Downgrade Attack messages


Bill Bethea
June 2nd 04, 08:06 PM
I'm on a Windows XP Professional work station. Last
several weeks, my user account keeps getting locked out
of the network (A Win2K Server running active directory.)
I can't find any applications which might be trying to
log in with older account information.

The event log for System events reads:

The Security System detected an attempted downgrade
attack for server cifs/Stage.eiglobal.net. The failure
code from authentication protocol Kerberos was "The user
account has been automatically locked because too many
invalid logon attempts or password change attempts have
been requested.
(0xc0000234)".

How do I resolve this issue?

pauly [MSFT]
June 2nd 04, 11:24 PM
Hi Bill.

It looks like there may be a hacker or malware attempting to compromise
this machine in your domain based on what looks like repeated failed
logon/password guessing attempts.

Recommendations:

1. Review all local and domain Administrator and User accounts - confirm
they are valid.

2. Review all Groups and Shares. Confirm all are valid.

3. Review all 3rd party Services on your machine for validity.

4. Keep all client and server machines on your network current with
Security and Critical updates using Windows Update, SUS or SMS.

WINDOWS UPDATE:
http://windowsupdate.microsoft.com

SUS WHITEPAPER:
810796 White Paper: Software Update Services Overview White Paper
http://support.microsoft.com/?id=810796

SUS HOME PAGE
http://www.microsoft.com/sus

5. Routinely scan your network clients to ensure they are up to date with
security updates using MBSA

320454 Microsoft Baseline Security Analyzer (MBSA)
http://support.microsoft.com/?id=320454

6. Enable and maintain a strong password policy in your Domain.

225230 Enabling Strong Password Functionality in Windows 2000
http://support.microsoft.com/?id=225230

7. Use Auditing for monitoring unauthorized user access

300958 HOW TO: Monitor for Unauthorized User Access in Windows 2000
http://support.microsoft.com/?id=300958

8. Maintain and use Anti-virus scanning using one or more commercial
anti-virus programs. In addition to the AV you have installed, you should
occasionally run a virus scan using one of the available online AV scanners
as a reality check:

Trend Micro House Call:
http://housecall.trendmicro.com

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

McAfee FreeScan:
http://us.mcafee.com/root/mfs/default.asp

Kaspersky Labs On-line Virus Checker:
http://www.kaspersky.com/remoteviruschk.html

BitDefender Online Scan:
http://www.bitdefender.com/scan/licence.php

Downloadable McAfee AVERT Stinger:
http://vil.nai.com/vil/stinger/

9. Install/Maintain your Firewall:

http://www.vicomsoft.com/knowledge/reference/firewalls1.html

http://firewalls.surferbeware.com/firewalls-basics.htm

http://www.techonline.com/community/related_content/14208


MORE SECURITY GUIDANCE:

308691 Virus Protection and Security Patch Information for Windows
http://support.microsoft.com/?id=308691

The Microsoft Technet Security Resource Center for IT Professionals:
http://www.microsoft.com/technet/security/default.mspx

Microsoft Security Guidance Center for Developers and IT Pros:
http://www.microsoft.com/security/guidance/default.mspx

Microsoft Windows 2000 Security Resource Center:
http://www.microsoft.com/technet/security/prodtech/win2000/default.mspx

Microsoft Windows Server 2003 Security Resource Center:
http://www.microsoft.com/technet/security/prodtech/win2003/default.mspx

Microsoft Solution for Securing Windows 2000 Server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/win2000/secwin2k/default.asp

=========

This posting is provided "AS IS" with no warranties, and confers no rights.

Windows XP Security Homepage:
http://www.microsoft.com/windowsxp/security/default.asp

Windows 2000 Security Homepage:
http://www.microsoft.com/windows2000/security/default.asp

Top 10 Windows Newsgroups Security Questions:
http://www.microsoft.com/technet/newsgroups/default.asp?url=/technet/newsgroups/nodepages/sectop10.asp

=========
Paul Hayes, MCSE
Product Support Services
Microsoft Corporation



--------------------
| From: "Bill Bethea"
| Subject: Downgrade Attack messages
| Date: Wed, 2 Jun 2004 10:56:47 -0700
|
| I'm on a Windows XP Professional work station. Last
| several weeks, my user account keeps getting locked out
| of the network (A Win2K Server running active directory.)
| I can't find any applications which might be trying to
| log in with older account information.
|
| The event log for System events reads:
|
| The Security System detected an attempted downgrade
| attack for server cifs/Stage.eiglobal.net. The failure
| code from authentication protocol Kerberos was "The user
| account has been automatically locked because too many
| invalid logon attempts or password change attempts have
| been requested.
| (0xc0000234)".
|
| How do I resolve this issue?
|
|
|
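
An added example, not part of either post, for the auditing step (recommendation 7): once failure auditing is on, the domain controller's Security log shows which machine the bad logons come from. The script tallies Kerberos pre-authentication failures per source and separates a single machine hammering one locked account from a source failing against many accounts. The CSV layout, the sample rows, the threshold and the labels are assumptions of this example; 675/644 are the Windows 2000/2003 event IDs and 4771/4740 their later equivalents.

```python
import csv
import io
from collections import Counter, defaultdict

# Windows 2000/2003 event IDs with their Vista-and-later equivalents.
PREAUTH_FAILED = {"675", "4771"}  # Kerberos pre-authentication failed
LOCKED_OUT = {"644", "4740"}      # user account locked out

# Constructed sample; the CSV column layout is an assumption of this example.
SAMPLE = """time,event_id,account,source
2004-06-02T09:00:05,675,alice,10.0.0.21
2004-06-02T09:00:35,675,alice,10.0.0.21
2004-06-02T09:01:05,675,alice,10.0.0.21
2004-06-02T09:01:06,644,alice,DC01
2004-06-02T09:02:00,675,bob,10.0.0.77
2004-06-02T09:02:01,675,carol,10.0.0.77
2004-06-02T09:02:02,675,dave,10.0.0.77
"""


def triage(csv_text, guess_threshold=3):
    """Label each source of failed pre-authentication (heuristic labels)."""
    failures = defaultdict(Counter)  # source -> Counter of target accounts
    locked = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] in PREAUTH_FAILED:
            failures[row["source"]][row["account"]] += 1
        elif row["event_id"] in LOCKED_OUT:
            locked.add(row["account"])
    report = {}
    for source, per_account in failures.items():
        if len(per_account) >= guess_threshold:
            # One source failing against many accounts: guessing pattern.
            report[source] = "guessing"
        elif locked & set(per_account):
            # Repeated failures for a locked account from one machine:
            # look there for a stale saved password (drive, service, task).
            report[source] = "stale-credential"
        else:
            report[source] = "other"
    return report


if __name__ == "__main__":
    for source, label in triage(SAMPLE).items():
        print(source, label)
```
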