Steven
Tue May 16 13:13:43 CDT 2006
Well, there can be a lot going on. The first thing I would do is to enable
auditing of account management via Local Security Policy on the server or
domain controller if domain user accounts are involved, and then you can view
the security logs via Event Viewer to see what user is doing this and from
what computer, assuming he is not clearing the security logs or disabling
auditing. You don't tell us much about your configuration, such as if it is
a standalone server, a domain member, or if there are other computers on
the network or not.

The solution would not be installing software but taking steps to harden
your server. There are free tools from SysInternals that can help you find
unauthorized processes running on the computer, such as TCPView, Autoruns,
and Process Explorer, and of course malware scans should be done, being sure
to use the latest definitions for any program used to scan for such. However,
your description indicates that someone else now owns your computer, and the
only real way to make sure it is secure is to back up data [including EFS
user private key to a .pfx file if EFS is used] and to do a pristine install
of the operating system to a formatted system drive, being sure to use a
different administrator password that you never have used before. If you are
considering such, be sure to educate yourself on how to minimize future
chances of compromise, and if you have any questions on that, many here could
help. The links below are a good start. --- Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process Explorer and link to SysInternals
http://www.microsoft.com/technet/security/prodtech/windows2000.mspx --- TechNet security on Windows 2000
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- Microsoft Baseline Security Analyzer

"server 2000 Group policy for windows xp"
<server2000Grouppolicyforwindowsxp@discussions.microsoft.com> wrote in
message news:2450C19F-79AB-4134-BC4D-7666A7D2ADFC@microsoft.com...
> Hi, everyone, thanks for any help in advance. I have Windows 2000 Server,
> with a Juniper hardware firewall. For some reason, in the last 2 weeks a very
> strange thing has been happening: some user passwords have been changed,
> some new user has been created. I would like to know what kind of software I
> can use to protect and monitor my server for this kind of attack.
>
> Thanks for any help here.
>
> R.M
>
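
An added example, not part of the post above: once account-management auditing is on, the security log can be exported and reviewed for who created accounts or set passwords, and for signs that the log was cleared or the audit policy changed. The event IDs are the Windows 2000 / Server 2003 security-log IDs; the CSV column layout, account names and sample rows are constructed for illustration and are an assumption, not Event Viewer's own export format.

```python
import csv
import io
from collections import defaultdict

# Windows 2000 / Server 2003 security-log event IDs for account management.
ACCOUNT_EVENTS = {
    "624": "user account created",
    "627": "change password attempt",
    "628": "user account password set",
    "642": "user account changed",
}
# Events that suggest someone is hiding activity.
TAMPER_EVENTS = {
    "517": "audit log cleared",
    "612": "audit policy changed",
}

# Constructed sample export (assumed columns: time, event_id, caller, target).
SAMPLE = """\
time,event_id,caller,target
2006-05-14 02:11:09,528,jsmith,
2006-05-14 02:13:40,624,svc_backup,helpdesk2
2006-05-14 02:13:41,628,svc_backup,helpdesk2
2006-05-14 02:15:02,628,svc_backup,mjones
2006-05-14 02:16:30,612,svc_backup,
2006-05-15 09:01:12,627,mjones,mjones
2006-05-15 23:50:00,517,svc_backup,
"""

def review(export_text):
    """Group account-management events by the account that performed them
    and collect log-tampering events separately."""
    by_caller = defaultdict(list)
    tamper = []
    for row in csv.DictReader(io.StringIO(export_text)):
        eid = row["event_id"].strip()
        if eid in ACCOUNT_EVENTS:
            by_caller[row["caller"]].append(
                (row["time"], ACCOUNT_EVENTS[eid], row["target"]))
        elif eid in TAMPER_EVENTS:
            tamper.append((row["time"], TAMPER_EVENTS[eid], row["caller"]))
    return dict(by_caller), tamper

if __name__ == "__main__":
    changes, tamper = review(SAMPLE)
    for caller, events in changes.items():
        print(caller, "made", len(events), "account changes:", events)
    for when, what, who in tamper:
        print("WARNING:", when, what, "by", who)
```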