Remote Desktop to a machine that is 802.1x authenticated (wired ca
When I do a Remote Desktop to a machine that is 802.1x authenticated by a
user, machine authentication begins, leading to logout of the earlier logged-in
user. For some reason the machine is not able to log in, leading to
blocking of the port.
I am using IAS on Windows 2000 Server as the RADIUS server. I have a Windows XP
machine as my end host which is to be authenticated, and the configured
authentication type for 802.1x authentication on my machine is PEAP-MS-CHAP
v2. A Nevis switch acts as the authenticator.
I could find such an issue reported on Microsoft's site but it is for
wireless case.
Check the same at :-
http://www.microsoft.com/technet/network/wifi/wififaq.mspx
In Microsoft's words:-
Q. Do Remote Desktop connections work to Windows wireless clients that use
802.1X authentication?
A. Not at this time. All 802.1X-based wireless connections are affected,
including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static
WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in
Windows Vista and Windows Server "Longhorn."
So is the issue valid for wired networks as well (I feel wired/wireless
should not be an issue as supplicant behavior would be the same)?
If the issue is known, is there or will there be any hotfix to avoid this
behavior for Windows XP?
If so, I would like to know which Windows OS versions it affects.
User's Effective Permissions on Domain?
Is it possible to inventory a user's effective permissions on network
resources (servers & folders & websites) in the user's domain? For
example, Server A and Server B have multiple shares. Person 1 may have read
access to a share on A and is a local admin on B. Person 2 may have read
access for only 1 of the shares on Server B, etc. Persons 1 and 2 also have
read access to folders X and Y on ReportServer R through IIS/windows
authentication.
These permissions can accumulate through any number of groups or individual
permission settings, with increasing complexity.
At some point, managers ask: Can you tell me what Joe User has access to?
Are there third party security tools that do this? Microsoft analyzers?
Not a chance?
Any help appreciated.
Thanks.
IEEE 802.1x for Domain user accounts only
Hi all,
I've just started working with the 802.1x authentication and it's
brilliant.
The scenario I'm looking into implementing is to enable the 802.1x
authentication for specific domain accounts on a number of mobile
computers.
The laptop computers contain a number of accounts, some being domain
and local accounts. I'd like the 802.1x authentication to be enabled
only when the user logs into his domain account (which obviously will
be locally cached).
If the user logs into the local user account, 802.1x should be
disabled.
Can this be done using group policies or any other 3rd party tool ?
Any feedback/suggestions are highly appreciated.
Thank you.
Network security
Here's my situation.
In normal operation, my Windows network resides behind a reasonably robust
firewall. I use static IP addresses throughout my organization for an extra
layer of security (no DHCP clients). In addition, I have employed standard
windows best practices for security throughout my organization. Because of a
special event being held on Tuesday and Wednesday of this week I have been
forced to activate a DHCP server and allow people to use my network for
Internet connectivity.
Is there any way that I can authorize the DHCP server to distribute DHCP
addresses and then block those addresses from being able to access any of my
network resources (outside of the firewall/router)? I'm sure it goes without
saying that the information on my network is highly confidential.
Basically, here's what I need:
Maintain the current network topography (no time to implement new
routers/etc...)
Assign addresses through DHCP to random computers attaching directly to my
network.
Block those Addresses from access to all network resources except the
internet/router.
Any help you can provide will be greatly appreciated.
By the way, I do have a reasonable understanding of technical items (MCSE
NT4), but I'm relatively new to the Windows 2000/AD world.
Chris Guynn
Duplicate Administrator accounts
I have accidentally created an "administrator" account which doesn't have
administrator privileges. When I try to log on as administrator I end up
logged onto the wrong one and I can't find any way of really logging on as
administrator. No other account belongs to the administrator group, so I'm in
trouble.
mcrdsvc.exe is running at 50%+ at all times now... What to do?
I have a problem that has only started over the last week or so and I can't
seem to find a way to stop it. I have Media Center and the mcrdsvc.exe is
showing up in taskmanager running at 50% cpu and higher at all times. I have
turned off all other media center services and tried turning it off but it
always comes back on and immediately starts running at 50%+. I also noticed
it is running as a Local Service and not as a system service. I ran virus
scanners, trojan scanners and even searched for the file thinking there might
be a hidden one calling itself the same name in disguise, but haven't hit
anything.
Has anyone had this issue or know what could be causing it? I can't run any
programs because it is taking all my resources.
My system is a Pentium D 3 GHz, 4 GB RAM, a Radeon X1600 Pro, Win Media Center
2005. I scan downloads when I get them and have not that I can find gotten
infected but anything is possible. I also did searches for anything related
to this file and nothing comes up suspicious.
Thank You,
Jim C.
Latest Matrox PowerDesk SE distributes vulnerable DLLs
Hi @ll,
if you happen to have a Matrox video card and are going to install
their just released latest and greatest, WHQL-certified, unified
PowerDesk SE driver "xp2k_204_00_179_se_u_whql.exe": this will
install the two outdated and long since replaced MSXML4.DLL and
MSXML4R.DLL, at least if you don't have MSXML4 already installed.
See MSKB 927978/925627 a.k.a MS06-071.
To quote the XML team from
<http://blogs.msdn.com/xmlteam/archive/2006/10/23/using-the-right-version-of-msxml-in-internet-explorer.aspx>
| MSXML 4.0 was released to the web about 5 years ago, but at this
| point has been superseded by MSXML 6.0 and is only intended to
| support legacy applications
See also:
<http://blogs.msdn.com/xmlteam/archive/2007/03/12/msxml4-is-going-to-be-kill-bit-ed.aspx>
How can such $%*@§# pass the WHQL tests?
Stefan
sending spam
I have started receiving lots of undeliverable or blocked mail to various
email addresses, which I know is some kind of spam or virus. As this is a
company email account, I need to get rid of it quickly, before any comebacks.
Please help.
Thank you
Where to download a free network commands package ?
Hi everybody,
I have just come from the DNS Stuff Web site (www.dnsstuff.com) and I would
like to have the same functionalities installed on my computer: if
DNS Stuff is not reachable, or if one day they stop their service, or
for any other reason, I want the commands on my computer.
Here are the DNS Stuff functionalities:
DNS Report
DNS Timing
WHOIS Lookup
Spam Database Lookup
Reverse DNS lookup
IPWHOIS Lookup
IP Information
DNS Lookup
Traceroute (already in Windows)
Ping (already in Windows)
ISP Cached DNS Lookup
Abuse Lookup
URL DEOBFUSCATOR
Free E-mail Lookup
Decimal IPs
CIDR/Netmask
E-mail Test
CSE HTML Validator
I am interested in a package of individual command line commands or,
better, a graphical application which does all of these. I just want it
to be free.
If such a package exists, I will save a lot of time searching
separately for all the commands.
Thanks in advance.
Forcing users to log into Domain account when in workplace
Hi all,
I've got network with Windows 2003 servers and Active Directory
installed. Workstations are mostly mobile users who take their laptops
home during the night, and return the next day to work at the office.
All laptops have two general accounts created, one local and one
domain account. The local account is for the users to work on when at
home, while the domain account is for them to use when in the office.
I'm now looking into a solution that will 'force' the user to log into
the domain account when in the office, not allowing him to access the
local account for security reasons.
I've been searching for a clear answer, but there seems to be some
type of confusion on the topic.
If anyone can provide any suggestions or point me toward sources which
contain information that allow me to perform the above, it would be
highly appreciated!
Thanks again,
Windows 2003 Standard Server- Enterprise CA - EFS
Hey all,
I'm trying to get EFS set up for all of our client laptops and have
run into a road block. I have configured one of our domain
controllers as an Enterprise CA so I could autoenroll computers for
EFS.
I set the default domain policy to add the Root Enterprise certificate
to the "Trusted Root Certification Authorities", but when I attempt to
add a new Automatic Certificate Request--> Computer, my enterprise
(root) CA is not in the list.
From what I've read, a Win2003 Std Svr set as an Enterprise CA should
be able to issue computer autoenrollment certificates.
What am I missing? If I do get this working, will this allow me to
use EFS on our clients, or do I need User certs for that (and
Enterprise Edition)?
Thanks in advance,
Sean
Giving access to a share folder in domain A to users in Domain B
Hello everyone,
I'm not sure if I'm in the right forum or not but I will try anyway. I will
explain a bit the context of the problem. We are about to migrate our NT4
domain to a new 2003 domain (new domain name on a new server). There is
currently a dual domain trust between the 2 domains to ease the migration
process. Everything works fine until I try to share a folder in NT4 domain.
Let's say I have a local group "sales" in NT4 and a global security group
"sales" in AD. The group "Sales" in NT4 has access to a share folder named
"CLIENTS". The thing I did was to add the AD's "Sales" group into the NT4's
"sales" group (member of it) thinking the AD "sales" group would have the
same access as the NT4's "sales" group. Unfortunately it didn't work. I'm
probably missing something there because if I add a user or a group from AD's
domain directly in the "CLIENTS" folder sharing permission it works.
Basically I want both "sales" groups in both domains to have the same access
on a file server member of the NT4 domain. Is it possible to do so without
changing each folder's permissions?
Does anyone have an idea? I hope I explained it correctly.
IIS Metabase Events
Hello. I'm looking for some help on deciphering IIS Metabase Event messages
4500 thru 4512. I was hoping to get some detailed definitions for each of
these. The info I got from the Microsoft site is very generalized. We are
trying to find out what event triggers these messages so we can know who and
what caused these events. Any help will be greatly appreciated. Thanx, Tony
Email from Microsoft (?)
Hi all,
I've recently signed up to receive the MS newsletters and alerts so that I
can start to learn more about security issues in depth. Once I'm past my SBS
exam I intend to take courses in the security side, but for now I'm no expert
and relatively new to the "MS way" ...
I received an email this morning claiming to be from Microsoft with the
subject "Microsoft Security Bulletin Minor Revisions". It doesn't look
professional, beginning with text ...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 16, 2007
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS07-027
* MS07-025
* MS07-023
Bulletin Information:
=====================
* MS07-027
- http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx
- Reason for Revision: Bulletin revised due to an incorrect file
name in Arbitrary File Rewrite Vulnerability - CVE-2007-2221
killbit table; A new issue discovered with the security
update: 937409 The "File Download - Security Warning" dialog
box opens when you try to open Internet Explorer 7; Updated
file names for Internet Explorer 7
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
Anyway - I wondered 2 things ...
1. How do I check that it's actually from Microsoft and not a spoofed send
address (I have SBS2003 R2 SP2 installed but I haven't yet configured the IMF
to check the Sender ID - how do I check that manually ?)
2. How do I check that the links in the email actually point to where they
say they point to (ok I have IE7 which SHOULD prevent phishing attacks right?
but again I'm interested to know how to assure myself manually)
Thanks all. Sorry if these are dumb questions or posted in the wrong place.
Infected w-svhost / worm_rbot.ffx
I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
system32 folder. I let it clean. I have not rebooted yet. I googled and
most entries say svhost.exe is a bogus file with a worm in it. Some posts
said it was a valid process that causes problems after an MS update. I'm
confused.
I found the file svhost.exe and checked properties -- no version or
manufacturer. Its creation date was 2/15/2006 and modification date was
8/10/2004. My computer software was first loaded on 2/15/2006.
I use MCE 2005 / XP SP2 with updates.
Questions:
1. Is it a worm or a valid MS component?
2. Am I safe to reboot?
3. What other security measures should I take?
Thank you for your assistance.
--
*rain*drops*
AD 2003 Password Complexity and French Keyboard drivers
Hello, figured I'd throw this around here before buying an answer. I've got
an international client who are having trouble with password complexity,
particularly in non-English countries (France, Italy) using their countries'
Windows keyboard drivers and keyboards.
AD Default Domain Policy has the password complexity set to Disabled. The
servers are using Microsoft's passflt.dll to enforce complexity. Passwords
must be 6 in length, 1 day in age. HD personnel set a French user's password to
"Monde7" with password change required. The user logs in and is prompted for
a change, but won't accept any passwords that match the standard complexity
rules (tried many things like Friends1, !Friends^, ILtheBA!!, but all to no
avail).
1. Just what really are the hard, true password rules from Microsoft on
complexity - their published information is incorrect.
2. Is anyone having problems with password complexity simply because of
different national keyboard drivers and layouts?
The two unusual things here are that I'm not experienced with using
complexity, except for on my NT4 or older servers, being controlled by
anything except AD policy, and I've not had any great depth supporting world
wide users with Microsoft products. Thanks in advance for your input!
SSL Encryption
What happens if I
1. Encrypt a message with SSL
2. Send it over the internet
3. A couple of bytes get corrupted.
Would that prevent me from decrypting the entire message?
--
Arne Garvander
Certified .Net Geek
Professional Data Dude
SSL Security
Is an X.509 certificate the same as a public/private key pair?
--
Arne Garvander
Certified .Net Geek
Professional Data Dude
Stack smashing/buffer overflow research
Hi, let me start by apologising if these are the wrong groups to post
these kinds of messages to (I've cross-posted) but after searching the
web and not finding any good material I thought there might be someone
here who knows.
I'm a student and I'm currently working on a small project dealing
with stack smashing/buffer overflows and protection mechanisms in
modern OSes, the idea is to make a survey of the different techniques
that can be used to protect an application against these kinds of
attacks. On the Windows side I have identified three mechanisms that
I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
Space Layout Randomization) and DEP (Data Execution Prevention).
Since I'm not a security expert I can't see any way that I might be
able to circumvent any of those (even less so all of them together)
but I know there are people working with these kinds of things
(whatever their intentions are) so what I'm asking is, if there are
any known and published stack smashing/buffer overflow attacks that
can successfully circumvent the techniques mentioned above (either
just one of them or a combination).
Any information will be greatly appreciated.
PS: Mind the cross-posting when replying
--
Erik Wikström
bios password security
I have heard, and want to know if there is any truth to it, that removing the CMOS
battery will allow access to a laptop that was protected by a BIOS password?
track netbios to ip address
hi, is there an easy way to track down a rogue NetBIOS broadcaster on
our subnet?
for example, our clients are all set to workgroup "ABCD", and someone
brings in their home computer set to "MSHOME" or "Workgroup". Is there an
easier way to trace the IP address of that workstation other than
sniffing and looking at packets?
PC Pitstop
does anyone have experience with PC Pitstop optimizing software? good or
bad? useful and worth $30 or is there something better?
mark gill
Free PKI Smart Cards & CSP for Microsoft Newsgroup Participants
Hello
In response to the growing interest in Smart Cards & PKI in Windows,
the company I work for, SCsquare Ltd. is willing to ship FREE-OF-CHARGE
CSP Sample kits, each including 3 PKI Smart Cards and 1 CSP Installation CD.
To obtain the package, send your precise shipment & company details to
support@scsquare.com
Please note in the body of the message that you are responding to the
"Microsoft newsgroup participants special offer".
I hope this helps bring smart card technologies to prominence.
Eyal W.
unwelcome website
I keep having an http website popping onto my screen every couple of minutes
and a script error at about the same frequency. They appear to be linked; it
is a Chinese site and very irritating. Any help much appreciated.
Access to a specific IP for only 2 users
Hello. I have a specific IP address and I want only 2 users to be able to
access it.
Is it possible?
Regards,
Marco
NTFS Encryption
Hi,
I am trying to store the certificates for NTFS Encryption on the smartcards
of my user. It took me quite long to find a CSP which is capable of doing
so. So far it is working now but now I have some questions regarding NTFS
encryption.
I am still experimenting around. First I create an encrypted folder, then I
export the encryption certificate and import it into the smartcard and
delete the certificate from the windows store. If I now log off and on I can
only access the encrypted folder if the smartcard is inserted into the
reader. The problem here is that as soon I create a new encrypted folder
windows does not use the existing encryption certificate but generates a new
one. So I would require a separate smart card for every encrypted folder.
Any thoughts on how I can optimize this?
As I mentioned above I currently move the windows generated encryption
certificate from the windows store to the card. It would be much more
elegant if I could generate my own certificates and windows uses them for
encryption. I know that the certificate requires the "File System
Encryption" attribute. In fact some of the certificates I generated do work
fine and others are just ignored by Windows. Is there a document
about the requirements of an encryption certificate available somewhere?
Kind Regards
Your M&M
avg versus avast
is it a good idea to have both avg and avast running on xp? is one better
than the other? i have both, but avast causes startup to be soooo slow.
mark gill
Ntbackup stopped working
The whole back bone of security is your ability to back up important files,
etc.. before you need to. But if the ntbackup utility does not work, then
what is the point of using it... It should be an embarrassment to someone at
MS.
It worked flawlessly for the dozen or so times I have used it over the last
year. Now, it suddenly stopped working. I tap on the shortcut icon and it
just sits there...sputters and fizzles a bit...then goes silent.
I have uninstalled and reinstalled it about 10 times, with a registry clean
out between each install. I have loaded it fresh from the i386 folder on my
hard drive and the install CD.
I have done a sfc /scannow cmd a few times to see if that might be the
problem.
I have snooped around the Administrative tool services for some clue...to
see if there was the "usual" box with or without a tick mark, where there
wasn't or was one before...no clues.
I have gone down the list of services to see which have been arbitrarily
enabled or disabled...
Nothing has worked...and now I have a pile of previously saved files, I can
no longer use and must delete to save space...
Why must we go begging on these fora when perfectly good, well paid, MS
technicians should be able to solve the problem and post a solution in the
usual place! We are constantly paying to clean up after someone else's
issue...
New ISS Forum
Hey all. Taurus here with a new forum called "Spread the Word!" Come
check it out. It's all about Information Systems Security. Sharing of
knowledge is encouraged. New and upcoming so join and Spread the
Word!
Chat, Games, PM's and contest to come along with the following. Even
if you don't register now,
start posting and lets get the site growing. Pass on the URL to a
friend.
Thanx!
http://www.freepowerboards.com/isstoday/portal.php
"The greatest weapon against attack is unity in numbers. Train and
fight together."
P.S.
Moderators needed...check the site for info
Hope I'm not intruding on your group. If I am please let me know and
I
will remove my post.
wireless key stored in Windows
Hi,
Does anyone know where Windows stores the wireless key? I know tools such
as WirelessKeyView can retrieve the stored key. Is there any way I can find out
where those keys are stored on the machine?
thanks
Cost Effective Privacy Solutions
Web and Usenet Surfing Best Cost Effective Solution?
Having looked at www.findnot.com: the service is $295.00 USD per year, and once
they have got your money you have no control over the customer service you get
or chance of a refund either.
They offer a new service, "Privacy at Broadband speeds"?
Is it worth it? They do keep logs for 5 days, so they say.
The best way is to use the "Onion" peeling method, Tor; this is extremely
slow.
Then there is "Clouds" by AT&T Research.
Not sure on this one, it seems extremely complicated.
Secursurf by Securestar for 80 Euros a year; I am told this can be
slow.
The Firefox browser has also introduced an Add-On Privacy Extension.
Usenetserver for Usenet, encrypted.
Anyone know what's the best solution without tremendous complication
and expense?
SSelfPity
Security Setting
Hi,
I'm getting the following error message when I tried to compile my C
program using the MS Visual C++ .NET IDE.
"The user's security settings prevent the process from being created."
"These settings are required for building"
I guess there must be a security setting that must be done in Windows XP
Pro (which I'm running). I tried many ways, but nothing seems to be
helping.
Windows Firewall/Norton IS removal
I uninstalled Norton IS 2005 with their removal tool from the Symantec
site. It seemed to do a good job and all was well. However, my "Windows
Security Center" still says "Norton Internet Security is currently ON."
I've deleted all the residue Symantec/Norton folders left on my drive
by the removal tool and have removed almost all of the Norton/Symantec
registry items.
Any help, please?
Thanks!
Masses of 529 Errors!
I have often seen these errors in the security log at the rate of up to
hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
them. Is this something I should be worrying about? Obviously the fact that
I know about it means that who/whatever is doing this is unsuccessful. Below
is pasted one of the events:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/05/2007
Time: 10:20:37 PM
User: NT AUTHORITY\SYSTEM
Computer: <my sbs server>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: anonymous
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <my sbs server>
User Name: <my sbs server>
Caller Domain: <my domain>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1216
Transited Services: -
Source Network Address: -
Source Port: -
Advice most welcome, please.
Bill
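A small triage script for a paste of event 529 text like the one above, as an added example that is not part of the original post. It splits the paste into events, reads the fields, and separates failures raised by a process running as LocalSystem on the server itself (the pasted event's combination of Logon Process Advapi, Caller Logon ID (0x0,0x3E7) and no source address) from failures arriving from a remote host; the sample events, host and domain names are constructed placeholders.

```python
"""Triage pasted Windows 2003 Security event 529 (logon failure) text.

Added example, not from the original post. The events are constructed in
the same field layout as the one pasted above; host and domain names are
placeholders.
"""
import re
from collections import Counter

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
LOCAL_SYSTEM_LOGON_ID = "(0x0,0x3E7)"   # well-known logon session ID of LocalSystem

# Template mirroring the pasted event, including its second 'User Name:'
# line, which carries the calling account.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/05/2007
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: SBSSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: {process}
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: {workstation}
User Name: {caller_user}
Caller Domain: EXAMPLE
Caller Logon ID: {caller_logon_id}
Caller Process ID: {caller_pid}
Transited Services: -
Source Network Address: {source}
Source Port: -
"""


def _event(time, user, process, caller_logon_id, caller_pid, source,
           workstation="SBSSERVER", caller_user="SBSSERVER$"):
    return EVENT_TEMPLATE.format(time=time, user=user, process=process,
                                 caller_logon_id=caller_logon_id, caller_pid=caller_pid,
                                 source=source, workstation=workstation,
                                 caller_user=caller_user)


# Constructed paste: two failures raised by a local process (PID 1216) and one
# arriving from a remote workstation over NTLM.
SAMPLE_PASTE = (
    _event("10:20:37 PM", "anonymous", "Advapi", LOCAL_SYSTEM_LOGON_ID, "1216", "-")
    + _event("10:20:38 PM", "anonymous", "Advapi", LOCAL_SYSTEM_LOGON_ID, "1216", "-")
    + _event("10:21:02 PM", "jsmith", "NtLmSsp", "-", "-", "192.0.2.55",
             workstation="WS17", caller_user="-")
)


def parse_event(block):
    """Turn one 'Event Type: ...' block into a dict of field -> value."""
    fields = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in fields:          # repeated label: the second 'User Name' is the caller
            key = "Caller " + key
        fields[key] = value
    return fields


def split_events(text):
    """Split a paste holding several events on the 'Event Type:' header."""
    return [parse_event(p) for p in re.split(r"(?m)^(?=Event Type:)", text) if p.strip()]


def classify(ev):
    """Coarse origin of a 529: remote host, local SYSTEM process, or other."""
    if ev.get("Source Network Address", "-") not in ("-", ""):
        return "remote"
    # Logon Process Advapi with the LocalSystem caller session means something
    # running as SYSTEM on this box called LogonUser() with a bad credential;
    # the Caller Process ID says which process to look at.
    if ev.get("Logon Process") == "Advapi" and ev.get("Caller Logon ID") == LOCAL_SYSTEM_LOGON_ID:
        return "local-system-process"
    return "other"


def summarise(text, per_pid_threshold=2):
    """Count events by origin and by caller PID; list local PIDs at or above the threshold."""
    events = split_events(text)
    origins = Counter(classify(e) for e in events)
    pids = Counter(e.get("Caller Process ID", "-") for e in events
                   if classify(e) == "local-system-process")
    noisy = sorted(pid for pid, n in pids.items() if n >= per_pid_threshold)
    return {"total": len(events), "origins": dict(origins),
            "caller_pids": dict(pids), "noisy_pids": noisy}


if __name__ == "__main__":
    print(summarise(SAMPLE_PASTE))
```

On a real export, feed the whole day's 529 events through `summarise` with a higher threshold; a single local PID accounting for nearly all of them points at one misconfigured service rather than at guessing from the network.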
Network Connection Constantly Sending and Receiving
Hi,
I have a client machine that is constantly transmitting and receiving bytes.
In the past day and a half it has sent 32 billion bytes and received 23
billion bytes. I have run Symantec Antivirus full scan with no results. I
have run the latest Microsoft Malicious Software Removal Tool with no results.
I ran Windows Defender with no results. I did a netstat on the machine and
it has an open port to all of our client machines on our LAN. For some of
the machines 2 or 3 ports. I am going to run a couple of rootkit detectors
as well. Can I close the ports on the one client machine manually? If so
how?
Thanks,
Steve
--
Steve
Systems Administrator
PSI
Migrating from single enterprise root CA to different root CA
Hi all,
due to extended cooperation with other companies we now have to set up a
shared PKI with our business partners.
Currently, we have got a single enterprise root CA for our Active Directory
(single domain) in place. It has been running for about two years now and
there is quite a number of certificates issued (>1000). The challenge we are
facing now is migrating from our local root CA to the shared public root CA
without the current certificates becoming invalid.
Public root CA (offline) is already in place. The responsible administration
team will provide an intermediate CA for our company, and we would like to
keep that one offline, too, and set up an issuing enterprise CA for our AD.
I thought about that for some time and determined that there is no need to keep
the current enterprise root CA running once all certificates have been
replaced by new ones. Because of that I would like to avoid
cross-certification and migrate in the following way:
- Publish new public root CA and intermediate CA to AD
- Set up issuing CA as enterprise subordinate
- re-issue certificates when suitable
I have now encountered some points which are not clear to me:
- Is this a valid migration path from a technical perspective?
- Is it possible to publish multiple root CAs to AD?
- Will the issued certificates stay valid with the new PKI in place until
they are replaced?
- How can I achieve that new certificates from our customized V2 templates
are issued by the new issuing CA instead of our old enterprise root CA?
Thanks in advance for your help!
DoS?
First post here.
I've attached a snippet from my Kiwi Syslog from a customer's server.
Take a look at the times and you'll see I'm getting bombarded with
SMTP -- over 40 in half a minute, but sometimes as many as fifteen a
second -- from IP addresses in the 72.34.1xx.xxx range. I've Googled
some of them at random and the only connection is that they are all
from the same ISP in Texas. I first noticed the problem when the
Exchange server crashed. I blocked the ISP's entire block at the router,
but obviously this volume of traffic is still affecting things.
Does anyone have an idea where to start with this? Any help will be
much appreciated.
Thanks,
Mark
05-10-2007 11:47:11 Local0.Warning 192.168.0.1 IP: Packet discarded
from 63.170.10.91 port 60668 to xxx.xxx.xxx.xxx port 25 (TCP)
(incorrect state) @2007-05-10-12:47:12
05-10-2007 11:47:11 Local0.Warning 192.168.0.1 IP: entry duplicated 3
times @2007-05-10-12:47:10
05-10-2007 11:47:09 Local0.Warning 192.168.0.1 IP: Packet discarded
from 63.170.10.91 port 60679 to xxx.xxx.xxx.xxx port 25 (TCP)
(incorrect state) @2007-05-10-12:47:10
05-10-2007 11:47:09 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.174.68 port 51646 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:10
05-10-2007 11:47:08 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:08 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:09
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:06
05-10-2007 11:47:01 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:47:03
05-10-2007 11:46:57 Local0.Info 192.168.0.1 IP: Packet allowed from
130.13.100.122 port 2492 to xxx.xxx.xxx.xxx port 443 (TCP)(allow by
HTTPS) @2007-05-10-12:46:59
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.166.70 port 42172 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.163.240 port 41907 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.169.108 port 50974 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.166.133 port 50915 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.169.202 port 42518 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.223 port 42407 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.168.178 port 42107 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 219.148.119.6 port 6000 to xxx.xxx.xxx.xxx port 7212 (TCP)(no NAT
port) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.167.199 port 50697 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.162.151 port 41557 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.164.35 port 41449 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:54
05-10-2007 11:46:51 Local0.Info 192.168.0.1 IP: Packet allowed from
63.170.10.91 port 60995 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:53
05-10-2007 11:46:50 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.175.8 port 48881 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:51
05-10-2007 11:46:49 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:51
05-10-2007 11:46:49 Local0.Warning 192.168.0.1 IP: Packet discarded
from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound
rule) @2007-05-10-12:46:50
05-10-2007 11:46:45 Local0.Info 192.168.0.1 IP: Packet allowed from
63.170.10.91 port 60820 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:47
05-10-2007 11:46:45 Local0.Info 192.168.0.1 IP: Packet allowed from
63.170.10.91 port 60819 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:47
05-10-2007 11:46:44 Local0.Info 192.168.0.1 IP: Packet allowed from
63.170.10.91 port 60779 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by
SMTP) @2007-05-10-12:46:45
05-10-2007 11:46:44 Local0.Warning 192.168.0.1 IP: Packet discarded
from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard
rule) @2007-05-10-12:46:45
05-10-2007 11:46:43 Local0.Warning 192.168.0.1 IP: Packet discarded
from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound
rule) @2007-05-10-12:46:44 Tag: security logs Tag: 93052
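The excerpt above is one firewall's syslog feed, and the events worth acting on are buried among TCP retransmits of the same blocked flow. The script below is an added example (not part of the original post) that parses lines in exactly this format, counts *distinct* discarded flows by source /24 and destination port, and separates out blocked outbound connections from internal hosts. The sample lines are copied from the excerpt with the post's line wrapping removed; the masked destination `xxx.xxx.xxx.xxx` is kept as-is, and the RFC 1918 ranges used to decide what is "internal" are an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: entries copied from the excerpt above, one event per line.
SAMPLE_LOG = """\
05-10-2007 11:47:09 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.174.68 port 51646 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:10
05-10-2007 11:47:08 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09
05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06
05-10-2007 11:46:57 Local0.Info 192.168.0.1 IP: Packet allowed from 130.13.100.122 port 2492 to xxx.xxx.xxx.xxx port 443 (TCP)(allow by HTTPS) @2007-05-10-12:46:59
05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 219.148.119.6 port 6000 to xxx.xxx.xxx.xxx port 7212 (TCP)(no NAT port) @2007-05-10-12:46:54
05-10-2007 11:46:51 Local0.Info 192.168.0.1 IP: Packet allowed from 63.170.10.91 port 60995 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:53
05-10-2007 11:46:49 Local0.Warning 192.168.0.1 IP: Packet discarded from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound rule) @2007-05-10-12:46:50
05-10-2007 11:46:43 Local0.Warning 192.168.0.1 IP: Packet discarded from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound rule) @2007-05-10-12:46:44
"""

# One regex for the whole line; the trailing "@<device timestamp>" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<facility>\S+) (?P<device>\S+) "
    r"IP: Packet (?P<action>allowed|discarded) from (?P<src>\S+) port (?P<sport>\d+) "
    r"to (?P<dst>\S+) port (?P<dport>\d+) \((?P<proto>\w+)\)\((?P<rule>[^)]*)\)"
)

# Assumption: these RFC 1918 ranges are the site's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(addr):
    try:
        ip = ip_address(addr)
    except ValueError:          # the masked "xxx.xxx.xxx.xxx" address in the post
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text):
    """Summarise discarded traffic by distinct flow (src ip, src port, dst, dst port),
    so that retransmits seconds apart are not counted as extra attempts."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    seen_flows = set()
    by_src_net = Counter()
    by_dport = Counter()
    outbound_blocked = []
    for ev in events:
        if ev["action"] != "discarded":
            continue
        flow = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if flow in seen_flows:
            continue
        seen_flows.add(flow)
        if is_internal(ev["src"]):
            # An internal host tripping the outbound rule is the item to investigate first.
            outbound_blocked.append(flow)
            continue
        net = ip_network(ev["src"] + "/24", strict=False).with_prefixlen
        by_src_net[net] += 1
        by_dport[ev["dport"]] += 1
    return {
        "events": len(events),
        "inbound_discards_by_src_net": dict(by_src_net),
        "inbound_discards_by_dport": dict(by_dport),
        "outbound_blocked": outbound_blocked,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the full excerpt the inbound picture is a sweep against TCP 25 from many hosts in 72.34.0.0/16, which the discard rule is already handling; the single line that needs a human is the blocked outbound attempt from 192.168.0.21 to TCP 6667 (the conventional IRC port), which points at a host on the inside that should be looked at.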
MSSecure.XML file will EXPIRE after October 9, 2007
On October 9, 2007, the MSSecure.XML file used by MBSA 1.2.1 will no longer
be updated. After this date, no new security updates will be added to the
MSSecure.XML file used by MBSA 1.2.1 and no new versions of the Enterprise
Scan Tool will be released for standalone use.
Customers who require a free standalone security update and VA assessment
tool are strongly encouraged to upgrade to MBSA 2.0.1 or the MBSA 2.1 beta.
Based on Microsoft Update technologies, MBSA 2.0.1 and MBSA 2.1 beta provide
consistent results across all Microsoft update technologies (SMS, WSUS
Server and Microsoft Update) and provide the most comprehensive security
update detection available from Microsoft.
Aside from Microsoft SMS 2.0 / 2003 and MBSA 1.2.1, non-Microsoft products,
scripts or tools based on the Microsoft MSSecure.XML file are not supported
and should have already moved to updated or newer technologies that do not
rely on the MSSecure.XML file.
For more details, please visit the MBSA home page at www.microsoft.com/mbsa.
--
Doug Neal [MSFT]
dugn@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only. Tag: security logs Tag: 93051
Restricting interactive login only to terminal services
Hello,
I want to set up my win 2003 server (with Terminal Server (TS) role)
so that all users (non-admin, or specified exceptions) have the right
to log in interactively only via TS, but not via console login. This
restriction should not be domain-wide, but only on the TS/DC itself.
Knowing the flexibility of Windows I am sure this can be done. I am
totally comfortable with messing with something like scripting or wmi
filtering if there's no "user-friendly" way of achieving this.
Thank you. Tag: security logs Tag: 93042
MBSA 2.1 Beta 2 Now Available
A revised beta 2 version of the upcoming Microsoft Baseline Security
Analyzer 2.1 scan tool has been released for immediate download.
Microsoft Baseline Security Analyzer (MBSA) is a free, standalone scan tool
designed for the IT professional that helps small- and medium-sized
businesses determine their security state in accordance with Microsoft
security recommendations and offers specific remediation guidance. Improve
your security management process by using MBSA to detect common security
misconfigurations and missing security updates on your computer systems.
MBSA 2.1 Beta 2 is now available from the MBSA home page
(www.microsoft.com/mbsa) and includes full support for Vista and Windows
Server code-named 'Longhorn' in addition to Windows 2000, Windows XP and
Windows Server 2003.
MBSA 2.1 Beta 2 includes full support for Vista, WSUS 3.0 compatibility, an
updated UI and revised vulnerability assessment (VA) checks for x64
platforms.
All versions are available from the MBSA 2.1 landing page
(http://www.microsoft.com/technet/security/tools/mbsa2_1/default.mspx) or
you can download the x86 and x64 versions directly from the Microsoft
Download Center at the following locations:
x86 version
http://www.microsoft.com/downloads/details.aspx?FamilyId=F32921AF-9DBE-4DCE-889E-ECF997EB18E9
x64 version
http://www.microsoft.com/downloads/details.aspx?FamilyId=0F90BCDB-9A6F-49D9-9FDC-4BC70BB31BF2
Please feel free to post questions, bug reports or suggestions to the MBSA
public newsgroup at Microsoft.public.security.baseline_analyzer
--
Doug Neal [MSFT]
dugn@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx
This e-mail address does not receive e-mail, but is used for newsgroup
postings only. Tag: security logs Tag: 93035
cpv.feed.com
Ugghhh! Okay, I have tried all the spyware, anti-virus, etc. that I have
access to, but we keep getting a pop up for cpv.feed.com. Has anyone else
ever dealt with this? Know what it is? How to get rid of it? I have my pop-up
blocker on and I am not completely computer illiterate, but I just can't seem
to get this dumb thing to stop. I have run avg, spybot, microsoft malicious
software removal tool. Can anyone help? Thanks,
Diane Tag: security logs Tag: 93029
Running .exe
Hello all,
I am having an issue running .exe on my 2003 server. They will run under the
administrator all the time and one other profile but no more. It gives me :
Windows cannot access the specified device, path or file. You may not have
the appropriate permissions to access the item.
I'm logging on with domain administrator accounts and they all have full
control of the folder and everything in them. I have three servers that will
let one admin run it and not the other and vice-versa on the others. Has
anyone seen this? I thought it was an sp.2 issue, then an sp.1, but it does not
seem to be. If anyone has any clue I would greatly appreciate any help.
Thanks,
David Tag: security logs Tag: 93028
Is complete access in a win 2003 domain a possibility?
I am an IT administrator of a very small company and was wondering if it was
possible to create a security group to add my username to that has access to
anything and everything. Just being a member of the administrators group
still seems to have denies for certain permissions. And if I create a
security group and set grants for everything in adsiedit it then allows for
some permissions that the administrators group is denied but then denies
other permissions. Being 1 of the 2 people that administrate this company I
figured it would be easier for us to have access to everything rather than
delegating specific permissions to each person. Tag: security logs Tag: 93027
How encryption keys should be distributed?
Several software applications need to encrypt and decrypt data,
requiring either a single key in symmetrical encryption algorithms or
public/private keys in asymmetrical algorithms, but how should these keys
be distributed?
Embedding the key(s) within the application executable is a very
vulnerable approach, since an attacker may trace API calls, or run the
application under a debugger and simply halt the program when the keys
have been reconstructed.
And what about the risk of distributing the key embedded within every
executable copy: if some attacker gets this key he can make it
public, and every user of this application may use it to break his own
installation.
Can anyone give me any suggestion? Or point me in the correct
direction to avoid these problems? Tag: security logs Tag: 93025
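The two failure modes the question describes (a key readable out of the binary, and one key shared by every installation) can be shown side by side. The script below is an added example, not the poster's code: it contrasts a key compiled into the executable with a per-installation key derived from a secret the program does not contain (a user passphrase, or a key fetched from an OS key store or a server at install time). The cipher is a toy HMAC-SHA256 counter-mode construction so the example runs on the standard library alone; it stands in for a real AEAD such as AES-GCM. The key and secret values are constructed placeholders.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode. Used only so this example
    runs on the standard library; a real application would use AES-GCM or similar."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting, so a wrong key fails instead of
    silently yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return keystream_xor(key, nonce, ct)


# --- Design 1 (what the post warns about): one key compiled into every copy.
# Constructed placeholder; in a shipped binary it sits in the data section of
# every installation, so every installation shares one secret.
EMBEDDED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def embedded_key_encrypt(plaintext):
    return seal(EMBEDDED_KEY, plaintext)


# --- Design 2: a per-installation key derived from a secret that is not in the
# binary. Only the random salt is stored next to the ciphertext.
def derive_install_key(install_secret, salt):
    return hashlib.pbkdf2_hmac("sha256", install_secret, salt, 200_000, dklen=32)


def install_encrypt(install_secret, plaintext):
    salt = os.urandom(16)
    return salt + seal(derive_install_key(install_secret, salt), plaintext)


def install_decrypt(install_secret, blob):
    salt, sealed = blob[:16], blob[16:]
    return unseal(derive_install_key(install_secret, salt), sealed)


def compare_designs():
    """Returns (shared_key_opens_other_install, per_install_key_opens_other_install)."""
    data = b"customer record written by installation A"
    # Installation B ships the same binary, hence the same EMBEDDED_KEY: A's data opens.
    blob = embedded_key_encrypt(data)
    shared_opens = unseal(EMBEDDED_KEY, blob) == data
    # With per-install secrets (constructed values), B's secret does not unlock A's data.
    blob = install_encrypt(b"secret-held-by-install-A", data)
    try:
        install_decrypt(b"secret-held-by-install-B", blob)
        per_install_opens = True
    except ValueError:
        per_install_opens = False
    return shared_opens, per_install_opens


if __name__ == "__main__":
    print(compare_designs())  # (True, False)
```

The point of the contrast is that in design 1 the compromise of any single copy is the compromise of all of them, exactly as the question says, whereas in design 2 the binary holds no long-term secret at all, so reading it out yields nothing and a leaked install secret exposes only that installation.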
What SIDS need permisions to start my service?
Here is the short version. I have an application which has a service
component. It is a requirement that the service component be running only
when the application is running, so AutoStart is not an option.
I want to grant the following permissions on my service
READ_CONTROL |
SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_START |
SERVICE_STOP |
SERVICE_PAUSE_CONTINUE |
SERVICE_INTERROGATE
to all users on the local machine. Currently I am granting this access to
Everyone, Users, and Guest. This approach definitely gives permissions to the
accounts I need.. but is this a security risk (I am only concerned about
security risks involving remote attacks, not ones that originate from the
local machine). Should I be granting access to just "Guest and Users" or
maybe "Guests and Authenticated Users"? Also note, the machines may or may
not be on a domain.. the target OS is 2k,xp,vista(32/64). This may be
deployed on a large number of laptops (and I mean laaarrrggge).
Can anyone shed some light on this issue? Tag: security logs Tag: 93020
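The rights listed in the question map directly onto the two-letter codes that `sc sdshow` prints and `sc sdset` accepts in an SDDL security descriptor. The script below is an added example, not the poster's code: it builds the access mask and the SDDL ACE for that right set, decodes an ACE back into named rights for auditing, and checks whether a grant includes any of the rights that would let the holder change the service binary path or rewrite the ACL. The right-to-code table comes from winsvc.h/winnt.h; the policy in `LEAST_PRIVILEGE` is a constructed illustration, not a Windows default.

```python
# Service-specific rights (winsvc.h) and standard rights (winnt.h) with their
# SDDL codes, in the order sc.exe prints them.
ACCESS_RIGHTS = [
    ("SERVICE_QUERY_CONFIG",         0x0001,     "CC"),
    ("SERVICE_CHANGE_CONFIG",        0x0002,     "DC"),
    ("SERVICE_QUERY_STATUS",         0x0004,     "LC"),
    ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008,     "SW"),
    ("SERVICE_START",                0x0010,     "RP"),
    ("SERVICE_STOP",                 0x0020,     "WP"),
    ("SERVICE_PAUSE_CONTINUE",       0x0040,     "DT"),
    ("SERVICE_INTERROGATE",          0x0080,     "LO"),
    ("SERVICE_USER_DEFINED_CONTROL", 0x0100,     "CR"),
    ("DELETE",                       0x00010000, "SD"),
    ("READ_CONTROL",                 0x00020000, "RC"),
    ("WRITE_DAC",                    0x00040000, "WD"),
    ("WRITE_OWNER",                  0x00080000, "WO"),
]
MASK_OF = {name: mask for name, mask, _ in ACCESS_RIGHTS}
NAME_OF_CODE = {code: name for name, _, code in ACCESS_RIGHTS}
ALL_RIGHTS = [name for name, _, _ in ACCESS_RIGHTS]

# Rights that let the holder change what the service runs, or who controls it.
WRITE_RIGHTS = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# The set the question wants to grant to every local user.
REQUESTED = [
    "READ_CONTROL", "SERVICE_QUERY_CONFIG", "SERVICE_QUERY_STATUS",
    "SERVICE_ENUMERATE_DEPENDENTS", "SERVICE_START", "SERVICE_STOP",
    "SERVICE_PAUSE_CONTINUE", "SERVICE_INTERROGATE",
]


def mask_for(names):
    """Combine named rights into the numeric access mask."""
    mask = 0
    for name in names:
        mask |= MASK_OF[name]
    return mask


def rights_string(names):
    """Rights field of an SDDL ACE, e.g. 'CCLCSWRPWPDTLORC'."""
    wanted = set(names)
    return "".join(code for name, _, code in ACCESS_RIGHTS if name in wanted)


def rights_from_sddl(field):
    """Inverse of rights_string: decode the rights field of an ACE from
    `sc sdshow` output into names (two-letter codes only; generic/hex forms
    are rejected)."""
    names = []
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in NAME_OF_CODE:
            raise ValueError("unsupported rights code %r" % code)
        names.append(NAME_OF_CODE[code])
    return names


def allow_ace(sid, names):
    return "(A;;%s;;;%s)" % (rights_string(names), sid)


def dacl(grants):
    """grants: list of (SID string, rights) pairs -> DACL in the form sc sdset takes."""
    return "D:" + "".join(allow_ace(sid, names) for sid, names in grants)


def write_rights_in(names):
    """Rights in the grant that go beyond start/stop/query; should be empty for
    a grant handed to ordinary users."""
    return sorted(WRITE_RIGHTS & set(names))


# Well-known SID strings: SY = LocalSystem, BA = Builtin\Administrators,
# AU = Authenticated Users (also WD = Everyone, BU = Builtin\Users, BG = Builtin\Guests).
# The Guest *account* has no SDDL shorthand; it is the machine SID with RID 501.
LEAST_PRIVILEGE = [
    ("SY", ALL_RIGHTS),
    ("BA", ALL_RIGHTS),     # administrators keep full control
    ("AU", REQUESTED),      # authenticated users: start/stop/query only
]


if __name__ == "__main__":
    print(hex(mask_for(REQUESTED)))            # 0x200fd
    print(dacl(LEAST_PRIVILEGE))
    print(write_rights_in(REQUESTED))          # []
```

Two things the check makes visible. First, the requested mask contains none of the write rights, so whoever holds it can start, stop and query the service but cannot repoint its binary (SERVICE_CHANGE_CONFIG), delete it, or rewrite its ACL; that is what keeps the grant from being a local privilege-escalation path regardless of which group receives it. Second, choosing Authenticated Users rather than Everyone answers the remote-attack concern directly: Authenticated Users excludes the anonymous (null-session) logon, whereas on Windows 2000 Everyone included it by default, which matters on machines that are not domain-joined and sit on untrusted networks.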
microbillsys / MBS Account Manager
I write with reference to the above & your recent correspondence with
alister28. I have managed to stop the pop ups but due to my previous
correspondence via e-mail they say I have an outstanding bill to pay
which is causing grave concern. I think I may be being scammed &
wondered if there was anything else I could do. Am I legally bound to
pay? Tag: security logs Tag: 93016
Microsoft Takes on Google and Yahoo with Microsoft Adcenter and Adlabs
Learn how you can gain up to 20% ROI http://blog.yourseoconsulting.com/labels/case-studies.html
by switching to Microsoft Adcenter and take advantage of their keyword
forecasting tools and professional attitude to online advertising. Tag: security logs Tag: 93010
I need logs for simulation purposes to detect the attacks. Where can I
find web repositories for logs.
> I need logs for simulation purposes to detect the attacks. Where can I
> find web repositories for logs.
You have to provide more information as I am not sure what you mean
by saying 'logs'. Actually, I think that you are talking of NIDS/HIPS
(IDS/IPS). Try out Snort ;-)