Re: Green Admin - Brute Force Attack - Pls Help

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/23/05


Date: Sat, 23 Apr 2005 14:03:02 -0500

You are in a more difficult situation than most in that you can not trust
what should be part of the trusted network, which makes it harder to "hide"
things like users/groups/shares. Those computers that are already attacking
have a list of your user accounts and you probably can not do much about
that until they are fixed. Of course you can try to block their access.
Disabling SAM will help to prevent new attacks on those accounts. I don't
know if you can effectively disable anonymous enumeration of SAM on a NT4.0
server anyhow. There are tools such as Superscan 4.0 or dumpsec [something
you will find useful and is free] that can bypass some methods of trying to
block anonymous access.

http://www.somarsoft.com/somarsoft_main.htm --- dumpsec.

Account lockouts are a double-edged sword. I don't think it will cause
network/server performance to decrease if you disable it, and as long as your
users are using complex passwords the chance of them being guessed is slim.
If you keep it enabled, then legitimate users may have their accounts locked
out and denied access to the domain. In my opinion, for your particular
situation, I would leave it enabled as you have it configured as long as
legitimate users are not being denied access.

From what you describe, in that you are limited in what you can do, I would
think IPsec would be your best bet. IPsec configuration is very similar [if
not the same] for XP Pro and Windows 2003. The Windows 2003 Deployment Kit
has a great chapter on IPsec, though most of it is geared toward using ESP/AH
for encryption of data and the use of computer authentication for a SA
[security association]. The Windows 2003 Security Guide also goes into some
specifics on how to use IPsec "filtering" policy to protect computers. In
addition to using Group Policy to manage IPsec, you can also export a policy
you create and then import it into other computers. The last link is to the
free Antivirus in Depth Guide which I consider a must read for anyone that
is managing a network - particularly one in a hostile environment. --- Steve

http://www.microsoft.com/downloads/details.aspx?familyid=D91065EE-E618-4810-A036-DE633F79872E&displaylang=en --- chapter six is on deploying IPsec.
http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en --- Windows 2003 Server Security Guide.
http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en --- Antivirus in Depth Security Guide

"Underfire Tech" <Underfire Tech@discussions.microsoft.com> wrote in message
news:9DAD3674-1E4F-4217-8481-D587E819A5A3@microsoft.com...
> Thank you for your response, and all below.. they are **greatly**
> appreciated.
>
> After some research I have come to basically the same IPSec solution as you
> have listed below. I have more "intense OJT" to hit before I proceed.. but
> this seems the most viable solution at the moment as I have no control or
> authority over the other computers, networking, etc, of the offending
> machines. Also, migration from the NT server to a 2003 has been put on the
> top of the immediate todo list.
>
> A couple more questions about this situation...
>
> Is there no way besides disabling anonymous SAM listing to deny people
> outside the domain from listing the users in the first place and giving
> them 1/2 of the authentication?
>
> Also, from a network/performance standpoint, wouldn't disabling lockouts
> create a potential for them to hammer the server with logins and eat up
> processor and networking resources?
>
> I found this link below
> http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm
>
> Which shows some good walk-throughs to get to the IPSec settings and have
> tried them out on my home XP Pro machine... I'm assuming they are relatively
> the same with the 2k3 server and will allow me to implement them on local
> server similarly.
>
> I've decided to try watching the logs and banning the offending IPs first
> instead of doing an "allow only" for all my users and see how that goes.
>
> Thank you all very much for your input, it has been extremely helpful in
> this stressful time.
>
> Underfire
>
>
>
> "Steven L Umbach" wrote:
>
>> If possible see if you can identify who is responsible for the maintenance
>> of the problem computers so that they can be looked at or otherwise
>> repaired. You can print out your security logs with the failed logon
>> attempts as backup for your case. Unfortunate that you are limited in what
>> you can do since you also have a NT4.0 domain controller. Beyond trying to
>> assist in identifying the problem computers to those that can repair them,
>> your best bet is to try and filter out their IP addresses from your
>> computers either at a firewall, router, or using ipsec policy, or filtering
>> their MAC addresses if you have access to a managed switch that can do such
>> for your network.
>>
>> Only Windows 2000/2003/XP Pro computers are ipsec capable. Ipsec is a
>> somewhat advanced topic, particularly when it is used to encrypt network
>> traffic and require computer authentication for access to another ipsec
>> enabled computer, but it is fairly easy to configure an ipsec policy that
>> uses rules with permit and block filter actions to restrict traffic to act
>> as a basic packet filtering firewall. Ipsec also has a tremendous advantage
>> in that it can be managed via Group Policy for consistent and easy
>> application to a group of computers. If you decide to try and use ipsec
>> "negotiation" policy that would use ESP/AH, be sure to test it out thoroughly
>> ahead of time and understand that domain controllers must be exempt from
>> ipsec ESP/AH traffic from domain members since domain controllers are used
>> for kerberos authentication.
>>
>> http://www.securityfocus.com/infocus/1559 --- ipsec filtering info.
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
>>
>> "Underfire Tech" <Underfire Tech@discussions.microsoft.com> wrote in
>> message
>> news:4E2642D6-7048-445B-8EFA-B0ECCE6A3EB4@microsoft.com...
>> > I am a pretty good desktop tech who has been thrust into server admin. I
>> > have 2 domain controllers, one 2003, one NT, and support the finance
>> > departments of a small University.
>> >
>> > I have enabled strong passwords on the 2003 server and have setup lockouts
>> > on both after 5 incorrect attempts for 5 minutes.
>> >
>> > Multiple machines on campus, not under my control, have been infected or
>> > otherwise compromised and are walking through my userbase attempting
>> > logins and locking out the accounts on both machines.
>> >
>> > I recently disabled anonymous SAM listing apparently to no avail.
>> >
>> > I am asking for any insight, help, suggestions, or anything I can do other
>> > than simply letting these attempts go rampant and disabling lockout.
>> >
>> > Even though we use DHCP (with quite long leases) I am considering blocking
>> > all TCP except from each of my users (approx 70) as this situation as it
>> > stands is unacceptable and adding an IP every week or so is much better
>> > than the ordeal I endured all day today.
>> >
>> > Thank you for your help.
>> > Underfire Tech
>>
>>
>>
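As an added illustration of the "watch the logs and ban the offending IPs" approach discussed in this thread (example code, not from any poster): parse security-log failure audits, flag source addresses that fail against several different accounts (the signature of a host walking the user list, as opposed to one user mistyping a password), and emit netsh lines that add those addresses to an IPsec filter list for a Block filter action. The sample log lines, host names, users and addresses are constructed; the netsh ipsec static syntax is assumed from Windows XP/2003 and should be checked against netsh help before use.

```python
import re
from collections import defaultdict

# Constructed sample: Windows 2003 security-log failure audits (event 529 =
# bad user name or password, 539 = account locked out) flattened to one
# "EventID,Description" line each, as after a CSV export from Event Viewer.
SAMPLE_LOG = """\
529,Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: FINANCE Workstation Name: LAB-PC17 Source Network Address: 10.20.5.17
529,Logon Failure: Reason: Unknown user name or bad password User Name: mjones Domain: FINANCE Workstation Name: LAB-PC17 Source Network Address: 10.20.5.17
529,Logon Failure: Reason: Unknown user name or bad password User Name: rlee Domain: FINANCE Workstation Name: LAB-PC17 Source Network Address: 10.20.5.17
529,Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: FINANCE Workstation Name: LAB-PC22 Source Network Address: 10.20.5.22
539,Logon Failure: Reason: Account locked out User Name: mjones Domain: FINANCE Workstation Name: LAB-PC22 Source Network Address: 10.20.5.22
529,Logon Failure: Reason: Unknown user name or bad password User Name: rlee Domain: FINANCE Workstation Name: FIN-WS03 Source Network Address: 10.20.1.3
"""

ENTRY_RE = re.compile(
    r"^(?P<event>529|539),.*?User Name: (?P<user>\S+) .*?"
    r"Workstation Name: (?P<host>\S+) Source Network Address: (?P<ip>[\d.]+)$"
)

def parse_failures(text):
    """Return (event, user, host, ip) tuples for every failure-audit line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((m["event"], m["user"], m["host"], m["ip"]))
    return out

def accounts_by_source(entries):
    """Map each source address to the set of accounts it failed against."""
    seen = defaultdict(set)
    for _event, user, _host, ip in entries:
        seen[ip].add(user)
    return seen

def offenders(entries, min_accounts=2):
    """A source failing against several distinct accounts is walking the user
    list; a single account failing is more likely a typo.  Sorted addresses."""
    return sorted(ip for ip, users in accounts_by_source(entries).items()
                  if len(users) >= min_accounts)

def netsh_block_filters(ips, filterlist="Block Offenders"):
    """Emit 'netsh ipsec static add filter' lines (assumed XP/2003 syntax;
    verify with 'netsh ipsec static add filter ?') that put each offender in
    a filter list which a rule then binds to a Block filter action."""
    return [f'netsh ipsec static add filter filterlist="{filterlist}" '
            f"srcaddr={ip} dstaddr=me protocol=any"
            for ip in ips]
```

The filter list still has to be attached to a rule with a Block filter action and the policy assigned (or pushed via Group Policy, as Steve notes) before anything is actually dropped.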