RE: Virus is getting domain account listing
From: Samuel Petreski (petreski_at_ksu.edu)
Date: 05/10/04
- Previous message: Levinson, Karl: "RE: Virus is getting domain account listing"
- In reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: David Carlin: "Re: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'David Carlin'" <djc6@cwru.edu>, <focus-ms@securityfocus.com> Date: Mon, 10 May 2004 09:26:07 -0500
I would enable audit logging events in the Domain Security Policy and see
which machines try to password guess your accounts and when. You will have
to go through some logs, but it will be worth since you will see exactly who
is logging and when, and how many failed logins per attempt.
Samuel Petreski CCNA, MCSA
petreski@ksu.edu
-----Original Message-----
From: David Carlin [mailto:djc6@cwru.edu]
Sent: Monday, May 10, 2004 8:11 AM
To: focus-ms@securityfocus.com
Subject: Virus is getting domain account listing
Hello,
I work on a college campus and have been plagued for months by
something that is going through all of the accounts in my domains and
locking the accounts out by failed password attempts. I have two PDCs
for two different domains, running NT 4.0 and clients running XP
scattered around campus in various subnets. I have setup an ACL on my
cisco switch to block traffic to the PDCs except from these subnets,
but it doesn't help because there are machines in those subnets
administered by other people that continue to get "infected".
My question is, how do I stop whatever this is from getting my account
listing in the first place? I have run Microsoft baseline analyzer, it
says I'm all good.. The free Nessus scanner doesn't report any
problems. I have all patches, RestrictAnonymous=1 is in the registry.
I've renamed my admin account, this thing always picks up on it. It
knows which accounts are domain admins and attacks them more
aggressively. I've contacted the owners of the various machines
attacking, they never find any strange software, virus scanners always
come up empty - even when done remotely over the administrative shares.
Any ideas how to protect my user list?
-David
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Levinson, Karl: "RE: Virus is getting domain account listing"
- In reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: David Carlin: "Re: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
