Posted by just bob on March 16, 2008, 9:29 pm
The guy just created a user account called "sorry". Strange he did not give
it domain admin access.
> Hey Bob, didn't we talk before on this? I recall advising Wireshark.
>
> However, reading the below I'm getting a better impression of what is
> happening. Microsoft IS giving you the correct information to find the
> person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff,
> but your mail sounds like you're at the end of your rope, and I just want to
> make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute-force password guessing
> tool that is being used against your administrative accounts. To start,
> there are a few things you can do with group policies to at least make sure
> you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while
> investigating further, to make sure your accounts aren't getting locked
> out. Again: I'm not trying to sound demeaning, just covering the
> bases/basics, so I'll go through every step, even though this may be
> peanuts for you.
>
> Chapter one: protection.
>
> In the Group and Policy Manager; make sure to edit the Default Domain
> Policy and go to the Windows Settings\Security Settings\Account Lockout
> Policy.
>
> Define the Account lockout duration to be not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also
> allows the hacker to run his tools now unlimitedly against the accounts
> (the lockout slowed him down considerably). I'm only proposing this as you
> point out that you fear losing your administrative accounts, but put this
> lockout threshold back in place a.s.a.p. if you decide to go this route in
> the first place.
>
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited
> correctly. To do this, we again are using Group Policy Management and
> we'll define the Default Domain Controllers Policy. In that policy, go to
> Windows Settings\Security Settings\Local Policies\Audit Policy and make
> sure to change 'Audit account logon events'. See to it that Success as
> well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as
> possible you might consider running 'GPUpdate /force' from the command
> prompt on your DCs. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the eventlog, with the IP address
> of the person attempting to logon. The problem is that a user can logon
> using any domain controller; however, each failed logon on any DC gets
> 'double checked' by that DC by sending it to the domain's PDC emulator (one
> of the FSMO roles as you may recall), so it makes most sense to check the
> eventlogs of the PDC emulator Domain Controller. You can easily find out
> who the PDC emulator is by opening Active Directory Users and Computers,
> right-clicking your domain name, and selecting 'operations masters'.
>
> The event-ID you are looking for is event: 575, Source: Security,
> Category: Account Logon.
>
> In the Description field you can see the user name of the account being
> attempted, but more importantly: the IP number of the system from where
> the attempt is being done.
>
>
> I hope this helps you, sorry for wasting your time if you had already done
> the above.
>
> regards,
>
> Paul
>
>
>
>
> just bob wrote:
>> Microsoft wizards please help me as I am desperate. Someone continues to
>> lock all my admin accounts. My firewall is working properly (allowing
>> only port 53) so I think the guy is using one of the 120 PCs or another
>> server on my network to read my user database and identify the admin
>> accounts and send a command to lock them. We've got the latest Symantec
>> antivirus corporate edition installed and updated on all the machines and
>> it's supposed to identify spyware, etc. Why is it so easy for this guy to
>> do this? I have downloaded all the high priority updates for all
>> machines, servers and PCs. We've also used the server lockdown tool. Why
>> doesn't this help? Most importantly, why does Microsoft not give me more
>> detailed info on which machine this guy is using? The event log just has
>> a random spoof machine name. Last time he did this he spoofed the machine
>> name field to say "sorry". I got lucky there was one admin account he
>> missed and I was able to unlock the accounts. Next time I fear I will not
>> be so lucky.
>>
>> If there is a better group or forum to use or consultant I can call to
>> get help please advise.