An intrusion detection system (IDS) is a reasonable supplement to the firewall: it helps the security system spot the precursors of a potential intrusion and respond to network attacks. Next, let's look at the process of intrusion detection on Windows 2000 Server.
Precursor detection of system account password cracking and intrusion
For Windows 2000 servers, a major threat comes from the system account passwords. If a poorly configured server allows null sessions to be created, attackers can remotely enumerate the accounts and then guess passwords for the accounts they enumerated. Even if the server rejects null sessions, attackers can still guess system account names, because many server administrators use names such as administrator, admin and root. Hacker tools such as "traffic" can then crack the system account password using a list of common passwords or by brute force.
To detect intrusions that begin with a guessed system account and password, set a server security policy and enable auditing in the Audit Policy. The basic events to audit are: Audit logon events, Audit account logon events and Audit account management. Audit both success and failure; the audit records can then be viewed in the Security log in Event Viewer.
For example, if we find a large number of logon failures in the Security log, someone is guessing system accounts. Opening the details of one of them, we see:
Logon Failed:
Cause: Unknown user name or incorrect password
User name: administrator
Domain: ALARM
Logon type: 3
Logon Process: NtLmSsp
Authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation name: REFDOM
The attacker is trying to guess the password of the system account administrator. The attacker's source is the workstation name REFDOM: the log records the attacker's computer name rather than an IP address.
When we find that someone is trying to guess a password, we should modify the corresponding configuration and policy: for example, restrict the IP addresses allowed to connect, rename the account whose password is being guessed, increase the length of the account password, and so on.
Precursor detection of Terminal Services intrusion
Windows provides Terminal Services. It is a Remote Desktop Protocol (RDP) based tool that makes remote control convenient for administrators, and it is a very good remote control tool: the graphical interface used by Terminal Services is easy and convenient for administrators, and it is also fast. But this makes it just as convenient for attackers. In addition, Terminal Services had an input method vulnerability in the past that allowed the logon security check to be bypassed and system privileges to be obtained. On servers with Terminal Services open, many attackers like to connect remotely to see what the server looks like, even if they do not have an account.
Intrusion through Terminal Services generally happens after a system account has been guessed: the attacker connects remotely and logs on to the terminal with the guessed account.
Open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP connection you want to configure (such as RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced", add the Everyone group (representing all users), and audit the success and failure of its "Connect", "Disconnect", "Logoff" and "Logon" events. These audit records are written to the Security log and can be viewed in "Administrative Tools" -> "Event Viewer". However, just as with the system password auditing, this log records the client machine name rather than the client IP address. We can create a simple batch file (named TerminalLog.bat) to record the client's IP address. The file content is:
time /t >>Terminal.log
netstat -n -p tcp | find ":3389">>Terminal.log
start Explorer
The port used by Terminal Services is TCP 3389. The first line of the file records the user's logon time in Terminal.log, where it serves as the log's time field. The second line records the user's IP address: it uses netstat to display the current network connections and writes the lines for port 3389 into the log file. In this way the IP address of the remote party that established the 3389 connection is recorded.
To make the program run, set TerminalLog.bat in Terminal Services Configuration as the script to start when a user logs on; every user then executes this script after logon. Because the default startup program is Explorer, the command start Explorer is added as the last line of the .bat file; if this command is omitted, the user cannot get to the desktop. Of course, you can make this script more powerful, but place the log file in a safe directory.
With the contents recorded in Terminal.log and the Security log, we can discover intrusion events, or their precursors, that come through Terminal Services.
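As an added example (not from the article, and in Python rather than the batch file the text uses), the following parses a constructed Security-log excerpt in the field layout shown above to flag the password-guessing precursor, and parses a constructed Terminal.log as TerminalLog.bat writes it to pull out the client IP of each established 3389 connection. The field names, the failure threshold, the US-style "time /t" format and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed Security-log excerpt in the layout the article shows; not real data.
SECURITY_LOG = """\
Logon Failed:
User name: administrator
Logon type: 3
Workstation name: REFDOM

Logon Failed:
User name: administrator
Logon type: 3
Workstation name: REFDOM

Successful Logon:
User name: backupop
Logon type: 2
"""
# Constructed Terminal.log as TerminalLog.bat writes it: a "time /t" stamp, then netstat lines.
TERMINAL_LOG = """\
10:42 AM
  TCP    192.0.2.10:3389        203.0.113.5:2210       ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.5:2211       TIME_WAIT
"""

def parse_records(text):
    """One dict per blank-line-separated record; the first line names the event."""
    records = []
    for chunk in text.strip().split("\n\n"):
        head, *fields = chunk.splitlines()
        records.append({"event": head.rstrip(":"),
                        **{k.strip(): v.strip() for k, v in (f.split(":", 1) for f in fields)}})
    return records

def detect_guessing(text, threshold=2):
    """(user, workstation) pairs with >= threshold failed network (type 3) logons."""
    hits = Counter((r["User name"], r["Workstation name"]) for r in parse_records(text)
                   if r["event"] == "Logon Failed" and r.get("Logon type") == "3")
    return {k: v for k, v in hits.items() if v >= threshold}

def terminal_clients(text):
    """(logon time, client IP) for each ESTABLISHED connection to local port 3389."""
    # Assumes the US "hh:mm AM/PM" output of "time /t"; other locales need another stamp pattern.
    pat = re.compile(r"^(\S+ [AP]M)$|:3389\s+(\d+\.\d+\.\d+\.\d+):\d+\s+ESTABLISHED", re.M)
    out, stamp = [], None
    for m in pat.finditer(text):
        if m.group(1):
            stamp = m.group(1)  # the "time /t" line precedes its netstat lines
        else:
            out.append((stamp, m.group(2)))
    return out
```

Run against a real export, the (user, workstation) pairs from detect_guessing are the accounts to rename or restrict, and terminal_clients gives the IP addresses to check against the workstation names in the Security log.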
For Windows 2000 servers, the four types of intrusion described above are the most common and account for the vast majority of intrusions into Windows 2000. From the above analysis, we can promptly discover the precursors of these intrusions, identify the attacker's starting point from those precursors, and then take the corresponding security measures to prevent the attacker from getting in.
We can also see from this the importance of log records and event auditing in server security configuration. These log files are a prime target for attackers once they have broken in: they delete and modify records to erase their footprints. Therefore the various log files should be well hidden and protected with permissions. At the same time, if logs are only recorded and never regularly reviewed and analyzed, all the work is wasted.
During security maintenance, the system administrator should stay vigilant, be familiar with the intrusion methods hackers use, and do a thorough job of detecting and analyzing intrusion precursors. In this way the administrator can plan ahead and prevent intrusion events from occurring.
As an active security protection technology, intrusion detection provides real-time protection against internal attacks, external attacks and misoperation, intercepting and responding to intrusions before the network system is compromised. We should be proactive.