Educause Security Discussion mailing list archives

Re: Domain Controller Attacks


From: David Taylor <ltr () ISC UPENN EDU>
Date: Fri, 14 Oct 2005 11:51:45 -0400

Are these domain controllers behind a firewall?  

If this is a virus that is going through and is able to enumerate the
accounts of the domain and launch attacks against the user accounts it would
seem that null sessions are enabled on these servers.  Null sessions allow
anonymous enumeration of various server data which includes listing user
accounts.  Disabling null sessions on the servers should fix this problem
for the most part.


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshielders
http://freenode.net/



-----Original Message-----
From: Wayne Bullock [mailto:wayne () FAU EDU] 
Sent: Friday, October 14, 2005 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Domain Controller Attacks


Our Systems group that runs our Microsoft domain controllers is
complaining about automated attacks that systematically attempt to
break into accounts. Their main concern is that accounts become
blocked after 3 attempts. So, this is felt by users as a DoS. The
legitimate users can't authenticate.

Working with Security, they think it's some type of virus that
appears to be going around on students' machines. Is anyone else seeing
this?

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
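The reply above recommends disabling null sessions so that an infected machine cannot enumerate domain accounts before attacking them. The following PowerShell script is an added example, not something posted in this thread or part of any product: it audits the LSA registry values that control anonymous enumeration on a domain controller, and then summarises recent account-lockout events (ID 4740, logged on the PDC emulator) by the computer that caused them, which helps locate the student machines doing the guessing. The "expected" values are the common hardening baseline and are assumptions; adjust them to your own policy, and run the script elevated on the server being checked.

```powershell
# Added audit example (not from the list thread). Checks the null-session
# settings David Taylor refers to and summarises lockouts by source host.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name, the hardened value assumed here, and what each value controls.
$checks = @(
    @{ Name = 'RestrictAnonymous';         Want = 1; Note = 'no anonymous enumeration of shares/domain info' },
    @{ Name = 'RestrictAnonymousSAM';      Want = 1; Note = 'no anonymous enumeration of SAM accounts' },
    @{ Name = 'EveryoneIncludesAnonymous'; Want = 0; Note = 'anonymous logons are not members of Everyone' }
)

Write-Host "== Null-session (anonymous enumeration) settings on $env:COMPUTERNAME =="
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $lsa -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $actual) { $actual = 'not set' }   # missing value means the OS default applies
    $status = if ($actual -eq $c.Want) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-26} actual={2,-8} expected={3}  ({4})' -f $status, $c.Name, $actual, $c.Want, $c.Note
}

# Lockout events (4740) from the last 24 hours, grouped by the caller computer
# named in the event text. A few hosts locking out many accounts is the
# pattern described in the original report.
Write-Host "`n== Account lockouts (event 4740) in the last 24h, by source computer =="
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
          -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        $m = [regex]::Match($_.Message, 'Caller Computer Name:\s*(\S+)')
        [pscustomobject]@{
            Source  = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
            Account = [regex]::Match($_.Message, 'Account Name:\s*(\S+)').Groups[1].Value
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    ForEach-Object {
        '{0,5} lockouts from {1,-20} accounts: {2}' -f $_.Count, $_.Name,
            (($_.Group.Account | Select-Object -Unique) -join ', ')
    }
```

Run it on the PDC emulator so the lockout section sees every 4740 event; the registry section applies to any domain controller. Hosts that appear at the top of the lockout summary are the ones to isolate and clean, which addresses the denial of service without raising the lockout threshold.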