Educause Security Discussion mailing list archives

Re: Domain Controller Attacks


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Fri, 14 Oct 2005 11:47:22 -0400

Several worms (e.g. Mytob, Spybot, SDbot AKA IRCbot) will attempt to propagate via file shares on the local network by establishing file shares using enumerated accounts (e.g. from the AD) using dictionary and brute force attacks on the account passwords.

This can show up as a lot of account lockouts (or lock downs if you have
automatic account unlock policies after a lockdown period) on your ADs.

The worms often aren't even attacking AD servers directly -- they are
just mapping drives.

However if a privileged account is cracked the worm may breach an AD server next (so don't allow passwords for forest/domain admin accounts -- only smart tokens, and internally block as many ports on the AD/DC in an internal firewall as you can).

Also (regarding AD / DC security) -- because of Tuesday's Patch updates:

1.    WindowsUpdate is not always 100% correct -- it is possible to be missing critical patches even when WindowsUpdate reports a computer as up to date (even against Microsoft's servers as opposed to local SUS/WUS/WSUS servers).

2.    Patches sometimes fail to install/apply.  Particularly there is a reported problem (see SANS ISC today -- isc.sans.org) with the MSDTC/COM+ patch.

For this reason it is a recommended effective practice to also (in addition to WindowsUpdate) regularly run MBSA (Microsoft Baseline Security Analyzer) on your AD servers to find out if they are missing critical patches.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS
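As an added illustration (not part of the original post or the list thread), the lockout pattern Morrow describes can be picked out of an exported security log: one caller machine locking out many distinct accounts within minutes is a worm mapping shares with a dictionary, not a user mistyping. The pipe-separated export format and every host and account name below are constructed for the example; event ID 644 is the Windows 2000/2003 "User Account Locked Out" event.

```python
"""Flag machines that lock out many distinct AD accounts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data): one event per line as
# "timestamp|event_id|target_account|caller_machine". 644 = account locked out;
# the single 528 (successful logon) line shows non-lockout events are ignored.
SAMPLE_LOG = """\
2005-10-14 10:01:05|644|jsmith|LAB-PC-17
2005-10-14 10:01:09|644|mjones|LAB-PC-17
2005-10-14 10:01:14|644|rlee|LAB-PC-17
2005-10-14 10:01:20|644|kpatel|LAB-PC-17
2005-10-14 10:02:02|644|admin2|LAB-PC-17
2005-10-14 10:15:41|644|bwhite|DESKTOP-042
2005-10-14 10:40:00|528|bwhite|DESKTOP-042
2005-10-14 11:30:10|644|jsmith|RES-HALL-3
2005-10-14 11:30:12|644|rlee|RES-HALL-3
2005-10-14 11:30:15|644|tnguyen|RES-HALL-3
"""

def parse_events(text):
    """Yield (time, event_id, account, machine), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, eid, account, machine = parts
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, machine

def lockout_sources(text, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller_machine: sorted accounts} for each machine that locked
    out at least `min_accounts` distinct accounts inside any `window`.
    A real user locks one account; a share-mapping worm locks many."""
    by_machine = defaultdict(list)
    for ts, eid, account, machine in parse_events(text):
        if eid == 644:
            by_machine[machine].append((ts, account))
    flagged = {}
    for machine, events in by_machine.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[machine] = sorted(accounts)
                break
    return flagged

if __name__ == "__main__":
    for machine, accounts in lockout_sources(SAMPLE_LOG).items():
        print(f"{machine}: locked {len(accounts)} accounts {accounts}")
```

The two flagged hosts are the ones to pull off the network and clean; the single lockout from DESKTOP-042 is ordinary user error and is left alone.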



On Oct 14, 2005, at 10:58 AM, Wayne Bullock wrote:
Our Systems group that runs our Microsoft domain controllers is
complaining about automated attacks that systematically attempt to
break into accounts. Their main concern is that accounts become
blocked after 3 attempts. So, this is felt by users as a DoS. The
legitimate users can't authenticate.

Working with Security, they think it's some type of virus that
appears to be going around on students' machines. Is anyone else
seeing this?

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
