RE: Green Admin - Brute Force Attack - Pls Help

From: Manticor (Manticor_at_discussions.microsoft.com)
Date: 04/23/05


Date: Sat, 23 Apr 2005 06:17:19 -0700

I think that the easiest way to stop the brute force is to separate the LAB
from the network using ISA Server as a firewall,
and enable brute force detection after 4 attempts,
so that you can find the computer that makes the attack and clean it;
you also prevent the account lockout.

Regards,
Manticor

"Gabriel Iovino" wrote:

> Underfire
>
> You might want to consider upping your lockout thresholds or abandoning them
> altogether due to your strong password policy.
>
> Here is a good article about account lockouts:
>
> Implementing and Troubleshooting Account Lockout
> http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
>
>
>
> "Underfire Tech" wrote:
>
> > I am a pretty good desktop tech who has been thrust into server admin. I have
> > 2 domain controllers, one 2003, one NT and support the finance departments of
> > a small University.
> >
> > I have enabled strong passwords on the 2003 server and have set up lockouts
> > on both after 5 incorrect attempts for 5 minutes.
> >
> > Multiple machines on campus, not under my control, have been infected or
> > otherwise compromised and are walking through my userbase attempting logins
> > and locking out the accounts on both machines.
> >
> > I recently disabled anonymous SAM listing apparently to no avail.
> >
> > I am asking for any insight, help, suggestions, or anything I can do other
> > than simply letting these attempts go rampant and disabling lockout.
> >
> > Even though we use DHCP (with quite long leases) I am considering blocking
> > all TCP except from each of my users (approx 70) as this situation as it
> > stands is unacceptable and adding an IP every week or so is much better than
> > the ordeal I endured all day today.
> >
> > Thank you for your help.
> > Underfire Tech
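
Counting failed logons per source computer rather than per account, the idea behind the suggestion above to detect after 4 attempts and find the attacking machine, shown as an added example that is not part of the original thread. The record layout, host names, account names and the 5-minute window are assumptions for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source computer, target account) per failed logon.
# Host and account names are hypothetical; this is not real log data.
SAMPLE = [
    ("2005-04-22 09:00:01", "LAB-PC-17", "asmith"),
    ("2005-04-22 09:00:03", "LAB-PC-17", "bjones"),
    ("2005-04-22 09:00:05", "LAB-PC-17", "clee"),
    ("2005-04-22 09:00:07", "LAB-PC-17", "dkim"),
    ("2005-04-22 09:00:09", "LAB-PC-17", "jdoe"),
    ("2005-04-22 09:01:00", "FIN-WS-03", "jdoe"),    # user mistyping twice
    ("2005-04-22 09:01:20", "FIN-WS-03", "jdoe"),
    ("2005-04-22 09:10:00", "FIN-WS-09", "bjones"),  # four failures, 20 minutes apart
    ("2005-04-22 09:30:00", "FIN-WS-09", "bjones"),
    ("2005-04-22 09:50:00", "FIN-WS-09", "bjones"),
    ("2005-04-22 10:10:00", "FIN-WS-09", "bjones"),
]


def flag_sources(events, threshold=4, window=timedelta(minutes=5)):
    """Return {source: sorted accounts it targeted} for every source that
    reaches `threshold` failed logons inside one sliding `window`.

    Counting per source means a machine walking through the user base is
    caught even though each individual account sees only one failure.
    """
    recent = defaultdict(deque)  # source -> failures still inside the window
    flagged = defaultdict(set)   # source -> accounts seen while over threshold
    for stamp, source, account in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        failures = recent[source]
        failures.append((when, account))
        # Drop failures that have aged out of the window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            flagged[source].update(acct for _, acct in failures)
    return {src: sorted(accts) for src, accts in flagged.items()}


if __name__ == "__main__":
    for src, accts in flag_sources(SAMPLE).items():
        print(f"{src}: {len(accts)} accounts targeted -> {', '.join(accts)}")
```
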