Detecting intrusion precursors on Windows 2003 servers

For Windows 2003 servers, password guessing against system accounts is also a major threat. If a poorly configured server allows a null session to be established, an intruder can remotely enumerate accounts and other information, and then guess passwords for the accounts obtained. Even if the server refuses null sessions, the intruder can still guess the passwords of standard system accounts, because many administrators run the server with well-known account names such as administrator, admin, root and so on. Tools used by ***, such as "streamer", can perform this kind of password guessing, cracking system account passwords by exhaustive search or by trying common passwords.
To detect password guessing against system accounts, configure the server's security policy and enable auditing. At a minimum, the audit policy should record: audit logon events, audit account logon events, and audit account management events. Audit both the successes and the failures of these events; the audit records can then be viewed in the Security log in Event Viewer.
For example, if we find many failure records in the security audit log, it indicates that password guessing against system accounts is in progress. Opening one of the records, we see:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: ALARM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: REFDOM
The password guesser is attempting to guess the password of the system administrator account, and the source is the workstation named REFDOM. Note that this record contains the name of the attacking computer, not its IP address.
When we find that someone is guessing passwords, we need to adjust the configuration and policy accordingly. For example: restrict access by IP address, rename the account whose password is being guessed, and strengthen the password length of the account.
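As an added example (not code from the original article), the following Python script parses Security log events exported in the same "Field: value" layout shown above and aggregates the failures per source workstation and account, which is the precursor the article tells us to look for. The sample events are constructed for illustration, not real log data; the threshold of two failures is an assumption, and a real server would use a higher one.

```python
"""Aggregate failed-logon records exported from the Windows Security log.

Added example, not from the original article. It parses event text in the
"Field: value" layout shown above and flags workstations from which several
logon failures originate. SAMPLE_EVENTS is constructed, not real log data.
"""
from collections import Counter, defaultdict
import re

# Constructed sample: three failures from one workstation plus one success.
SAMPLE_EVENTS = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: ALARM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: REFDOM

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: ALARM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: REFDOM

Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: ALARM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: REFDOM

Successful Logon:
User Name: backupop
Domain: ALARM
Logon Type: 2
Workstation Name: CONSOLE
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split exported event text into a list of dicts, one per event.

    Events are separated by blank lines. The heading line of each event
    ("Logon Failure:" or "Successful Logon:") has no value and is stored
    under the key "_type"; every other "Field: value" line is kept as-is.
    """
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            if value == "" and "_type" not in event:
                event["_type"] = key
            else:
                event[key] = value
        events.append(event)
    return events


def failed_logon_summary(events):
    """Count network logon failures (Logon Type 3, i.e. remote attempts)
    per (workstation name, user name) pair."""
    counts = Counter()
    for e in events:
        if e.get("_type") != "Logon Failure" or e.get("Logon Type") != "3":
            continue
        counts[(e.get("Workstation Name", "?"), e.get("User Name", "?"))] += 1
    return counts


def suspicious_sources(events, threshold=2):
    """Return {workstation: (failure count, sorted account names tried)} for
    every workstation whose failures reach the threshold (an assumed value)."""
    per_ws = defaultdict(lambda: [0, set()])
    for (ws, user), n in failed_logon_summary(events).items():
        per_ws[ws][0] += n
        per_ws[ws][1].add(user)
    return {ws: (n, sorted(users))
            for ws, (n, users) in per_ws.items() if n >= threshold}


if __name__ == "__main__":
    for ws, (n, users) in suspicious_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ws}: {n} failed network logons, accounts tried: {', '.join(users)}")
```

The output names the workstation (REFDOM in the sample) and the accounts it tried, which is exactly the information needed for the IP restriction and account renaming described above; because the log stores the machine name rather than the IP address, the name still has to be resolved separately.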
Fourth, detecting intrusion precursors through Terminal Services
Windows 2003 provides Terminal Services, a remote-control tool based on the Remote Desktop Protocol (RDP) that makes remote administration convenient; it is a very good remote-control tool. Its control interface is easy and convenient for administrators to use, and it is very fast. However, Terminal Services previously had an input method vulnerability that allowed the security checks to be bypassed and system privileges to be obtained. For servers with Terminal Services open, many intruders like to connect remotely and take a look at the server (even if they do not have an account).
Terminal Services intrusions generally follow system account password guessing: the intruder uses the guessed account to establish a remote terminal connection and log on.
Open the Terminal Services Configuration tool, click "Connections", right-click the RDP connection you want to configure (for example RDP-Tcp (Microsoft RDP 5.0)), select "Permissions", click "Advanced", and add the Everyone group (representing all users). Then audit the successes of its "Connect" and "Logoff" actions and both the success and failure of "Logon". These are recorded in the security audit log, which you can view from "Administrative Tools" -> "Event Viewer". But, like the password-guessing records above, this log records the client's machine name rather than its IP address. We can write a simple batch file (named TerminalLog.bat) to record the IP address:

rem TerminalLog.bat: append the logon time, then the current RDP (port 3389) connections, to Terminal.log
time /t >> Terminal.log
netstat -n -p tcp | find ":3389" >> Terminal.log
rem start the shell, otherwise the user never reaches the desktop
start Explorer
Terminal Services uses TCP port 3389. The first line records the time of the user's logon and appends it to Terminal.log as the time field of the log; the second line records the user's IP address: the netstat command displays the current network connections, and the lines containing port 3389 are appended to the log file. In this way the IP address of every 3389 connection can be recorded.
To make the script run, configure Terminal Services so that TerminalLog.bat is specified as the logon script to start when a user logs on; every user logon must then execute this script. Because the default logon program is Explorer (the shell), the last line of TerminalLog.bat is the command start Explorer that launches the shell; without this line the user has no way to reach the desktop. Of course, this script can be made more powerful, but please place the log file in a secure directory.
Combining the contents of Terminal.log with the security log, we can find intrusion events or precursors that come through Terminal Services.
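As an added example (not code from the original article), the following Python script reads a Terminal.log of the layout the batch file above produces (a `time /t` line followed by the `netstat -n -p tcp` lines containing ":3389") and extracts the remote client address of each established RDP session, so it can be compared with the workstation names in the security log. The log content is constructed for illustration; the time format and address values are assumptions.

```python
"""Extract remote client addresses from the Terminal.log written by the
TerminalLog.bat logon script.

Added example, not from the original article. It assumes the log layout
described above: a time line from `time /t`, followed by the netstat lines
containing ":3389" captured at that logon. SAMPLE_TERMINAL_LOG is constructed.
"""
import re
from collections import Counter

# Constructed sample: three logons, one of which shows a second session in
# TIME_WAIT that is not a live connection.
SAMPLE_TERMINAL_LOG = """\
10:42 AM
  TCP    192.0.2.10:3389        203.0.113.7:51234      ESTABLISHED
11:05 AM
  TCP    192.0.2.10:3389        203.0.113.7:51302      ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.23:40211    ESTABLISHED
11:06 AM
  TCP    192.0.2.10:3389        198.51.100.23:40211    TIME_WAIT
"""

# Matches one `netstat -n -p tcp` line whose local port is 3389:
# local address, remote IPv4 address, remote port, connection state.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):3389\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\w+)\s*$")


def parse_terminal_log(text):
    """Return a list of (time, remote_ip) tuples.

    Each netstat line is attributed to the most recent time line above it.
    Only ESTABLISHED connections are kept: those are the sessions alive at
    the moment the logon script ran, which includes the user who just
    logged on.
    """
    records = []
    current_time = None
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            if m.group(4) == "ESTABLISHED":
                records.append((current_time, m.group(2)))
        elif line.strip():
            # Any other non-empty line is the `time /t` output.
            current_time = line.strip()
    return records


def sessions_by_address(records):
    """Count established RDP sessions per remote address, so an address that
    keeps reappearing can be checked against the security log."""
    return Counter(ip for _, ip in records)


if __name__ == "__main__":
    recs = parse_terminal_log(SAMPLE_TERMINAL_LOG)
    for when, ip in recs:
        print(f"{when}  RDP session from {ip}")
    for ip, n in sessions_by_address(recs).most_common():
        print(f"{ip}: {n} session(s)")
```

Because netstat lists every current 3389 connection, a logon that happens while another administrator is connected records both addresses under the same time stamp; matching the time against the "Logon" success events audited above tells which one belongs to the new session.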
For Windows 2003 servers, these four kinds of intrusion are the most common and account for the vast majority of Windows 2003 intrusion events. From the analysis above we can discover these precursors in a timely manner and, using the discovered precursors as a starting point, take appropriate security measures to stop the intruder.
From the analysis above we can also recognize the importance of event logging, auditing and security configuration on the server. These log files are an important target once an intrusion has succeeded: the intruder will delete and modify records to erase their footprints. Therefore, for all kinds of log files, we would do well to hide them and protect them with permissions. At the same time, if logs are kept but never regularly reviewed and analyzed, all of this work is equivalent to nothing.
In security maintenance, system administrators should stay vigilant, become familiar with the methods used by ***, and carry out precursor detection and analysis, so that precautions can be taken before an intrusion occurs.


Source: blog.51cto.com/14479189/2442273