Re: Green Admin - Brute Force Attack - Pls Help
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Sat, 23 Apr 2005 01:52:27 -0500
If possible, see if you can identify who is responsible for the maintenance
of the problem computers so that they can be looked at or otherwise
repaired. You can print out your security logs with the failed logon
attempts as backup for your case. It is unfortunate that you are limited in what
you can do since you also have an NT 4.0 domain controller. Beyond trying to
assist in identifying the problem computers to those that can repair them,
your best bet is to try and filter out their IP addresses from your
computers, either at a firewall or router, by using IPsec policy, or by filtering
their MAC addresses if you have access to a managed switch that can do that
for your network.
Only Windows 2000/2003/XP Pro computers are IPsec capable. IPsec is a
somewhat advanced topic, particularly when it is used to encrypt network
traffic and require computer authentication for access to another IPsec
enabled computer, but it is fairly easy to configure an IPsec policy that
uses rules with permit and block filter actions to restrict traffic so that it acts
as a basic packet filtering firewall. IPsec also has a tremendous advantage
in that it can be managed via Group Policy for consistent and easy
application to a group of computers. If you decide to try and use an IPsec
"negotiation" policy that would use ESP/AH, be sure to test it out thoroughly
ahead of time, and understand that domain controllers must be exempt from
IPsec ESP/AH traffic from domain members, since domain controllers are used
for Kerberos authentication.
http://www.securityfocus.com/infocus/1559 --- IPsec filtering info.
"Underfire Tech" <Underfire Tech@discussions.microsoft.com> wrote in message
> I am a pretty good desktop tech who has been thrust into server admin. I have
> 2 domain controllers, one 2003, one NT, and support the finance departments of
> a small University.
> I have enabled strong passwords on the 2003 server and have set up lockouts
> on both after 5 incorrect attempts for 5 minutes.
> Multiple machines on campus, not under my control, have been infected or
> otherwise compromised and are walking through my user base attempting
> and locking out the accounts on both machines.
> I recently disabled anonymous SAM listing, apparently to no avail.
> I am asking for any insight, help, suggestions, or anything I can do other
> than simply letting these attempts go rampant and disabling lockout.
> Even though we use DHCP (with quite long leases), I am considering blocking
> all TCP except from each of my users (approx 70), as this situation as it
> stands is unacceptable, and adding an IP every week or so is much better than
> the ordeal I endured all day today.
> Thank you for your help.
> Underfire Tech
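As an added example (not part of this thread), the block-only IPsec policy described in the reply, built with the netsh ipsec static context that ships with Windows XP and Server 2003; the policy name, filter names and the two source addresses are placeholders for the offending campus hosts identified from the failed-logon events.

```batch
@echo off
rem Constructed example: a local IPsec policy that drops all traffic from specific
rem source hosts using a plain block filter action (no ESP/AH negotiation, so the
rem domain controller exemption for negotiated traffic does not apply here).
rem Requires Windows XP / Server 2003; Windows 2000 uses ipsecpol.exe from the
rem Resource Kit instead of the netsh ipsec context.

set POLICY=BlockBruteForcers
set FLIST=CompromisedHosts

rem Create the policy unassigned so nothing takes effect until the rule is in place.
netsh ipsec static add policy name=%POLICY% description="Drop traffic from compromised campus hosts" assign=no

rem One filter list holding the offending source addresses (placeholders below).
rem dstaddr=Me keeps the filter local to whichever machine the policy lands on,
rem and mirrored=yes also matches our replies back to those hosts.
netsh ipsec static add filterlist name=%FLIST% description="Hosts walking the account list"
netsh ipsec static add filter filterlist=%FLIST% srcaddr=192.0.2.10 dstaddr=Me protocol=ANY mirrored=yes description="placeholder host 1"
netsh ipsec static add filter filterlist=%FLIST% srcaddr=192.0.2.11 dstaddr=Me protocol=ANY mirrored=yes description="placeholder host 2"

rem A block filter action, as opposed to permit or negotiate.
netsh ipsec static add filteraction name=BlockAction action=block

rem Tie list and action together in a rule on the policy, then assign the policy.
netsh ipsec static add rule name=BlockCompromised policy=%POLICY% filterlist=%FLIST% filteraction=BlockAction description="Plain block, no negotiation"
netsh ipsec static set policy name=%POLICY% assign=yes

rem Confirm the active rule and filters.
netsh ipsec static show policy name=%POLICY% level=verbose
```

To push the same policy to a group of machines through Group Policy, export it with `netsh ipsec static exportpolicy file=block.ipsec` and import that file under Computer Configuration > Windows Settings > Security Settings > IP Security Policies in the GPO editor; adding a newly identified host later is one more `add filter` line on the same filter list.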