From: Chris Robinson 

Yeh, I'll add some of these things I think - thanks.  Surely though, a virus that
propogated via network shares would go to a PC even if the Guest account
was dissabled.  If the PC that sends it the virus is logged onto our
network then that PC has full access to this share - so it would write to
it... wouldn't it?

Chris.

John Beckett wrote:

> Chris Robinson  wrote in message
> news::
> >  I just wanted to set something up with an open share so I know if anything
> > like this happens again.
>
> Yes, but on NT4, if you don't enable Guest with a blank password, then if
> there is a network-share-probing virus, your honeypot will probably NOT
> detect it. These kinds of viruses are pretty primitive so far. They are
> looking for shares that can be written by an anonymous (Guest) user, or by
> Administrator with one of a limited number of guessed passwords (e.g.
> "admin" or "password").
>
> Probably a more scientific approach would be to run Snort (which detects
> any suspicious network activity), or enable auditing on your NT machine.
> Log failed logon attempts and failed write attempts to the shared folder.
>
> Attempts to access the share with an unknown user or incorrect password
> would appear in the Security log of Event Viewer.
>
> John

--- BBBS/NT v4.01 Flag-4