Re: Green Admin - Brute Force Attack - Pls Help

From: Underfire Tech (Tech_at_discussions.microsoft.com)
Date: 04/23/05


Date: Sat, 23 Apr 2005 10:48:01 -0700

Thank you for your response, and all below.. they are **greatly** appreciated.

After some research I have come to basically the same IPSec solution as you
have listed below. I have more "intense OJT" to hit before I proceed.. but
this seems the most viable solution at the moment as I have no control or
authority over the other computers, networking, etc, of the offending
machines. Also, migration from the NT server to a 2003 has been put on the top
of the immediate to-do list.

A couple more questions about this situation...

Is there no way besides disabling anonymous SAM listing to deny people
outside the domain from listing the users in the first place and giving them
1/2 of the authentication?

Also, from a network/performance standpoint, wouldn't disabling lockouts
create a potential for them to hammer the server with logins and eat up
processor and networking resources?

I found this link below
http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

Which shows some good walk-throughs to get to the IPSec settings and have
tried them out on my home XP Pro machine... I'm assuming they are relatively
the same with the 2k3 server and will allow me to implement them on local
server similarly.

I've decided to try watching the logs and banning the offending IPs first
instead of doing an "allow only" for all my users and see how that goes.

Thank you all very much for your input, it has been extremely helpful in
this stressful time.

Underfire

"Steven L Umbach" wrote:

> If possible see if you can identify who is responsible for the maintenance
> of the problem computers so that they can be looked at or otherwise
> repaired. You can print out your security logs with the failed logon
> attempts as backup for your case. Unfortunate that you are limited in what
> you can do since you also have a NT4.0 domain controller. Beyond trying to
> assist in identifying the problem computers to those that can repair them
> your best bet is to try and filter out their IP addresses from your
> computers either at a firewall, router, or using ipsec policy or filtering
> their mac addresses if you have access to a managed switch that can do such
> for your network.
>
> Only Windows 2000/2003/XP Pro computers are ipsec capable. Ipsec is a
> somewhat advanced topic particularly when it is used to encrypt network
> traffic and require computer authentication for access to another ipsec
> enabled computer but it is fairly easy to configure an ipsec policy that
> uses rules with permit and block filter actions to restrict traffic to act
> as a basic packet filtering firewall. Ipsec also has a tremendous advantage
> in that it can be managed via Group Policy for consistent and easy
> application to a group of computers. If you decide to try and use ipsec
> "negotiation" policy that would use ESP/AH be sure to test out thoroughly
> ahead of time and understand that domain controllers must be exempt from
> ipsec ESP/AH traffic from domain members since domain controllers are used
> for kerberos authentication.
>
> http://www.securityfocus.com/infocus/1559 --- ipsec filtering info.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
>
> "Underfire Tech" <Underfire Tech@discussions.microsoft.com> wrote in message
> news:4E2642D6-7048-445B-8EFA-B0ECCE6A3EB4@microsoft.com...
> > I am a pretty good desktop tech who has been thrust into server admin. I
> > have 2 domain controllers, one 2003, one NT and support the finance
> > departments of a small University.
> >
> > I have enabled strong passwords on the 2003 server and have setup lockouts
> > on both after 5 incorrect attempts for 5 minutes.
> >
> > Multiple machines on campus, not under my control, have been infected or
> > otherwise compromised and are walking through my userbase attempting
> > logins and locking out the accounts on both machines.
> >
> > I recently disabled anonymous SAM listing apparently to no avail.
> >
> > I am asking for any insight, help, suggestions, or anything I can do other
> > than simply letting these attempts go rampant and disabling lockout.
> >
> > Even though we use DHCP (with quite long leases) I am considering blocking
> > all TCP except from each of my users (approx 70) as this situation as it
> > stands is unacceptable and adding an IP every week or so is much better
> > than the ordeal I endured all day today.
> >
> > Thank you for your help.
> > Underfire Tech
>
>
>
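The "watch the logs and ban the offending IPs" approach from the reply above, as an added example that is not from anyone in this thread: a small Python script that counts failed logons per source IP in a sliding window sized to the posters' 5-attempts-in-5-minutes lockout policy, and reports which sources crossed it and how many different accounts each one tried (a host walking the user list shows up as one IP against many accounts). The record format and all of the sample lines are constructed for the example, not a Windows event-log export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (not an export from the
# poster's servers): time, account tried, source host and IP, in time order.
SAMPLE_LOG = """\
2005-04-23 09:00:01 FAILURE user=asmith src=LAB-PC17 ip=10.20.5.17
2005-04-23 09:00:03 FAILURE user=bjones src=LAB-PC17 ip=10.20.5.17
2005-04-23 09:00:04 FAILURE user=cwu src=LAB-PC17 ip=10.20.5.17
2005-04-23 09:00:06 FAILURE user=ddoe src=LAB-PC17 ip=10.20.5.17
2005-04-23 09:00:09 FAILURE user=elee src=LAB-PC17 ip=10.20.5.17
2005-04-23 09:02:10 FAILURE user=asmith src=FIN-DESK3 ip=10.20.9.3
2005-04-23 09:02:31 FAILURE user=asmith src=FIN-DESK3 ip=10.20.9.3
2005-04-23 09:05:00 FAILURE user=gray src=DORM-44 ip=10.20.7.44
2005-04-23 09:09:00 FAILURE user=hill src=DORM-44 ip=10.20.7.44
2005-04-23 09:13:00 FAILURE user=ivan src=DORM-44 ip=10.20.7.44
2005-04-23 09:17:00 FAILURE user=jung src=DORM-44 ip=10.20.7.44
2005-04-23 09:21:00 FAILURE user=kim src=DORM-44 ip=10.20.7.44
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) FAILURE "
                     r"user=(?P<user>\S+) src=(?P<host>\S+) ip=(?P<ip>\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, host, ip) for each well-formed record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["host"], m["ip"])

def offending_sources(text, threshold=5, window_minutes=5):
    """Return {ip: {"host", "peak", "users"}} for every source IP that hit
    >= threshold failures inside one sliding window of window_minutes.
    Many distinct users from a single IP is the list-walking pattern."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    peak, users, host_of = defaultdict(int), defaultdict(set), {}
    for ts, user, host, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        users[ip].add(user)
        host_of[ip] = host
    return {ip: {"host": host_of[ip], "peak": peak[ip], "users": sorted(users[ip])}
            for ip in peak if peak[ip] >= threshold}
```

With the sample data only LAB-PC17 trips the 5-in-5-minutes rule; DORM-44 makes the same number of attempts spread one every four minutes and is only caught by widening the window, which is the kind of slow walk a fixed lockout threshold never sees.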