password via the internet, which is likely an
attempt to gain unauthorized access.

I have renamed the administrator's account to an unusual name, so
(presumably) an intruder has to somehow figure out the account name
that has administrative privileges. But, let's say this has been done,
and the intruder begins guessing passwords, hoping I was stupid enough
to use a blank line or an easy to guess password (such as
'administrator'::>).

What is to stop the intruder from running all the possible
combinations of passwords until the system unlocks for him (or her)?

Clearly, such an attack should (at the very minimum) alert the
keyboard operator and should slow down acceptance of guesses to give
the kb operator more time to respond. But, stopping the computer from
operating if this is detected amounts to an easy means of launching a
denial of service attack....so, clearly shutting down the computer is
not an option.

Just exactly what does XP do when it detects multiple wrong guesses of
the administrator's password? Is this issue something I don't need to
worry about (because XP has it covered), or does XP sit there and
watch it happen?

Thanks,

Ari
 
Lanwench [MVP - Exchange]

Ari said:
> I like to run a tight ship and have taken some security measures to
> help keep my system more secure. One topic I've never seen discussed
> before is what measures the OS takes if it detects multiple guesses of
> the administrator's password via the internet, which is likely an
> attempt to gain unauthorized access.
>
> I have renamed the administrator's account to an unusual name, so
> (presumably) an intruder has to somehow figure out the account name
> that has administrative privileges. But, let's say this has been done,
> and the intruder begins guessing passwords, hoping I was stupid enough
> to use a blank line or an easy to guess password (such as
> 'administrator'::>).
>
> What is to stop the intruder from running all the possible
> combinations of passwords until the system unlocks for him (or her)?
>
> Clearly, such an attack should (at the very minimum) alert the
> keyboard operator and should slow down acceptance of guesses to give
> the kb operator more time to respond. But, stopping the computer from
> operating if this is detected amounts to an easy means of launching a
> denial of service attack....so, clearly shutting down the computer is
> not an option.
>
> Just exactly what does XP do when it detects multiple wrong guesses of
> the administrator's password? Is this issue something I don't need to
> worry about (because XP has it covered), or does XP sit there and
> watch it happen?
>
> Thanks,
>
> Ari

I don't know whether account lockout will do anything in XP, but the first step
is getting a good firewall in place between your computer and the Internet
modem/router you use - even if you use the XP firewall as well. Don't allow
any inbound traffic at all, and you're in decent shape. Depending on the
model, you may be able to turn up logging such that you can see what people
(or hijacked computers) are trying to do - even dump it out to a syslog
server.
If you use wireless, don't use a wide open access point - use WPA at
minimum.
Use a good, long, complex password on your default administrator account,
and also on your own account (and don't put your own account in the
Administrators group).
 
Steven L Umbach

It is the job of a firewall to prevent a user from the internet from
trying to access your computer via a server service such as file and print
sharing or Remote Desktop. Most users do not have a need to offer such to
internet users and you can go to a self scan site like
http://scan.sygatetech.com/ to see if there are any ports open to your network
that could expose a vulnerability. If you do have a need to provide access
to legitimate users from the internet then it is best to use a device like
an ipsec endpoint firewall or a VPN server that allows l2tp connections only
as that would prevent a malicious user from trying to guess passwords since
his "computer" could not authenticate to your VPN. L2tp/ipsec requires
certificate or pre shared key for computer authentication.

All that aside the operating system would record failed logon attempts and
assuming auditing of logon/account logon events was enabled in security
policy you would see the failed logon attempts recorded. If account lockout
was enabled then the legitimate account could be locked out which can lead
to a denial of service as you mention. If you enforce strong and complex
passwords it is extremely unlikely that the attacker would gain access and
would probably quit after a short period of time. It is much slower and more
difficult to try and crack passwords over the network than if a user has
direct physical access to the computer itself. In high security
environments implementation of ipsec [requiring computer authentication]
and/or something like smartcards and requiring their use can mitigate old
fashioned password attacks. Again a properly configured firewall ideally at
the perimeter of the network is your best defense from such attacks ever
reaching your computer in the first place. The link below may be of
interest. --- Steve

http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
 
Ari

> I don't know whether account lockout will do anything in XP, but the first step
> is getting a good firewall in place between your computer and the Internet
> modem/router you use - even if you use the XP firewall as well. Don't allow
> any inbound traffic at all, and you're in decent shape. Depending on the
> model, you may be able to turn up logging such that you can see what people
> (or hijacked computers) are trying to do - even dump it out to a syslog
> server.

We have DSL, there is a rumored hardware firewall in the modem. I
don't know if it's effective, but we use Zone Alarm software firewall
too.

We have a single administrator, changed the name to something obscure
and use a REAL password on it. I can remember it, but just barely.

The 3 users on the computer do not have administrative privileges, and
when we need to add software or perform duties that require
administrative privileges, the modem is turned off until maintenance
is completed. Even the non administrative users log in by REAL
passwords.

File and printer sharing is turned off-my understanding is that this
will not let anyone in to the hard drive if they make it through the
firewall.

> If you use wireless, don't use a wide open access point - use WPA at
> minimum.

We do have a wireless router for connection to a second laptop
computer, which is currently running wide open access....but not for
long. I will encrypt it soon. Filesharing and printer sharing for the
wireless connected laptop is also turned off.

> Use a good, long, complex password on your default administrator account,
> and also on your own account (and don't put your own account in the
> Administrators group).

Done.

Thanks for commenting, it's much appreciated.

A
 
Ari

> It is the job of a firewall to prevent a user from the internet from
> trying to access your computer via a server service such as file and print
> sharing or Remote Desktop. Most users do not have a need to offer such to
> internet users and you can go to a self scan site like
> http://scan.sygatetech.com/ to see if there are any ports open to your network
> that could expose a vulnerability. If you do have a need to provide access
> to legitimate users from the internet then it is best to use a device like
> an ipsec endpoint firewall or a VPN server that allows l2tp connections only
> as that would prevent a malicious user from trying to guess passwords since
> his "computer" could not authenticate to your VPN. L2tp/ipsec requires
> certificate or pre shared key for computer authentication.

I don't know about VPN, but it sounds interesting. I did comment about
our current security in reply to Lanwench's post.

The scans at sygatetech came back negative, even without the software
firewall engaged, so I guess that hardware firewall in our DSL modem
is doing a fairly good job. The only scan I couldn't do was the ICMP
scan, which the website said isn't enabled at this time.

> All that aside the operating system would record failed logon attempts and
> assuming auditing of logon/account logon events was enabled in security
> policy you would see the failed logon attempts recorded.

OK, I had no idea XP would log failed attempts, I'd like to know more
about this. Sounds like something many users should know about::>

> If account lockout
> was enabled then the legitimate account could be locked out which can lead
> to a denial of service as you mention.

OK, when you say 'IF', does that mean that it is an option to enable a
lockout if too many guesses are logged? I'd be willing to allow this
on my system as it appears that there are many ways around the log in IF one
has physical access to the hardware. Does 'IF' mean I can enable a
lock out or is this option not available at all?

> If you enforce strong and complex
> passwords it is extremely unlikely that the attacker would gain access and
> would probably quit after a short period of time. It is much slower and more
> difficult to try and crack passwords over the network than if a user has
> direct physical access to the computer itself. In high security
> environments implementation of ipsec [requiring computer authentication]
> and/or something like smartcards and requiring their use can mitigate old
> fashioned password attacks. Again a properly configured firewall ideally at
> the perimeter of the network is your best defense from such attacks ever
> reaching your computer in the first place. The link below may be of
> interest. --- Steve
>
> http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx

My passwords are proper and strong. I'll look over the link above
later tonight when the house is quieter.

Thanks,

Ari
 
Steven L Umbach

Comments inline.

Ari said:
> I don't know about VPN, but it sounds interesting. I did comment about
> our current security in reply to Lanwench's post.
>
> The scans at sygatetech came back negative, even without the software
> firewall engaged, so I guess that hardware firewall in our DSL modem
> is doing a fairly good job. The only scan I couldn't do was the ICMP
> scan, which the website said isn't enabled at this time.

That is a huge plus if you have a firewall at the modem also. You need an
endpoint ipsec device or Windows Server to use VPN with ipsec. XP Pro can
take a single inbound connection as a pptp VPN server.

> OK, I had no idea XP would log failed attempts, I'd like to know more
> about this. Sounds like something many users should know about::>

I believe it is enabled by default. You can use Event Viewer to see the
security logs. You can use Local Security Policy [secpol.msc] in XP Pro only
to manage auditing under local policies/audit policy. The links below may be
helpful explaining in more detail.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 --- works
same in XP Pro.
http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958 --- ditto.

> OK, when you say 'IF', does that mean that it is an option to enable a
> lockout if too many guesses are logged? I'd be willing to allow this
> on my system as it appears that there are many ways around the log in IF one
> has physical access to the hardware. Does 'IF' mean I can enable a
> lock out or is this option not available at all?

Yes you can use Local Security Policy in XP Pro or the net accounts command
in XP Pro and XP Home as explained in the link below. FYI if an
attacker has physical access to your computer password lockout will not
protect you as the user can resort to several methods to access your non
encrypted data including borrowing your hard drive which you may never even
know about. If that is a concern you need to physically secure your
computer to some degree which may be at minimum a sturdy computer case that
locks the case and access to the drives/power switch, and configure
cmos to boot only from the system drive and password protect cmos settings.

http://support.microsoft.com/kb/q194739/

> If you enforce strong and complex
> passwords it is extremely unlikely that the attacker would gain access and
> would probably quit after a short period of time. It is much slower and more
> difficult to try and crack passwords over the network than if a user has
> direct physical access to the computer itself. In high security
> environments implementation of ipsec [requiring computer authentication]
> and/or something like smartcards and requiring their use can mitigate old
> fashioned password attacks. Again a properly configured firewall ideally at
> the perimeter of the network is your best defense from such attacks ever
> reaching your computer in the first place. The link below may be of
> interest. --- Steve
>
> http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
>
> My passwords are proper and strong. I'll look over the link above
> later tonight when the house is quieter.
>
> Thanks,
>
> Ari
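Steve's point that XP records failed logons (event ID 529, "Logon Failure: Unknown user name or bad password") and Ari's worry that account lockout hands an attacker a denial of service both come down to the same question: how do you spot a guessing run in the audit log without locking the account? The detector below is an added example, not code from the original posts; the log lines are constructed in a simplified one-line form rather than the real Event Viewer export format, and the source addresses, account names and the 5-in-60-seconds threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE = 529  # Windows 2000/XP: "Logon Failure: Unknown user name or bad password"
# Constructed sample records in a simplified one-line form, not the real Event
# Viewer export format: date time event_id outcome account=... source=...
SAMPLE_LOG = """\
2006-03-01 22:10:01 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:10:02 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:10:02 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:10:03 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:10:03 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:10:04 529 bad_password account=xk9admin source=10.0.0.77
2006-03-01 22:15:00 529 bad_password account=alice source=192.168.1.5
2006-03-01 22:15:09 528 success account=alice source=192.168.1.5
"""

def parse_events(text):
    """Turn the one-line records into dicts keyed like the audit fields."""
    events = []
    for line in text.splitlines():
        date, clock, event_id, _outcome, account, source = line.split()
        events.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account.split("=", 1)[1],
            "source": source.split("=", 1)[1],
        })
    return events

def find_guessing_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per source with >= threshold failed logons inside a sliding
    window. The response is an alert (block the source at the firewall), not a
    lockout of the target account, which would hand the attacker a DoS."""
    recent = defaultdict(deque)  # source -> failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != LOGON_FAILURE:
            continue  # a single typo followed by a 528 success is normal use
        queue = recent[ev["source"]]
        queue.append(ev)
        while ev["time"] - queue[0]["time"] > window:
            queue.popleft()
        alert = alerts.get(ev["source"])
        if alert is not None:  # already flagged: keep counting
            alert["count"] += 1
            alert["accounts"].add(ev["account"])
        elif len(queue) >= threshold:
            alerts[ev["source"]] = {
                "source": ev["source"],
                "accounts": {e["account"] for e in queue},
                "count": len(queue),
                "first": queue[0]["time"],
            }
    return list(alerts.values())
```

Alice's one mistyped password followed by a successful 528 logon never reaches the threshold, while the six rapid failures from 10.0.0.77 do; the alert names the source to block rather than the account to lock.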
 
Ron Martell

> We have DSL, there is a rumored hardware firewall in the modem. I
> don't know if it's effective, but we use Zone Alarm software firewall
> too.

DSL modems are not likely to incorporate a firewall, but a DSL
modem-router combination would almost certainly include NAT (network
address translation) which is at least 99 and 44/100% effective as a
hardware firewall. Theoretically it is breachable but I have never
heard of an actual successful malicious attack.

If your DSL modem has a DHCP server that allocates non-routable IP
addresses to your network computers (e.g. addresses in the
192.168.xxx.yyy range) then it undoubtedly has NAT as well. However
if you are using fixed local IP addresses or if you have a computer
on the network configured as a DHCP server then your modem may not
have NAT.

4 port Cable/DSL routers are basically cheaper than dirt right now so
if you don't have this functionality on your network it might be worth
considering.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
 
Ari

YES, YES-exactly the type of info I needed Steven!!!!!!!!!! I'm not
sure I could set it up from the instructions given as there's lots 'o
new words in those messages. But, it sure looks good to me. I can play
with it a bit and see what happens.

We don't have any valuable info on the computer, so we don't need the
negotiated network handshaking connections. But, it is nice to know we
can have some defense against someone who is really determined. I'm
still somewhat surprised I don't see discussions of these topics as I
look back through the postings in this newsgroup-they seem to be well
kept secrets....or, perhaps no one is serious enough to think they
need extra protection??

Can I assume from reading the above links that the default security
setting is to have XP sit there and watch guesses forever, until the
attacker guesses the right password?

Also, you mentioned guessing via the internet to be slow.....with
custom software, and a DSL connection, couldn't someone make 10 to 100
guesses per second via the internet?

Thanks again, you've been very helpful Steven and it's greatly
appreciated.

A

PS:

I think we can dodge 99.999 percent of the attacks by making our
system just a little more protected than most others-

As I read through the microsoft.public usenet groups, it's painfully
obvious that the average user is connecting to the internet with
blinders on, thinking that security is something for others to be
concerned about::>

I love this sort of attitude, it makes me so much less likely to
become a victim because nearly everyone else is damn close to
defenseless!
 
Steven L Umbach

This topic has been discussed fairly often though I can't remember what
newsgroups offhand as there are several Microsoft security newsgroups
including for Windows 2000 and server operating systems. By default XP is
configured not to lock user accounts with bad password guesses as that can
cause a lot of problems for users that do not know how to fix such. The
problem is fairly rare since XP comes with a built in firewall, the use of
internet routers, and a lot of ISPs will not allow traffic to file and print
sharing ports anymore. Since you are firewalled I would not worry about it.
I am sure that someone with high speed connection could possibly be subject
to attacks that may be several per second but that is not enough to crack
anything other than the weakest passwords. Now when you have direct access to the
computer you can do thousands of guesses or more per second particularly if
the user has rainbow tables already in a database. A bigger problem is that
there is freely available software that can reset user passwords if the
attacker has full physical access to the computer thus eliminating any need
to guess the password. See the link below for more info on that.

http://www.petri.co.il/forgot_administrator_password.htm

Since you seem to be interested in securing your computer and network some
of the links below may be interesting to you. --- Steve

http://www.microsoft.com/athome/security/default.mspx --- Security at Home
http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC from Microsoft.
http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
Small Business Security guide
http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
--- Antivirus Defense-In-Depth Guide
http://www.microsoft.com/technet/security/default.mspx --- TechNet Security
homepage
http://www.microsoft.com/technet/security/topics/Serversecurity/tcg/tcgch00.mspx
--- Threats and Countermeasures Guide
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx
--- Windows XP Security Guide
http://www.securityfocus.com/ --- Securityfocus website
http://labmice.techtarget.com/windowsxp/default.htm --- Labmice website
http://www.webattack.com/ -- Snapfiles downloads
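The arithmetic behind Steve's answer to Ari's "10 to 100 guesses per second" question, worked through as an added example that is not from the original posts: the online and offline rates, the 8-character lowercase password and the 5-failure/30-minute lockout policy (the values net accounts sets with /lockoutthreshold and /lockoutduration) are all assumptions chosen for illustration.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(alphabet_size, length):
    """Passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case years to try the whole keyspace at a steady guess rate;
    the expected time to hit one particular password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR

def lockout_capped_rate(threshold, lockout_minutes):
    """Sustained guesses/second an attacker can make when `threshold` failures
    lock the account for `lockout_minutes` and the attacker waits out each lock.
    The price of this cap is the denial of service discussed in the thread:
    anyone who can reach the logon can keep the real user locked out."""
    return threshold / (lockout_minutes * 60.0)

def scenarios():
    """The thread's cases for an 8-character lowercase password, plus a small
    dictionary attack, which is the only thing the slow online rate threatens."""
    online = 100          # assumed: Ari's upper estimate for guessing over DSL
    offline = 1_000_000   # assumed: rate with the disk in hand; rainbow tables do better
    capped = lockout_capped_rate(5, 30)  # assumed policy: 5 failures, 30-minute lock
    return {
        "online_100ps_years": years_to_exhaust(26, 8, online),
        "offline_1Mps_years": years_to_exhaust(26, 8, offline),
        "online_with_lockout_years": years_to_exhaust(26, 8, capped),
        "dictionary_10000_words_seconds": 10_000 / online,
    }
```

At 100 guesses per second the 26^8 lowercase space takes about 66 years to exhaust, with the disk in hand about two and a half days, and under the lockout policy millions of years; a 10,000-word dictionary, by contrast, falls in under two minutes even online, which is why the strength of the password matters more than the rate.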