When I came in on Monday morning, I found all of my user accounts with admin rights were locked out. I used EDR 2002 to regain access to my PDC (NT4 server SP6a) with admin rights and checked the log files on the primary domain controller (PDC). I found out someone from a machine with a domain name that no one in our company is using tried to log on to my PDC with all of the user names with admin rights. Because we use very strong passwords and only allow three tries for logon, this "hacker" was not able to log on to my PDC. But my question is: How did this guy know all of my user names that have admin privileges? This NT4 server does have a second NIC with a public IP address, so our sales people can access shared files on it through the Internet. Thanks a lot for your help.
Uh, oh! You've got the classic leaky server problem here. Thank goodness you had account lockout set. There are two issues, but let's deal with your first concern. The attacker may have used a connection to the IPC$ administrative share. This share cannot be removed. The attacker can use a null session share (she doesn't have to have a user account or password). Once connected there are several tools that can be used to list your user accounts, including some resource kit tools, and even some readily available tools used to audit systems. These lists can include group membership. If you configure the system to restrict anonymous settings, you can prevent some of this information leakage, but you may cause problems with other services you wish to run on the network. The answer is, of course, resolving the other issue you have.
Never, never, never expose file shares over the Internet! In order to make the null connection, the attacker must be able to access using the Windows NetBIOS ports. Security best practice says, "Block these ports" (use a firewall). OK, so how do we get those sales folks the information they need while they are on the road? You have several alternatives. However, the objective you want to keep clearly in mind is that you want the sales folks to authenticate before they are able to attempt access to a share, and you want them connected to your internal network as well. You don't want file sharing exposed directly to the Internet. You can do this with a dial-up RAS server. You can do this with a VPN, either on the firewall or on the RAS server.
Whatever you choose, you need to protect your file sharing. Otherwise, you are going to find yourself the victim of more attacks and, someday, they may succeed.
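As an added example (not part of the question or the expert's answer), here is a small Python script that scans a constructed NT 4.0 security-log export for the pattern the questioner found: one client workstation failing logons against many distinct accounts in a short window, which is what a harvested user list being fed into logon attempts looks like, as opposed to one user mistyping a password. The tab-separated layout, the date, and every host and account name are assumptions made for this example; event IDs 529 (bad user name or password) and 539 (account locked out) are the NT 4.0 audit IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NT 4.0 security-log export (tab-separated): time, event ID,
# target user name, target domain, client workstation name. Every row,
# host name and account name here is made up for this example.
SAMPLE_LOG = """\
2003-03-03 01:12:04\t529\tadministrator\tCORP\tBADHOST
2003-03-03 01:12:05\t529\tadministrator\tCORP\tBADHOST
2003-03-03 01:12:06\t539\tadministrator\tCORP\tBADHOST
2003-03-03 01:12:08\t529\tjsmith\tCORP\tBADHOST
2003-03-03 01:12:09\t529\tjsmith\tCORP\tBADHOST
2003-03-03 01:12:10\t539\tjsmith\tCORP\tBADHOST
2003-03-03 01:12:12\t529\tbackupop\tCORP\tBADHOST
2003-03-03 01:12:13\t529\tbackupop\tCORP\tBADHOST
2003-03-03 01:12:14\t539\tbackupop\tCORP\tBADHOST
2003-03-03 08:55:10\t529\tbjones\tCORP\tSALES-LAPTOP1
2003-03-03 08:55:31\t529\tbjones\tCORP\tSALES-LAPTOP1
"""
FAILED_LOGON = "529"  # NT 4.0: unknown user name or bad password
LOCKED_OUT = "539"    # NT 4.0: logon failure, account locked out

def parse_log(text):
    """Yield (time, event_id, user, domain, workstation) for each log row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, domain, workstation = line.split("\t")
        yield datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), event_id, user.lower(), domain, workstation

def find_sprays(text, window=timedelta(minutes=10), min_accounts=3):
    """Return {workstation: {accounts, lockouts}} for every client whose failed
    logons touch at least min_accounts distinct accounts inside one window."""
    by_ws = defaultdict(list)
    for when, event_id, user, _domain, ws in parse_log(text):
        if event_id in (FAILED_LOGON, LOCKED_OUT):
            by_ws[ws].append((when, user, event_id))
    findings = {}
    for ws, events in by_ws.items():
        events.sort()  # chronological, so each start opens a sliding window
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            accounts = sorted({u for _, u, _ in in_window})
            if len(accounts) >= min_accounts:
                lockouts = sum(1 for _, _, eid in in_window if eid == LOCKED_OUT)
                findings[ws] = {"accounts": accounts, "lockouts": lockouts}
                break
    return findings
```

Running `find_sprays(SAMPLE_LOG)` flags only BADHOST (three admin-type accounts, three lockouts) and leaves the sales laptop alone; lowering `min_accounts` or widening `window` trades false positives for sensitivity.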