Re: Green Admin - Brute Force Attack - Pls Help

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/23/05


Date: Sat, 23 Apr 2005 01:52:27 -0500

If possible see if you can identify who is responsible for the maintenance
of the problem computers so that they can be looked at or otherwise
repaired. You can print out your security logs with the failed logon
attempts as backup for your case. Unfortunate that you are limited in what
you can do since you also have an NT4.0 domain controller. Beyond trying to
assist in identifying the problem computers to those that can repair them
your best bet is to try and filter out their IP addresses from your
computers either at a firewall, router, or using IPsec policy or filtering
their MAC addresses if you have access to a managed switch that can do such
for your network.

Only Windows 2000/2003/XP Pro computers are IPsec capable. IPsec is a
somewhat advanced topic particularly when it is used to encrypt network
traffic and require computer authentication for access to another IPsec
enabled computer but it is fairly easy to configure an IPsec policy that
uses rules with permit and block filter actions to restrict traffic to act
as a basic packet filtering firewall. IPsec also has a tremendous advantage
in that it can be managed via Group Policy for consistent and easy
application to a group of computers. If you decide to try and use an IPsec
"negotiation" policy that would use ESP/AH be sure to test it out thoroughly
ahead of time and understand that domain controllers must be exempt from
IPsec ESP/AH traffic from domain members since domain controllers are used
for Kerberos authentication.

http://www.securityfocus.com/infocus/1559 --- ipsec filtering info.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

"Underfire Tech" <Underfire Tech@discussions.microsoft.com> wrote in message
news:4E2642D6-7048-445B-8EFA-B0ECCE6A3EB4@microsoft.com...
> I am a pretty good desktop tech who has been thrust into server admin. I have
> 2 domain controllers, one 2003, one NT and support the finance departments of
> a small University.
>
> I have enabled strong passwords on the 2003 server and have setup lockouts
> on both after 5 incorrect attempts for 5 minutes.
>
> Multiple machines on campus, not under my control, have been infected or
> otherwise compromised and are walking through my userbase attempting logins
> and locking out the accounts on both machines.
>
> I recently disabled anonymous SAM listing apparently to no avail.
>
> I am asking for any insight, help, suggestions, or anything I can do other
> than simply letting these attempts go rampant and disabling lockout.
>
> Even though we use DHCP (with quite long leases) I am considering blocking
> all TCP except from each of my users (approx 70) as this situation as it
> stands is unacceptable and adding an IP every week or so is much better than
> the ordeal I endured all day today.
>
> Thank you for your help.
> Underfire Tech
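
Added example, not part of the original thread: one way to turn the failed-logon entries in a security log into a short list of source addresses to hand to whoever maintains the problem computers, or to put behind a block filter. The CSV layout (time, event ID, account, source IP), the three-account threshold and all addresses are constructed assumptions; event 529 is the Windows 2000/2003 failed-logon event for an unknown user name or bad password.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export (not from the thread): time, event ID, account, source IP.
SAMPLE_LOG = """\
2005-04-22 09:01:10,529,asmith,192.0.2.45
2005-04-22 09:01:11,529,bjones,192.0.2.45
2005-04-22 09:01:12,529,cwong,192.0.2.45
2005-04-22 09:01:13,529,dlee,192.0.2.45
2005-04-22 09:03:40,529,asmith,198.51.100.7
2005-04-22 09:03:55,529,asmith,198.51.100.7
2005-04-22 09:04:02,528,asmith,198.51.100.7
2005-04-22 09:10:00,529,bjones,203.0.113.9
2005-04-22 09:10:01,529,cwong,203.0.113.9
2005-04-22 09:10:02,529,emartin,203.0.113.9
"""

FAILED_LOGON = "529"  # logon failure: unknown user name or bad password


def suspect_sources(log_text, min_accounts=3):
    """Return {source_ip: (failure_count, sorted_accounts)} for sources whose
    failed logons span at least min_accounts distinct accounts.

    One user mistyping a password hits a single account; a machine walking
    the user base hits many, so distinct accounts is the signal used here.
    """
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _time, event_id, account, source = (field.strip() for field in row)
        if event_id != FAILED_LOGON:
            continue  # ignore successful logons and other events
        failures[source] += 1
        accounts[source].add(account.lower())
    return {
        ip: (failures[ip], sorted(accounts[ip]))
        for ip in failures
        if len(accounts[ip]) >= min_accounts
    }


if __name__ == "__main__":
    for ip, (count, names) in sorted(suspect_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {count} failures across {len(names)} accounts: {', '.join(names)}")
```

Because the network in the thread uses DHCP, a list built this way reflects the addresses at the time of the log and needs re-running as leases change.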


