Lock out Internet logon attempts?

Discussion in 'Security Software' started by Rick Lemons, Jul 10, 2003.

  1. Rick Lemons

    Rick Lemons Guest

    Is there any way to block someone from trying to logon to my Win2K server
    from the Internet and locking up my accounts by inputting a bad password 3
    times. I want to lock him out.

    Don't bother telling me "use a firewall". I'm trying to put up ISA but it's
    not working in my environment. I'm working with Microsoft on it. I don't
    want to put up another one. I just need to do something in the meantime.

    Thanks.
     
    Rick Lemons, Jul 10, 2003
    #1

  2. Rick Lemons

    |{evin Guest

    That's really your only option, there needs to be 'something' between
    your server and the internet. I've never tried it, but you might try
    something like Zone Alarm for the (very) short term. I'd be busting my
    butt to get ISA up and running though. If you've got a spare 486 you
    could set up a smoothwall (www.smoothwall.org), really a kick-ass
    product and one I've used more than once where ISA was just too
    darned expensive.
     
    |{evin, Jul 10, 2003
    #2

  3. Dude... Get a firewall... you've got 64,000 ports hanging out there wide open
    to every script kiddie known to mankind....

    Get a Linksys... get a zonealarm... or unplug your RJ45 from the wall.

    This is like driving down the highway at night with your lights off, at 100
    miles per hour, with no seat belts. Someone is going to get hurt. Soon, if
    they haven't already...Probably you!

    Here comes the "angry tone" that I hate to use in this group.....but I feel
    that I must...

    You say "don't bother telling me to use a firewall".... well then buckaroo.....
    you are putting the security of the world at risk..... since you are not
    willing to take the minimum precautions of safety on the internet, what hope is
    there for the rest of us to stay safe out here.

    And way cool...you just posted into a security newsgroup with a header file
    that if you are posting in from the location without the said firewall...just
    got a bit more targeted.

    Furthermore, I hope you've at least got patching in place and on Win2ksp3
    otherwise you are probably Code Red/Nimda'd by now.

    Any computer with a connection to the Internet whether on dial up or highspeed
    needs a firewall. [and here goes that tone of voice again so I'm sorry in
    advance.....] but tone even blame this one on Microsoft....we, you, I have to
    take responsibility for the servers under our control.

    Safety and Security starts with the servers that I own.

    Susan

    You want me to tell you to don't bother using a firewall..... then don't
    bother attaching yourself to the Internet and stay off until you can get
    yourself in a more secure position.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Jul 10, 2003
    #3
  4. Rick Lemons

    J. Smith Guest

    I found wonderful success with "Black Ice" System
    protection. Allows you to control everything and it is
    fairly easy to use. You could also lock your system from
    even starting up by creating a password on your BIOS.
     
    J. Smith, Jul 10, 2003
    #4
  5. Course we could tell him to turn off the account lockout "feature" and that way
    when someone actually hacked into his system he wouldn't have to worry about account
    lockouts.

    How long are your passwords? Assuming your passwords are alphanumeric and longer
    than 8 characters....get something on in about 30 to 40 days...Brute force cracker
    programs won't take too long to break in .... John the ripper is freely available
    from the web.

     
    Susan Bradley, CPA aka Ebitz SBS Rocks [MVP], Jul 10, 2003
    #5
  6. 1. Firewall
    2. Firewall
    3. Firewall
    4. Oh and by the way, firewall.
     
    Sandi - Microsoft MVP, Jul 10, 2003
    #6
  7. Rick Lemons

    Rick Lemons Guest

    Thank you all for reading the part that actually mentioned I am putting up a
    firewall. I was hoping to avoid the obvious but I guess I didn't write that
    part obviously enough. I was having problems putting up the firewall and
    wanted something to stop the hacker in the meantime.
     
    Rick Lemons, Jul 11, 2003
    #7
  8. Rick Lemons

    Rick Lemons Guest

    My message did state I was working on putting up a firewall that was having
    problems. I was looking for a stop gap in the meantime.


     
    Rick Lemons, Jul 11, 2003
    #8
  9. Hi Rick. You could use ipsec filtering in the meantime on that machine.
    Basically you create a policy that does not use "negotiate" but block or
    permit filter actions [you need to select authentication method, though it
    is not actually used for permit/block - just select kerberos]. It would need
    just a few rules - block all ip, permit all lan subnet, and then permit
    rules for what internet access ports/protocols you need - mail, http, https,
    dns, etc. --- Steve

    http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/HTUseIPSec.asp
     
    Steven L Umbach, Jul 11, 2003
    #9
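
A simplified model of the filter list described in post #9, added here as an example and not part of any poster's message. It assumes Windows IPsec applies the most specific matching filter rather than the first one listed, treats the permit rules as inbound services on the server, and uses a constructed LAN subnet (192.168.1.0/24) and constructed test addresses.

```python
import ipaddress
from typing import NamedTuple, Optional

class Filter(NamedTuple):
    name: str
    source: str              # remote peer, as a CIDR block
    protocol: Optional[str]  # None means any IP protocol
    port: Optional[int]      # destination port on the server, None means any
    action: str              # "permit" or "block"; "negotiate" is never used

    def matches(self, src: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and self.protocol in (None, proto)
                and self.port in (None, port))

    def weight(self) -> tuple:
        # Simplified specificity: narrower source first, then protocol, then port.
        return (ipaddress.ip_network(self.source).prefixlen,
                self.protocol is not None, self.port is not None)

# Constructed policy following the post; subnet and service list are assumptions.
POLICY = [
    Filter("block all ip", "0.0.0.0/0", None, None, "block"),
    Filter("permit lan subnet", "192.168.1.0/24", None, None, "permit"),
    Filter("permit smtp", "0.0.0.0/0", "tcp", 25, "permit"),
    Filter("permit http", "0.0.0.0/0", "tcp", 80, "permit"),
    Filter("permit https", "0.0.0.0/0", "tcp", 443, "permit"),
    Filter("permit dns", "0.0.0.0/0", "udp", 53, "permit"),
]

def decide(src, proto, port, policy=POLICY):
    """Return (action, filter name) for an inbound packet to the server."""
    hits = [f for f in policy if f.matches(src, proto, port)]
    if not hits:
        # Traffic that matches no filter is passed without IPsec processing.
        return ("permit", "no filter matched")
    best = max(hits, key=Filter.weight)
    return (best.action, best.name)

if __name__ == "__main__":
    # Constructed packets: an Internet host and a LAN host hitting SMB, then mail.
    for pkt in [("203.0.113.7", "tcp", 445), ("192.168.1.20", "tcp", 445),
                ("203.0.113.7", "tcp", 25)]:
        print(pkt, decide(*pkt))
```

Internet logon traffic to port 445 falls through to the block-all filter, while the same port stays reachable from the LAN, so the lockout attempts stop without taking the published services offline.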
  10. Realistically, there is none. Put in a cheap and cheerful firewall while
    you're working on fixing your ISA solution....why gamble? You can pick up a
    little Netgear firewall for about $120 US.

     
    Lanwench [MVP - Exchange], Jul 12, 2003
    #10
  11. Rick Lemons

    Rick Lemons Guest

    Thank you. Your reply was the helpful one I was looking for.

    I did finally get ISA up. I sleep much better now.

     
    Rick Lemons, Jul 13, 2003
    #11
  12. Zone Alarm is your stop gap. If you have no firewall, ALL 64,000 ports are
    hanging out to the web and every person with John the Ripper is banging those
    accounts trying to crack them.

    A password that is in the dictionary will be cracked in nothing flat.
    A password longer than 8 characters with letters and numbers may take up to 40
    or so days.
    That account lockout is a security feature letting you know that you've got
    someone trying to break in.... remember the movie War Games? How the computer
    was trying to figure out the password.... that's what's happening.

    Get anything, something because when your account lockouts go away, you are
    owned and someone has figured out what those passwords are.

    Be glad you are getting these lockouts. It's a symptom that you are in a heap
    of trouble.

    Susan


     
    Susan Bradley, CPA aka Ebitz SBS Rocks [MVP], Jul 13, 2003
    #12
  13. Get Zonealarm...
    He doesn't have time to figure out Ipsec filtering... he's hemorrhaging and we
    need a major bandage and not microscopic surgery.
    Again, I don't mean to sound rude or anything, but this is serious. Your system
    could be "owned" already.
     
    Susan Bradley, CPA aka Ebitz SBS Rocks [MVP], Jul 13, 2003
    #13
  14. Rick Lemons

    Rick Lemons Guest

    Thanks. ISA is up now.

     
    Rick Lemons, Jul 13, 2003
    #14
  15. That's a matter of opinion. I figure Rick is familiar with creating
    firewall rules since he is setting up ISA which means that he should be able
    to set up ipsec policy in a few minutes - probably as fast or faster than
    downloading/installing/rebooting/configuring ZA to serve lan. I would not
    recommend ipsec filtering to a novice. --- Steve

     
    Steven Umbach [MVP], Jul 13, 2003
    #15