RE: Green Admin - Brute Force Attack - Pls Help

From: Gabriel Iovino (Iovino_at_discussions.microsoft.com)
Date: 04/23/05

    Date: Sat, 23 Apr 2005 00:03:02 -0700
    
    

    Underfire

    You might want to consider upping your lockout thresholds or abandoning them
    altogether due to your strong password policy.

    Here is a good article about account lockouts:

    Implementing and Troubleshooting Account Lockout
    http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html

    "Underfire Tech" wrote:

    > I am a pretty good desktop tech who has been thrust into server admin. I have
    > 2 domain controllers, one 2003, one NT and support the finance departments of
    > a small University.
    >
    > I have enabled strong passwords on the 2003 server and have set up lockouts
    > on both after 5 incorrect attempts for 5 minutes.
    >
    > Multiple machines on campus, not under my control, have been infected or
    > otherwise compromised and are walking through my userbase attempting logins
    > and locking out the accounts on both machines.
    >
    > I recently disabled anonymous SAM listing apparently to no avail.
    >
    > I am asking for any insight, help, suggestions, or anything I can do other
    > than simply letting these attempts go rampant and disabling lockout.
    >
    > Even though we use DHCP (with quite long leases) I am considering blocking
    > all TCP except from each of my users (approx 70) as this situation as it
    > stands is unacceptable and adding an IP every week or so is much better than
    > the ordeal I endured all day today.
    >
    > Thank you for your help.
    > Underfire Tech
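
An added example, not part of the original thread or written by either poster: a Python sketch that separates sources failing logons across many accounts from a single user's typos, and shows which accounts a 5-attempt threshold would lock compared with a raised one. The record format, addresses, account names, the 3-account cutoff and the 5-minute counting window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (time, source address, account); not real log data.
SAMPLE = """\
2005-04-22 09:00:01 10.1.7.20 asmith
2005-04-22 09:00:02 10.1.7.20 bjones
2005-04-22 09:00:03 10.1.7.20 clee
2005-04-22 09:00:40 10.1.9.44 asmith
2005-04-22 09:00:41 10.1.9.44 bjones
2005-04-22 09:00:42 10.1.9.44 clee
2005-04-22 09:01:10 10.1.7.20 asmith
2005-04-22 09:01:50 10.1.9.44 asmith
2005-04-22 09:02:05 10.1.3.5 dkim
2005-04-22 09:02:30 10.1.7.20 asmith
2005-04-22 09:02:45 10.1.3.5 dkim
"""

def parse(text):
    """Return sorted (timestamp, source, account) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        day, clock, src, account = line.split()
        ts = datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, account.lower()))
    return sorted(events)

def sweeping_sources(events, min_accounts=3):
    """Sources failing against many accounts (cutoff of 3 is an assumption)."""
    seen = defaultdict(set)
    for _, src, account in events:
        seen[src].add(account)
    return {s: sorted(a) for s, a in seen.items() if len(a) >= min_accounts}

def lockouts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts hitting `threshold` failures within `window` (window length assumed)."""
    recent, locked = defaultdict(list), {}
    for ts, src, account in events:
        recent[account] = [(t, s) for t, s in recent[account] if ts - t < window]
        recent[account].append((ts, src))
        if len(recent[account]) >= threshold:
            locked.setdefault(account, sorted({s for _, s in recent[account]}))
    return locked

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("sweeping sources:", sweeping_sources(events))
    print("lockouts at 5:", lockouts(events))
    print("lockouts at 10:", lockouts(events, threshold=10))
```

On the constructed data the two sweeping sources are still reported when the threshold is raised to 10, while no account is locked.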

