Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
one of our servers. I log both the failed and successful logins and both of
the above logins were used recently. Do they have passwords that can be set?
What would be the implications if I removed both of them from
"security/logins"? I'm running both the server service and agent service with
a different login so it wouldn't affect the jobs.
Thanks,
--
Dan D.Hi Dan
These are the name of the accounts when you specify local system or network
service as the accounts in which a service runs under see
http://msdn2.microsoft.com/en-us/library/ms191543.aspx
John
"Dan D." wrote:
> Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> one of our servers. I log both the failed and successful logins and both of
> the above logins were used recently. Do they have passwords that can be set?
> What would be the implications if I removed both of them from
> "security/logins"? I'm running both the server service and agent service with
> a different login so it wouldn't affect the jobs.
> Thanks,
> --
> Dan D.|||I came across an article today about how someone could log in as NT AUTHORITY
through the cmd window using the task scheduler and I got a little concerned.
Thanks for the article.
--
Dan D.
"John Bell" wrote:
> Hi Dan
> These are the name of the accounts when you specify local system or network
> service as the accounts in which a service runs under see
> http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> John
> "Dan D." wrote:
> > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > one of our servers. I log both the failed and successful logins and both of
> > the above logins were used recently. Do they have passwords that can be set?
> >
> > What would be the implications if I removed both of them from
> > "security/logins"? I'm running both the server service and agent service with
> > a different login so it wouldn't affect the jobs.
> >
> > Thanks,
> > --
> > Dan D.|||Hi Dan
Could you can post a link to the article?
John
"Dan D." wrote:
> I came across an article today about how someone could log in as NT AUTHORITY
> through the cmd window using the task scheduler and I got a little concerned.
> Thanks for the article.
> --
> Dan D.
>
> "John Bell" wrote:
> > Hi Dan
> >
> > These are the name of the accounts when you specify local system or network
> > service as the accounts in which a service runs under see
> > http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> >
> > John
> >
> > "Dan D." wrote:
> >
> > > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > > one of our servers. I log both the failed and successful logins and both of
> > > the above logins were used recently. Do they have passwords that can be set?
> > >
> > > What would be the implications if I removed both of them from
> > > "security/logins"? I'm running both the server service and agent service with
> > > a different login so it wouldn't affect the jobs.
> > >
> > > Thanks,
> > > --
> > > Dan D.|||Sometimes the page doesn't render correctly. You may have to scroll down to
see the beginning of the article.
http://www.ozzu.com/ftopic1337.html
--
Dan D.
"John Bell" wrote:
> Hi Dan
> Could you can post a link to the article?
> John
> "Dan D." wrote:
> > I came across an article today about how someone could log in as NT AUTHORITY
> > through the cmd window using the task scheduler and I got a little concerned.
> > Thanks for the article.
> > --
> > Dan D.
> >
> >
> > "John Bell" wrote:
> >
> > > Hi Dan
> > >
> > > These are the name of the accounts when you specify local system or network
> > > service as the accounts in which a service runs under see
> > > http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> > >
> > > John
> > >
> > > "Dan D." wrote:
> > >
> > > > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > > > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > > > one of our servers. I log both the failed and successful logins and both of
> > > > the above logins were used recently. Do they have passwords that can be set?
> > > >
> > > > What would be the implications if I removed both of them from
> > > > "security/logins"? I'm running both the server service and agent service with
> > > > a different login so it wouldn't affect the jobs.
> > > >
> > > > Thanks,
> > > > --
> > > > Dan D.|||Hi Dan
The article is talking about a vunerability highlighted in
http://support.microsoft.com/?kbid=823980 that can be exploited by a specific
worm, rather than something actually logging in a the account. You should
make sure that your system is patched to a level which does not have this
issue. Tools like Microsoft Baseline Security Advisor will help you configure
your systems check out http://msdn2.microsoft.com/en-us/library/aa302360.aspx
John
"Dan D." wrote:
> Sometimes the page doesn't render correctly. You may have to scroll down to
> see the beginning of the article.
> http://www.ozzu.com/ftopic1337.html
> --
> Dan D.
>
> "John Bell" wrote:
> > Hi Dan
> >
> > Could you can post a link to the article?
> >
> > John
> >
> > "Dan D." wrote:
> >
> > > I came across an article today about how someone could log in as NT AUTHORITY
> > > through the cmd window using the task scheduler and I got a little concerned.
> > > Thanks for the article.
> > > --
> > > Dan D.
> > >
> > >
> > > "John Bell" wrote:
> > >
> > > > Hi Dan
> > > >
> > > > These are the name of the accounts when you specify local system or network
> > > > service as the accounts in which a service runs under see
> > > > http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> > > >
> > > > John
> > > >
> > > > "Dan D." wrote:
> > > >
> > > > > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > > > > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > > > > one of our servers. I log both the failed and successful logins and both of
> > > > > the above logins were used recently. Do they have passwords that can be set?
> > > > >
> > > > > What would be the implications if I removed both of them from
> > > > > "security/logins"? I'm running both the server service and agent service with
> > > > > a different login so it wouldn't affect the jobs.
> > > > >
> > > > > Thanks,
> > > > > --
> > > > > Dan D.|||Thanks. I do run the Baseline Security Analyzer.
--
Dan D.
"John Bell" wrote:
> Hi Dan
> The article is talking about a vunerability highlighted in
> http://support.microsoft.com/?kbid=823980 that can be exploited by a specific
> worm, rather than something actually logging in a the account. You should
> make sure that your system is patched to a level which does not have this
> issue. Tools like Microsoft Baseline Security Advisor will help you configure
> your systems check out http://msdn2.microsoft.com/en-us/library/aa302360.aspx
> John
> "Dan D." wrote:
> > Sometimes the page doesn't render correctly. You may have to scroll down to
> > see the beginning of the article.
> >
> > http://www.ozzu.com/ftopic1337.html
> >
> > --
> > Dan D.
> >
> >
> > "John Bell" wrote:
> >
> > > Hi Dan
> > >
> > > Could you can post a link to the article?
> > >
> > > John
> > >
> > > "Dan D." wrote:
> > >
> > > > I came across an article today about how someone could log in as NT AUTHORITY
> > > > through the cmd window using the task scheduler and I got a little concerned.
> > > > Thanks for the article.
> > > > --
> > > > Dan D.
> > > >
> > > >
> > > > "John Bell" wrote:
> > > >
> > > > > Hi Dan
> > > > >
> > > > > These are the name of the accounts when you specify local system or network
> > > > > service as the accounts in which a service runs under see
> > > > > http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> > > > >
> > > > > John
> > > > >
> > > > > "Dan D." wrote:
> > > > >
> > > > > > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > > > > > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > > > > > one of our servers. I log both the failed and successful logins and both of
> > > > > > the above logins were used recently. Do they have passwords that can be set?
> > > > > >
> > > > > > What would be the implications if I removed both of them from
> > > > > > "security/logins"? I'm running both the server service and agent service with
> > > > > > a different login so it wouldn't affect the jobs.
> > > > > >
> > > > > > Thanks,
> > > > > > --
> > > > > > Dan D.|||Hi Dan
Hopefully you have patched this, make sure that you keep your MBSA up to date.
John
"Dan D." wrote:
> Thanks. I do run the Baseline Security Analyzer.
> --
> Dan D.
>
> "John Bell" wrote:
> > Hi Dan
> >
> > The article is talking about a vunerability highlighted in
> > http://support.microsoft.com/?kbid=823980 that can be exploited by a specific
> > worm, rather than something actually logging in a the account. You should
> > make sure that your system is patched to a level which does not have this
> > issue. Tools like Microsoft Baseline Security Advisor will help you configure
> > your systems check out http://msdn2.microsoft.com/en-us/library/aa302360.aspx
> >
> > John
> >
> > "Dan D." wrote:
> >
> > > Sometimes the page doesn't render correctly. You may have to scroll down to
> > > see the beginning of the article.
> > >
> > > http://www.ozzu.com/ftopic1337.html
> > >
> > > --
> > > Dan D.
> > >
> > >
> > > "John Bell" wrote:
> > >
> > > > Hi Dan
> > > >
> > > > Could you can post a link to the article?
> > > >
> > > > John
> > > >
> > > > "Dan D." wrote:
> > > >
> > > > > I came across an article today about how someone could log in as NT AUTHORITY
> > > > > through the cmd window using the task scheduler and I got a little concerned.
> > > > > Thanks for the article.
> > > > > --
> > > > > Dan D.
> > > > >
> > > > >
> > > > > "John Bell" wrote:
> > > > >
> > > > > > Hi Dan
> > > > > >
> > > > > > These are the name of the accounts when you specify local system or network
> > > > > > service as the accounts in which a service runs under see
> > > > > > http://msdn2.microsoft.com/en-us/library/ms191543.aspx
> > > > > >
> > > > > > John
> > > > > >
> > > > > > "Dan D." wrote:
> > > > > >
> > > > > > > Using SS2000 SP4. Can someone login as either NT AUTHORITY\SYSTEM or NT
> > > > > > > AUTHORITY\NETWORK SERVICE? I'm trying to figure out how someone got access to
> > > > > > > one of our servers. I log both the failed and successful logins and both of
> > > > > > > the above logins were used recently. Do they have passwords that can be set?
> > > > > > >
> > > > > > > What would be the implications if I removed both of them from
> > > > > > > "security/logins"? I'm running both the server service and agent service with
> > > > > > > a different login so it wouldn't affect the jobs.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > --
> > > > > > > Dan D.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment