[Dshield] Windoze Questions...SAMBA + Windows AD Question

Laurie Kennedy cblmaint at cblptyltd.com.au
Wed Feb 18 23:09:07 GMT 2004

----- Original Message ----- 
From: "Al Reust" <areust at comcast.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, February 17, 2004 2:49 PM
Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question

> Laurie
> If you use remote administration, it is a Good thing that Snort tells you
> someone hooked into IPC$. It should be (the remote IP) within your IP
> (DHCP or known remote IPs), if it is outside your IP range then you have a
> compromised system and the IP where it came from. Depending on your actual
> setup you could be seeing something that is quite normal (internal
> application touching the server).


I do NOT use remote administration and there is no external access allowed
through the company hardware firewall. All machines are patched and have the
latest AV updates every day, some with multiple AV's. There are many layers
of protection in the network I maintain including S/w firewalls on all
boxes. The Samba Server is locked up tight and no other servers are enabled.

> However to remove those pesky administrative/hidden shares, Microsoft
> explains how to create Hidden or Remove them (yes some registry editing is
> required and once you have accomplished that you can replicate it)

I never liked those shares and I have been working with software from
Motorola Assembler at Uni (B.Sc.(comp) 1993), to MS software from (DOS
(Disk Operating System)) Basica, Quick Basic, Visual Basic Dos V1, MS-FP
from FP2.6 to MS VFP Win 7.0 among others. I originally started working in
databases with Kman (MDBS) then switched to other Xbase variants. I actually
prefer CA's dBfast (on 95, 98a&b, 2000 and XP) because it has a basic rule
set that doesn't change over time (since '95), not to mention speed and a
very transparent code based event loop.

I worked for Civil Engineering Consulting Engineers, prior to switching to
comms in the field for Telecom Australia working on complex exchange
cutovers (when the power went out our phones kept working), then I switched
to software development and worked for the District Telecom
Engineers/Engineering Managers on various Design office projects and finally
the Queensland Networks manager. Our engineering section introduced the
first cable TV network in Australia. I have been working on network security
for the last couple of years.

The only 'unauthorised' access to our network has been via our government
and MS 'patches' as explained in my previous DShield post 'Unauthorised
program access', while all of the multiple layers of (up to date) protection
have said nothing is wrong. Let's face reality, the 'integration' of many MS
products from Win2000/XP on has opened up a Pandora's box for all kinds of
hackers (I don't hack). The KIS rule has been broken and everybody faces the

> So now that you have gotten that out of your system. Are there questions
> that we can help with?

So now that you have gotten that out of your system. Are there any questions
that I can help you with?


Laurence N. Kennedy
Competency Based Learning

p.s. Al and list, please note that this is not a 'flame', there are some
very serious problems with things and unless the current 'sophist-icated'
attitudes change, things will only get worse.

