How can I disable network (type 3) Logon

James Button

My stand-alone win2000 pro/Norton system is being probed
with logon attempts trying Administrator, and NT AUTHORITY
SYSTEM and ANONYMOUS.

As this system is stand-alone, and should not be accessed
via the lan or internet, it would appear that the logical
thing is to disable all logon types except for
the 'Interactive' Type 2

While I am familiar with systems internals, I do not know
the Windows structures and controls, so could somebody
please, pretty, pretty please, provide either a link to an
MS article detailing the process, or a step-by-step process
to disable all types except the keyboard/screen
interactive logon.
 
Andrew Mitchell

James Button said:
My stand-alone win2000 pro/Norton system is being probed
with logon attempts trying Administrator, and NT AUTHORITY
SYSTEM and ANONYMOUS.

As this system is stand-alone, and should not be accessed
via the lan or internet, it would appear that the logical
thing is to disable all logon types except for
the 'Interactive' Type 2

While I am familiar with systems internals, I do not know
the Windows structures and controls, so could somebody
please, pretty, pretty please, provide either a link to an
MS article detailing the process, or a step-by-step process
to disable all types except the keyboard/screen
interactive logon.

Wouldn't removing the client for microsoft networks and disabling NetBIOS
achieve this?


Andy.
 
Guest

Andy,

re your suggestion -

Removing the client for microsoft networks and disabling
NetBIOS to stop network sourced logins to my Win2000 Pro
system -

As I indicated - I have an understanding of system
internals which enabled me to identify that type 2 logons
are probably what I need to stop.
However I don't know how to implement the system changes
needed - hence the request for a step-by-step process.
Getting information logged is one thing, but what I do
want to avoid is ending up with a non-functioning system
if I start inhibiting/disabling system functions.


If possible, I would greatly appreciate it if you could
point me to a write-up on how to remove the client for
Microsoft networks and disable NetBIOS.
 
Steven L Umbach

Uninstall file and print sharing from your computer [you don't need it
anyway], and disable NetBIOS over TCP in TCP/IP properties/advanced/WINS.
Those may be normal null sessions that Windows networking uses for things
like the browse list, and since you have only one computer it would be the
master browser for your workgroup. I would be surprised if you are seeing
those events from a source other than your local computer. --- Steve
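
Added example (not part of Steven's post): one way to check whether the type 3 logon events come from the local computer or from elsewhere is to tally them by the Workstation Name field. The record layout is a simplified, constructed export of Windows 2000 Security log events 528, 529 and 540, and the computer name HOMEPC is an assumption.

```python
import re
from collections import Counter

# Logon type numbers as shown in the Security log event description.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}

# Constructed sample data, not taken from the thread. One record per event,
# records separated by a blank line, fields as "Name: value".
SAMPLE_EXPORT = """\
Event ID: 540
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Workstation Name: HOMEPC

Event ID: 529
User Name: Administrator
Domain: HOMEPC
Logon Type: 3
Workstation Name: UNKNOWN-HOST

Event ID: 528
User Name: James
Domain: HOMEPC
Logon Type: 2
Workstation Name: HOMEPC

Event ID: 529
User Name: Administrator
Domain: HOMEPC
Logon Type: 3
Workstation Name: UNKNOWN-HOST

Event ID: 540
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Workstation Name:
"""


def parse_records(text):
    """Split the export into records and each record into a field dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields and "Logon Type" in fields:
            records.append(fields)
    return records


def triage(text, local_name):
    """Count logons by type and sort network (type 3) events by origin."""
    local = local_name.upper()
    by_type = Counter()
    remote = Counter()
    local_network = 0
    unattributed = 0
    for rec in parse_records(text):
        try:
            ltype = int(rec["Logon Type"])
        except ValueError:
            continue  # malformed record, skip it
        by_type[LOGON_TYPES.get(ltype, f"Type {ltype}")] += 1
        if ltype != 3:
            continue
        # The workstation name is supplied by the connecting client, so it
        # is a hint about the origin, not proof of it.
        source = rec.get("Workstation Name", "").upper()
        if source == local:
            local_network += 1
        elif source == "":
            unattributed += 1
        else:
            remote[(source, rec.get("User Name", ""), rec["Event ID"])] += 1
    return {
        "by_type": dict(by_type),
        "local_network": local_network,
        "unattributed": unattributed,
        "remote": dict(remote),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "HOMEPC")
    print("Logons by type:", result["by_type"])
    print("Network logons from this computer:", result["local_network"])
    print("Network logons with no workstation name:", result["unattributed"])
    for (source, user, event_id), count in result["remote"].items():
        print(f"{count} x event {event_id} for '{user}' from {source}")
```

Entries in the remote bucket are the ones worth following up; entries that name the local computer match the null-session explanation above.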
 
Jim B

Steve, Andy,

Thanks for the response - I've done the NetBIOS Uninstall, and hopefully
that will stop those intrusion attempts
(when I said the PC was stand-alone - I should, perhaps have mentioned its
Broadband connection)

Hopefully, having re-booted, that intrusion path in will be shut off
(I'd already got the sharing - and 'NOT SHARED' all the drives).
(30 minutes now, and nothing naughty showing in the event log)

Now it's on to trying to find an automated way to determine which emails are
valid, with correct links, and which are spoofed versions of common bulletin
board distributions with links to spamming and other naughty sites.

Regards to all

James Button


Steven L Umbach

OK. You mentioned "Norton" and I assumed that was a firewall and maybe it is
not. A correctly configured firewall should protect you from internet
hackers trying to logon to your computer. You don't need file and print
sharing unless you are offering shares to other computers either on the lan
or over the internet via a VPN. The email issue is a whole other can of
worms. I use message rules, hardened Internet Explorer settings, Google
Toolbar pop up blocker, and my virus scanner to help me there. --- Steve

http://scan.sygatetech.com/ --- do a self scan assessment of your computer
from here.
http://www.microsoft.com/security/protect/

Jim B

Yep - It's Norton AV, gonna install a firewall soon (ASAP)
As you say - A can of worms -
It's fairly easy to deal with virus and scripts etc. unless the user can be
fooled into clicking on the wrong bit of a message
(which, from my impressions could be almost any part of a web page)
It's the sneaky ones -
as per the little x running a script,
or a link running the proper link in its background, passing on your input,
and their output as it logs your input

I advise my associates and friends to:

- Maintain a written, and printed list of their bank and other 'private' links
  so they always type them in.
- Never set remember for passwords
- Close any unusual windows by right click on the taskbar entry (or via task
  manager)
- Think up some good passwords and remember them so they have some
  pre-remembered before they have to use them
- Never click on any links unless they are certain the source of the link is
  from a recognised source,
  or they are on a fully recoverable system (e.g. at the local library, or
  internet cafe)
(so it will be a short while before I try the links you supplied)

Seems the only way to be half way safe is to have 2 PC's (or separate
caddy'd booting disks)
One for your personal private things, and one for exploring, research and
email etc.

Again, Thanks

James Button



Steven L Umbach

That sounds good. What I do for internet browsing is very similar to what
Windows 2003 Server uses for IE. I add my often used and highly trusted
sites to the "trusted" Web Content Zone where I set security at medium. I
set security at high for the internet zone. I set privacy [cookies] to at
least medium high and often high and again add my trusted sites to the
exempt list to allow cookies. In advanced settings I disable install on
demand third party and have temp files erased on closing the browser. The
downside is a bit of inconvenience if I am at a site that does not work quite
right and I may need to temporarily relax settings, but at least if I find
myself in the wrong place due to a Google search I am pretty well protected.
Sounds like you have a good plan. --- Steve


Jim B

Steven,

Thanks for the IE advice - I'll have to think about that:-
My concern is that if something gets at the favourites links it may
harvest, and modify the links.

I'm currently looking at the KB for information on how to
disable/uninstall/whatever the TCP ports -
If I can't find anything useful I'll probably have to get a firewall maybe
even abuse the plastic and buy one

-------------------------------------------

Advice for all those who have got to the point where they rely on their PC
for daily use,
and have others (The children?) who also use the PC -
I find the caddy idea is great for when the main PC has been hit by a system
wiping virus or just had loads of the windows system files wiped -

Either use a floppy or CD to boot and run a partition copy facility to copy
my working copy of c: to the base drive,
or - set the PC so it boots from the caddy drive if it's inserted
(Primary (0) IDE cable for the caddy drive, and the secondary (1) for
the normal drive)
Then I can take MY copy of the OS out of the safe, re-place the damaged C:
or just run my work, and lock the drive away again
without using the copy of the OS that has been used for whatever the
family wanted to play with

- Not forgetting the backup/recovery diskettes for the BIOS, and hard drive
partitioning
and to keep each user's data on a separate logical drive - nothing on C:
that doesn't form part of the OS
Folder of shortcut on the desktop to the users data wherever it is so the
user can easily copy the entries from their 'My Documents' area -
It can be veerrrrry annoying to lose your profile, and have windows actually
delete the "Documents and Settings" folder complete with all the user data.


Thanks again

James Button

P.S. Still no more access attempts - looks like all I had to do was follow
your advice -
but I would still like to have the PC totally impervious to
intrusion attempts.


Steven Umbach

Hi James.

There are free personal firewalls that work well. Zone Alarm is easy to
configure while Sygate and Kerio have more advanced features. I am not too fond
of the new Kerio firewall. To close ports you basically have to disable the
associated service and then you block the ones you need with a firewall or port
filtering. If you have not tried it yet the Microsoft Baseline Security Analyzer
will scan your computer and question you on services you may not need such as
telnet or web/ftp services. I prefer a firewall, however you can also use built-in
IPsec filtering to protect your W2K computer. See the links below on that
one. I like your disaster recovery plan as most do not have one. I personally
keep a spare hard drive with a base installation ready to go and also use Norton
Ghost which is good stuff and comes with SystemWorks [bought mine at New Egg for
$23]. I had TWO hard drive failures on the main family computer in three
weeks. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;813878
http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
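
Added example (not part of Steven's post): a check that the change actually closed the Windows networking ports, done by comparing `netstat -an` output saved before and after. Both captures and their addresses are constructed, and the list of watched ports is this example's own choice; which ports remain open on a real machine depends on the services it still runs.

```python
# Windows networking ports to watch for (well-known assignments).
WATCHED = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
}

# Constructed capture: before disabling NetBIOS over TCP/IP.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed capture: after the change and a reboot.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
"""


def listeners(netstat_text):
    """Return (proto, host, port) for every listening or bound socket."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows count only in LISTENING state; UDP rows have no state.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit():
            found.append((proto, host, int(port)))
    return found


def exposed(netstat_text):
    """Watched ports that are reachable from the network (not loopback)."""
    report = set()
    for proto, host, port in listeners(netstat_text):
        service = WATCHED.get((proto, port))
        if service and not host.startswith("127."):
            report.add((proto, port, host, service))
    return sorted(report)


def watched_ports(netstat_text):
    return {(proto, port) for proto, port, _host, _svc in exposed(netstat_text)}


def closed_by_change(before, after):
    """Watched ports that were open before and are gone afterwards."""
    return sorted(watched_ports(before) - watched_ports(after))


if __name__ == "__main__":
    print("Closed by the change:", closed_by_change(BEFORE, AFTER))
    print("Still open and needing a firewall or filter rule:")
    for proto, port, host, service in exposed(AFTER):
        print(f"  {proto} {port} on {host} ({service})")
```

Anything still listed after the change is a port that has to be covered by the firewall or port filtering mentioned above.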

Jim B

Steve,
Thanks again - more good advice

Having looked through some of the item threads in this forum, rather than my
initial scan for anything like my needs,
I feel that you deserve a heartfelt thanks for your informative and helpful
contributions.

I'm going to go away now and inflict some pain on my brain following up the
links you provided, and the (probably less useful) links I found in the MS
knowledgebase (some seem to indicate that I cannot just close off some
ports, they need to be - the wonderfully phrased - 'variably stealthed').


Regards, and grateful thanks again

James Button




Steven Umbach said:
Hi James.

There are free personal firewalls that work well. Zone Alarm is easy to
configure while Sygate and Kerio have more advanced features. I am not too fond
of the new Kerio firewall. To close ports you basically have to disable the
associated service and then you block the ones you need with a firewall or port
filtering. If you have not tried it yet the Microsoft Baseline Security Analyzer
will scan your computer and question you on services you may not need such as
telnet or web/ftp services. I prefer a firewall, however you can also use built
in ipsec filtering to protect your W2K computer. See the links below on that
one. I like your disaster recovery plan as most do not have one. I personally
keep a spare hard drive with a base installation ready to go and also use Norton
Ghost which is good stuff and comes with SystemWorks [bought mine at New Egg for
$23]. I had TWO hard drive failures on the main family computer in three
eeks. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;813878
http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Jim B said:
Steven,

Thanks for the IE advice - I'll have to think about that:-
My concern is that if something gets at the favourites links it may
harvest, and modify the links.

I'm currently looking at the KB for information on how to
disable/uninstall/whatever the TCP ports -
If I can't find anything useful I'll probably have to get a firewall maybe
even abuse the plastic and buy one

-------------------------------------------

Advice for all those who have got to the point where they rely on their PC
for daily use,
and have others (The children?) who also use the PC -
I find the caddy idea is great for when the main PC has been hit by a system
wiping virus or just had loads of the windows system files wiped -

Either use a floppy or CD to boot and run a partition copy facility to copy
my working copy of c: to the base drive,
or - set the PC so it boots from the caddy drive if it's inserted
(Primary (0) IDE cable for the caddy drive, and the secondary (1) for
the normal drive)
Then I can take MY copy of the OS out of the safe, re-place the damaged C:
or just run my work, and lock the drive away again
without using the copy of the OS that has been used for whatever the
family wanted to play with

- Not forgetting the backup/recovery diskettes for the BIOS, and hard drive
partitioning
and to keep each user's data on a separate logical drive - nothing on C:
that doesn't form part of the OS
Folder of shortcut on the desktop to the users data wherever it is so the
user can easily copy the entries from their 'My Documents' area -
It can be veerrrrry annoying to lose your profile, and have windows actually
delete the "Documents and Settings" folder complete with all the user data.


Thanks again

James Button

P.S. Still no more access attempts - looks like all I had to do was follow
your advice -
but I would still like to have the PC totally impervious to
intrusion attempts.


------------------------------------------------------

Steven L Umbach said:
That sounds good. What I do for internet browsing is very similar to what
Windows 2003 Server uses for IE. I add my often used and highly trusted
sites to the "trusted" Web Content Zone where I set security at medium. I
set security at high for the internet zone. I set privacy [cookies] to at
least medium high and often high and again add my trusted sites to the
exempt list to allow cookies. In advanced settings I disable install on
demand third party and have temp files erased on closing the browser. The
downside is a bit of inconvenience if I am at a site that does not work quite
right and I may need to temporarily relax settings, but at least if I find
myself in the wrong place due to a Google search I am pretty well protected.
Sounds like you have a good plan. --- Steve


Yep - It's Norton AV, gonna install a firewall soon (ASAP)
As you say - A can of worms -
It's fairly easy to deal with virus and scripts etc. unless the user can be
fooled into clicking on the wrong bit of a message
(which, from my impressions could be almost any part of a web page)
It's the sneaky ones -
as per the little x running a script,
or a link running the proper link in its background, passing on your input,
and their output as it logs your input

I advise my associates and friends to:

Maintain a written, and printed list of their bank and other 'private' links
so they always type them in.
Never set remember for passwords
Close any unusual windows by right click on the taskbar entry (or via task
manager)
Think up some good passwords and remember them so they have some
pre-remembered before they have to use them
Never click on any links unless they are certain the source of the link is
from a recognised source,
or they are on a fully recoverable system (e.g. at the local library, or
internet cafe)
(so it will be a short while before I try the links you supplied)

Seems the only way to be half way safe is to have 2 PC's (or separate
caddy'd booting disks)
One for your personal private things, and one for exploring, research and
email etc.

Again, Thanks

James Button



OK. You mentioned "Norton" and I assumed that was a firewall and maybe it is
not. A correctly configured firewall should protect you from internet
hackers trying to logon to your computer. You don't need file and print
sharing unless you are offering shares to other computers either on the lan
or over the internet via a VPN. The email issue is a whole other can of
worms. I use message rules, hardened Internet Explorer settings, Google
Toolbar pop up blocker, and my virus scanner to help me here. --- Steve

http://scan.sygatetech.com/ --- do a self scan assessment of your computer
from here.
http://www.microsoft.com/security/protect/


Steve, Andy,

Thanks for the response - I've done the NetBIOS Uninstall, and hopefully
that will stop those intrusion attempts
(when I said the PC was stand-alone - I should, perhaps have mentioned its
Broadband connection)

Hopefully, having re-booted, that intrusion path in will be shut off
(I'd already got the sharing - and 'NOT SHARED' all the drives).
(30 minutes now, and nothing naughty showing in the event log)

Now it's on to trying to find an automated way to determine which emails are
valid, with correct links, and which are spoofed versions of common bulletin
board distributions with links to spamming and other naughty sites.

Regards to all

James Button


Uninstall file and print sharing from your computer [you don't need it
anyway], and disable netbios over tcp in tcp/ip properties/advanced/wins.
Those may be normal null sessions that windows networking uses for things
like the browse list and since you have only one computer it would be the
master browser for your workgroup. I would be surprised if you are seeing
those events from a source other than your local computer. --- Steve

My stand-alone win2000 pro/Norton system is being probed
with logon attempts trying Administrator, and NT AUTHORITY
SYSTEM and ANONYMOUS.

As this system is stand-alone, and should not be accessed
via the lan or internet, it would appear that the logical
thing is to disable all logon types except for
the 'Interactive' Type 2

While I am familiar with systems internals, I do not know
the windows structures and controls, so could somebody
Please, pretty, pretty please, provide either a link to a
MS article detailing the process, or step by step process
to disable all types except the keyboard /screen
interactive logon.
 
