Educause Security Discussion mailing list archives
Re: Domain Controller Attacks
From: "Bowden, Zeb" <zbowden () VT EDU>
Date: Fri, 14 Oct 2005 14:43:54 -0400
Not sure if this is helpful or not but if you're having trouble with people enumerating your domain user accounts (thus allowing them to lock them quickly and easily):

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261 (for Windows 2000)
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/f7151ee4-e4cf-460e-b641-0329af1838ad.mspx (for Windows 2003)

Of course this setting can break quite a few legacy apps (or even break trusts with NT4) so you'll have to be careful with it...

Zeb Bowden
VT.SETI.IAD.MIG:Systems Architect
http://vtmig.w2k.vt.edu
zbowden () vt edu

-----Original Message-----
From: Wayne Bullock [mailto:wayne () FAU EDU]
Sent: Friday, October 14, 2005 2:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Domain Controller Attacks

Thank you for your response and confirming that this is a virus. So far, we have been playing "whack a mole" on this. I'm just wondering if there isn't something better.

We have been trying the Cisco IDSM-2 and trying to identify the attack that way. So far it hasn't registered. We are working with Cisco on this. I'm trying to catch this thing in a bottle and maybe develop some type of signature we can feed into an IPS. Does anybody already have such a signature?

Thank you for all your help,
--Wayne

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University

-----Original Message-----
From: Hoffman, Michael [mailto:mhoffman () SBU EDU]
Sent: Friday, October 14, 2005 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Domain Controller Attacks

We have seen this in the past, and it has always been a virus. We used netmon on our domain controllers to determine the IP addresses of the requests, and then cleaned the infected machines.

Michael S. Hoffman
Executive Director for Information Technology
St. Bonaventure University
mhoffman () sbu edu
716-375-2530
http://www.sbu.edu

-----Original Message-----
From: Wayne Bullock [mailto:wayne () FAU EDU]
Sent: Friday, October 14, 2005 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Domain Controller Attacks

Our Systems group that runs our Microsoft domain controllers are complaining about automated attacks that systematically attempt to break into accounts. Their main concern is that accounts become blocked after 3 attempts. So, this is felt by users as a DoS. The legitimate users can't authenticate. Working with Security, they believe it's some type of virus that appears to be going around on students' machines.

Is anyone else seeing this?

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
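
Added example (not part of the original thread or any poster's code): one way to triage the situation discussed above, separating a host that pushes several accounts to the 3-attempt lockout from a user mistyping one password. The record format, the 5-minute window and the MIN_ACCOUNTS cutoff are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3          # from the thread: accounts block after 3 attempts
WINDOW = timedelta(minutes=5)  # assumed observation window
MIN_ACCOUNTS = 3               # assumed: accounts locked before a host is suspect

# Constructed sample of failed authentication attempts seen at a domain controller.
SAMPLE = """time,source_ip,account
2005-10-14T10:00:01,10.1.5.23,asmith
2005-10-14T10:00:02,10.1.5.23,asmith
2005-10-14T10:00:03,10.1.5.23,asmith
2005-10-14T10:00:04,10.1.5.23,bjones
2005-10-14T10:00:05,10.1.5.23,bjones
2005-10-14T10:00:06,10.1.5.23,bjones
2005-10-14T10:00:07,10.1.5.23,clee
2005-10-14T10:00:08,10.1.5.23,clee
2005-10-14T10:00:09,10.1.5.23,clee
2005-10-14T10:02:00,10.1.9.40,jdoe
2005-10-14T10:02:20,10.1.9.40,jdoe
2005-10-14T10:02:45,10.1.9.40,jdoe
"""

def suspect_hosts(text):
    """Map each suspect source IP to the accounts it drove to the lockout threshold."""
    attempts = defaultdict(list)  # (ip, account) -> timestamps of failures
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["time"])
        attempts[(row["source_ip"], row["account"].lower())].append(ts)

    locked = defaultdict(set)     # ip -> accounts it could have locked
    for (ip, account), times in attempts.items():
        times.sort()
        # Any LOCKOUT_THRESHOLD consecutive failures inside WINDOW count as a lockout.
        for i in range(len(times) - LOCKOUT_THRESHOLD + 1):
            if times[i + LOCKOUT_THRESHOLD - 1] - times[i] <= WINDOW:
                locked[ip].add(account)
                break

    # One locked account is usually a forgotten password; many from one host is not.
    return {ip: sorted(a) for ip, a in locked.items() if len(a) >= MIN_ACCOUNTS}

if __name__ == "__main__":
    for ip, accounts in suspect_hosts(SAMPLE).items():
        print(ip, "locked", ", ".join(accounts))
```
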