Posted by Paul Weterings on March 17, 2008, 9:30 am
The auditing settings I described log -an IP address- in the event log
of your PDC DC controller, which I think is what you are looking for.
Are you really sure you've got your auditing set up correctly using
group policy?
Once you have the IP address, we're ready for the next step... getting
even ;-)
b.t.w. There is no 'lock' packet, the only way to lock an account is to
attempt to login with the wrong credentials a number of times.
With regard to WireShark: you could filter out Kerberos and/or NTLM, as
these take care of authentication. The rest can be left out.
cheers,
Paul
just bob wrote:
> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off
> as you describe. Also I'm pretty sure I have my logging setup OK as I am
> using a program to copy the logs from the OM to another machine and also it
> sends me an email when it sees a string which indicates an account is locked
> which is forwarded to my Blackberry. So I got the logging but... the problem
> is the guy is making up random names for the machine and it does not show me
> an IP address.
>
> I used wireshark and am capturing all traffic to the ops master. But I do
> not see any unknown IP addresses and I don't know wireshark well enough to
> know how to look for the packets causing the attack to determine if it *is*
> coming from one of my machines.
>
> Thanks again for your help.
>
>
>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>>
>> However, reading the below I'm getting a better impression of what is
>> happening. Microsoft IS giving you the correct information to find the
>> person doing this, depending on how you have things running.
>>
>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,
>> but your mail sounds like you're at the end of your rope, and I just want to
>> make sure we've covered all the bases, including the obvious ones.
>>
>> From what you're writing this sounds like a brute-force password guessing
>> tool that is being used against your administrative accounts. To start
>> there's a few things you can do with group policies to at least make sure
>> you don't get into trouble, while making things harder for the 'hacker'.
>>
>> The following steps are just to 'temporarily protect yourself' while
>> investigating further, to make sure your accounts aren't getting locked
>> out. Again: I'm not trying to sound demeaning, just covering the
>> bases/basics, so I'll go through every step, even though this may be
>> peanuts for you.
>>
>> Chapter one: protection.
>>
>> In Group Policy Management, make sure to edit the Default Domain
>> Policy and go to the Windows Settings\Security Settings\Account Lockout
>> Policy.
>>
>> Define the Account lockout duration to be not defined
>> Account lockout threshold: 0 invalid logon attempts
>> Reset account lockout counter after: not defined
>>
>> Now your accounts will no longer be locked out. Be careful, as this also
>> allows the hacker to run his tools now unlimitedly against the accounts.
>> (the lockout slowed him down considerably). I'm only proposing this as you
>> point out that you fear losing your administrative accounts, but put this
>> lockout threshold back in place a.s.a.p. if you decide to go this route in
>> the first place.
>>
>>
>> Chapter two: identifying the hacker
>>
>> This we can do by making sure Audit account logon events are being audited
>> correctly. To do this, we again are using Group Policy Management and
>> we'll define the Default Domain Controllers Policy. In that policy, go to
>> Windows Settings\Security Settings\Local Policies\Audit Policy and make
>> sure to change 'Audit account logon events'. See to it that Success as
>> well as Failure (especially that one) are being logged.
>>
>> To ensure your Domain controllers have the policy applied as quickly as
>> possible you might consider running 'GPUpdate /force' from the command
>> prompt on your DCs. Otherwise allow some time to pass.
>>
>> Now each logon event will get logged in the eventlog, with the IP address
>> of the person attempting to logon. The problem is that a user can logon
>> using any domain controller, however; each failed logon on any DC gets
>> 'double checked' by that DC by sending it to the domain's PDC emulator (one
>> of the FSMO roles as you may recall) so it makes most sense to check the
>> eventlogs of the PDC emulator Domain Controller. You can easily find out
>> who the PDC emulator is by opening Active Directory Users and Computers,
>> right-clicking your domain name, and selecting 'operations masters'.
>>
>> The event-ID you are looking for is event: 575, Source: Security,
>> Category: Account Logon.
>>
>> In the Description field you can see the user name of the account being
>> attempted, but more importantly: the IP number of the system from where
>> the attempt is being done.
>>
>>
>> I hope this helps you, sorry for wasting your time if you had already done
>> the above.
>>
>> regards,
>>
>> Paul
>>
>>
>>
>>
>> just bob wrote:
>>> Microsoft wizards please help me as I am desperate. Someone continues to
>>> lock all my admin accounts. My firewall is working properly (allowing
>>> only port 53) so I think the guy is using one of the 120 PC's or another
>>> server on my network to read my user database and identify the admin
>>> accounts and send a command to lock them. We've got the latest Symantec
>>> antivirus corporate edition installed and updated on all the machines and
>>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>>> do this? I have downloaded all the high priority updates for all
>>> machines, servers and PC's. We've also used the server lockdown tool. Why
>>> doesn't this help? Most importantly, why does Microsoft not give me more
>>> detailed info on which machine this guy is using? The event log just has
>>> a random spoof machine name. Last time he did this he spoofed the machine
>>> name field to say "sorry". I got lucky there was one admin account he
>>> missed and I was able to unlock the accounts. Next time I fear I will not
>>> be so lucky.
>>>
>>> If there is a better group or forum to use or consultant I can call to
>>> get help please advise.
>
>
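A defender-side script for the "chapter two" procedure quoted above: locate the PDC emulator, read the audit events from its Security log, and group the failed attempts by the IP address carried in the event rather than by the spoofable computer name. This is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module, remote read access to the PDC emulator's Security log, and the Windows Server 2008+ event IDs named in the comments (the thread's 575 belongs to the older Windows 2003 numbering).

```powershell
# Added example, not from the thread. Summarise failed logons on the PDC emulator
# by source IP. Assumes RSAT (ActiveDirectory module) and rights to read the
# remote Security log.
param(
    [int]$Hours = 24,
    # The thread names event 575 on a Windows 2003-era DC. On Windows Server 2008
    # and later the equivalents are 4771 (Kerberos pre-authentication failed),
    # 4625 (logon failed) and 4740 (account locked out).
    [int[]]$EventIds = @(4771, 4625, 4740)
)

Import-Module ActiveDirectory

# Failed logons are re-checked at the PDC emulator, so read its log, not an arbitrary DC's.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4771 and 4625 carry IpAddress (the value worth trusting); 4740 carries only
    # TargetDomainName, the "Caller Computer Name" the attacker can set freely.
    $ip = if ($d['IpAddress']) { $d['IpAddress'] -replace '^::ffff:', '' } else { '(not in event)' }
    $reported = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['TargetDomainName'] }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        Account      = $d['TargetUserName']
        SourceIp     = $ip
        ReportedName = $reported   # informational only; do not rely on it
    }
}

# Which addresses are hammering which accounts, busiest first.
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, @{n='SourceIp'; e={$_.Name}},
        @{n='Accounts'; e={ ($_.Group.Account | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

Run it on a management host as a user who can read the PDC emulator's Security log; the SourceIp column is the address the thread's advice is after, while ReportedName is the field that showed "sorry".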