locked
Services exposing account credentials alert RRS feed

  • Question

  • I'm getting a Services exposing account credentials alert and was wondering how I could associate the account to the service?

    Thx

    Tuesday, June 20, 2017 8:01 PM

Answers

  • Hello Jeff,

    ATA can detect the source computer with the IP address or FQDN, but it can't tell you the specific service.

    You have to investigate it by yourself. In my opinion, you can install Network Monitor on the source computer. 

    By using Network Monitor, you can capture the traffic destined to the destination computer, and the associated the process.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by JeffRW Thursday, June 22, 2017 4:54 PM
    Thursday, June 22, 2017 2:01 AM

All replies

  • Hello,

    If a service on a computer is sending multiple account credentials in plain text, ATA generates an alert for services exposing account credentials in plain text authentication.

    It's recommended to update the service configuration to avoid sending account credentials in plain text authentication.


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 21, 2017 9:36 AM
  • Andy,

    How do I determine what service is sending account credentials in plain text for authentication?

    Thx


    Wednesday, June 21, 2017 1:12 PM
  • Hello Jeff,

    ATA can detect the source computer with the IP address or FQDN, but it can't tell you the specific service.

    You have to investigate it by yourself. In my opinion, you can install Network Monitor on the source computer. 

    By using Network Monitor, you can capture the traffic destined to the destination computer, and the associated the process.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by JeffRW Thursday, June 22, 2017 4:54 PM
    Thursday, June 22, 2017 2:01 AM
  • Thx Andy
    Thursday, June 22, 2017 4:54 PM
  • You are welcome!

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 23, 2017 1:35 AM