2025-02-23 Update From: SLTechnology News&Howtos, shulou
Shulou(Shulou.com)06/01 Report--
For a Windows 2003 server, another major threat is the guessing of system account passwords. If a poorly configured server allows a null session to be established, a user can perform remote account enumeration and then guess passwords for the enumerated accounts. Even if the server refuses null sessions, the user can still guess the system account name, because many server administrators use account names such as administrator, admin or root. Tools such as "streamer" (the tool name as translated here) can guess such passwords and crack system account passwords using lists of common passwords or exhaustive search.
To detect guessing of system account passwords, the server's security policy must be configured so that the relevant events are recorded by the audit policy. The basic events that need to be audited are: logon events, account logon events and account management events. Audit both the successes and the failures of these events; the audit records can then be viewed in the security log in the Event Viewer.
For example, if we find a large number of failed audits in the security log, it means that someone is guessing system account passwords. Looking at the details of one of them, we can see:
Login failed:
Reason: unknown user name or incorrect password
User name: administrator
Domain: ALARM
Login type: 3
Login process: NtLmSsp
Authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation name: REFDOM
The person guessing passwords is trying to guess the password of the system account administrator. The source is the workstation name REFDOM; note that the record holds that person's computer name rather than an IP address.
When we find that someone is guessing passwords, we need to modify the corresponding configuration and policy: for example, restrict the permitted IP addresses, rename the account whose password is being guessed, increase the length of the account password, and so on.
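As an added example (not code from the original article), the following Python script parses exported failed-logon records in the translated "Login failed" format shown above, tallies them per account and workstation, and flags sources whose failure count crosses a threshold. The events and the threshold of five are constructed for illustration.

```python
"""Count failed-logon audit records and flag password-guessing bursts.

Added example, not code from the original article. The record format copies
the translated "Login failed" event text shown in the article; the events and
the threshold are constructed for illustration.
"""
import re
from collections import Counter

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def make_record(user, workstation, login_type=3):
    """Constructed: build one exported audit record in the article's format."""
    return "\n".join([
        "Login failed:",
        "Reason: unknown user name or incorrect password",
        f"User name: {user}",
        "Domain: ALARM",
        f"Login type: {login_type}",
        "Login process: NtLmSsp",
        "Authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
        f"Workstation name: {workstation}",
    ])


# Constructed sample log: six attempts on "administrator" and one on "admin"
# from the same workstation, plus a single typo-like failure from a normal user.
SAMPLE_LOG = "\n\n".join(
    [make_record("administrator", "REFDOM")] * 6
    + [make_record("admin", "REFDOM")]
    + [make_record("jsmith", "WS-FIN01")]
)


def parse_records(text):
    """Split exported text into records; each record becomes a dict of fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Login failed"):
            continue  # only failed-logon records matter here
        fields = {}
        for line in lines[1:]:
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        records.append(fields)
    return records


def count_by_source(records):
    """Tally failures per (user name, workstation). Login type 3 is a network
    logon, the type produced by password guessing over SMB/NTLM."""
    counts = Counter()
    for r in records:
        if r.get("Login type") == "3":
            counts[(r.get("User name", "?"), r.get("Workstation name", "?"))] += 1
    return counts


def flag_guessing(records, threshold=5):
    """Return (user, workstation, count) for sources at or above the threshold.
    The workstation name is what the client reported, not its IP address, so
    it identifies the source machine only loosely."""
    return sorted(
        (user, ws, n)
        for (user, ws), n in count_by_source(records).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for user, ws, n in flag_guessing(parse_records(SAMPLE_LOG)):
        print(f"possible password guessing: {n} failures on '{user}' from {ws}")
```

Run against a real export, the threshold should be tuned to the server's normal rate of mistyped passwords; a single low-count entry like the constructed jsmith one is noise, while many failures on administrator from one workstation is the pattern the article describes.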
IV. Precursor detection for Terminal Services
Windows 2003 provides Terminal Services, a tool based on the Remote Desktop Protocol (RDP). It makes remote control convenient for administrators and is a very good remote control tool: its graphical interface is easy to use, and it is also fast. In the past there was a vulnerability in the input method of Terminal Services that could bypass the security check to obtain system privileges. For servers with Terminal Services enabled, many people like to connect remotely just to see what the server looks like (even if they have no account at all).
Generally speaking, after system account passwords have been guessed, the guessed account is used to connect and log on through Terminal Services.
Open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP connection you want to configure (such as RDP-TCP (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced", add the Everyone group (which represents all users), and then audit the success and failure of its "Connect", "Disconnect", "Logoff" and "Logon" operations. These are recorded in the security log, which you can view from Administrative Tools -> Event Viewer. But this log, like the system password guessing records above, stores the client machine name rather than the client's IP address. We can write a simple batch file (named TerminalLog.bat) to record the client's IP, with the following contents:
rem Record the logon time as the time field of the log entry
time /t >> Terminal.log
rem Record the current TCP connections on port 3389 (the client's IP address)
netstat -n -p tcp | find ":3389" >> Terminal.log
rem Start the desktop shell; without this the user never reaches the desktop
start explorer
Terminal Services uses TCP port 3389. The first line of the file records the user's logon time and writes it into the file Terminal.log as the time field of the log entry; the second line records the user's IP address by running netstat, the command that displays the current network connections, and writing the lines for port 3389 into the log file. In this way the IP address from which the other party established a 3389 connection is recorded.
To make this program run, in Terminal Services Configuration set the logon script to TerminalLog.bat, so that every user must execute this script after logging on. Because the default script is Explorer (the Windows shell), the command start explorer is added on the last line of TerminalLog.bat; without it, users have no way to reach the desktop. Of course, you can make this script more powerful, but put the log files in a secure directory.
Through the contents of the Terminal.log file, together with the security log, we can find incidents or precursors that come through Terminal Services.
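The log written by that batch file is a sequence of snapshots, one per logon, and each snapshot lists every current 3389 connection, including the LISTENING socket that `find ":3389"` also matches. The following Python script is an added example (not from the original article) that parses such a Terminal.log, keeps only established connections on port 3389, and attributes each logon time to the client address that first appears in that snapshot. The sample log is constructed, and the time format assumed is the "HH:MM AM/PM" form of `time /t`, which is locale dependent.

```python
"""Extract client IP addresses from the Terminal.log written by TerminalLog.bat.

Added example, not from the original article. It assumes the log layout that
script produces: a `time /t` line, then the `netstat -n -p tcp | find ":3389"`
lines for that logon. The time format is locale dependent; the sample below is
constructed with the "HH:MM AM/PM" form.
"""
import re

TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?:\s*[AP]M)?$")
# netstat -n line: proto, local addr:port, foreign addr:port, state
NETSTAT_RE = re.compile(r"^(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

# Constructed sample Terminal.log covering two logons. The LISTENING line is
# also kept by `find ":3389"`, so the parser must ignore it.
SAMPLE_TERMINAL_LOG = """\
10:42 AM
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.5:51234      ESTABLISHED
11:07 AM
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.5:51234      ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.7:40022     ESTABLISHED
"""


def parse_terminal_log(text, rdp_port="3389"):
    """Return one entry per logon: {"time": ..., "remote_ips": [...]}.

    Each logon appends a snapshot of *all* current RDP connections, so an
    entry can list more than one client when sessions overlap."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIME_RE.match(line):
            entries.append({"time": line, "remote_ips": []})
            continue
        m = NETSTAT_RE.match(line)
        if not m or not entries:
            continue  # header noise, or netstat output before any time line
        _proto, _local, lport, remote, _rport, state = m.groups()
        if lport == rdp_port and state == "ESTABLISHED":
            entries[-1]["remote_ips"].append(remote)
    return entries


def new_clients(entries):
    """Pair each logon time with the addresses first seen in that snapshot.

    This is a heuristic: a client that disconnects and reconnects from the
    same address will not show up as new a second time."""
    seen, result = set(), []
    for e in entries:
        fresh = [ip for ip in e["remote_ips"] if ip not in seen]
        seen.update(e["remote_ips"])
        result.append((e["time"], fresh))
    return result


if __name__ == "__main__":
    for when, ips in new_clients(parse_terminal_log(SAMPLE_TERMINAL_LOG)):
        print(f"{when}: new RDP client(s) {ips or 'none'}")
```

The addresses it produces can then be matched against the Terminal Services audit entries in the security log, which carry the account and workstation name but, as the article notes, not the IP.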
The above four are the most common precursors for Windows 2003 servers and account for the vast majority of Windows 2003 incidents. From the above analysis we can detect these precursors in time and, starting from them, take corresponding security measures to stop the incident.
From the above analysis we can also see the importance of logging and event auditing in the security configuration of a server. These log files are an important target for intruders, who delete and modify records to erase their footprints. Therefore all kinds of log files should be hidden and protected with permissions. At the same time, merely keeping a log without reviewing and analysing it regularly makes all this work in vain.
In security maintenance, system administrators should stay vigilant, be familiar with the means used, and do a good job of precursor detection and analysis, so that they are prepared in advance to prevent incidents.