RE: Green Admin - Brute Force Attack - Pls Help
From: Manticor (Manticor_at_discussions.microsoft.com)
Date: Sat, 23 Apr 2005 06:17:19 -0700
I think that the easiest way to stop the brute force is to separate the LAB
from the network using ISA Server as a firewall,
and enable brute force detection after 4 attempts,
so that you can find out the computer that makes the attack and clean it;
you also prevent the account lockout.
"Gabriel Iovino" wrote:
> You might want to consider upping your lockout thresholds or abandoning them
> altogether due to your strong password policy.
> Here is a good article about account lockouts:
> Implementing and Troubleshooting Account Lockout
> "Underfire Tech" wrote:
> > I am a pretty good desktop tech who has been thrust into server admin. I have
> > 2 domain controllers, one 2003, one NT and support the finance departments of
> > a small University.
> > I have enabled strong passwords on the 2003 server and have set up lockouts
> > on both after 5 incorrect attempts for 5 minutes.
> > Multiple machines on campus, not under my control, have been infected or
> > otherwise compromised and are walking through my userbase attempting logins
> > and locking out the accounts on both machines.
> > I recently disabled anonymous SAM listing apparently to no avail.
> > I am asking for any insight, help, suggestions, or anything I can do other
> > than simply letting these attempts go rampant and disabling lockout.
> > Even though we use DHCP (with quite long leases) I am considering blocking
> > all TCP except from each of my users (approx 70) as this situation as it
> > stands is unacceptable and adding an IP every week or so is much better than
> > the ordeal I endured all day today.
> > Thank you for your help.
> > Underfire Tech
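Added example, not part of the thread: one way to pick out the machines that are walking through the userbase from failed-logon records, as distinct from a user mistyping their own password. The record format, host names, account names and thresholds (four distinct accounts within five minutes) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source host, target account (one failed logon each).
SAMPLE = """\
2005-04-22T09:00:01,LAB-PC-17,asmith
2005-04-22T09:00:20,LAB-PC-17,bjones
2005-04-22T09:00:41,LAB-PC-17,clee
2005-04-22T09:01:02,LAB-PC-17,dkim
2005-04-22T09:01:30,LAB-PC-17,epark
2005-04-22T09:10:00,FIN-WS-03,jdoe
2005-04-22T09:10:15,FIN-WS-03,jdoe
2005-04-22T09:10:40,FIN-WS-03,jdoe
2005-04-22T09:11:05,FIN-WS-03,jdoe
2005-04-22T09:11:30,FIN-WS-03,jdoe
2005-04-22T10:00:00,LAB-PC-22,asmith
2005-04-22T10:01:00,LAB-PC-22,bjones
2005-04-22T10:02:00,LAB-PC-22,clee
2005-04-22T10:25:00,LAB-PC-22,dkim
"""

def parse(text):
    """Turn 'timestamp,source,account' lines into (datetime, source, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, account = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), source, account.lower()))
    return events

def find_sweeping_hosts(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source: [accounts]} for sources whose failed logons hit at least
    min_accounts DISTINCT accounts inside any sliding window of the given length.
    Repeated failures against a single account never trigger it."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((ts, account))
    flagged = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {acct for _, acct in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(source, set()).update(accounts)
    return {source: sorted(accts) for source, accts in flagged.items()}
```

Counting distinct accounts per source, rather than failures per account, is what separates the sweeping host (LAB-PC-17 in the sample) from a user retrying one password or a host that touches a few accounts over a long period.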