Posted by just bob on March 14, 2008, 3:21 pm
What you describe was already done years ago. Using a Cisco firewall there
are no incoming rules allowing access to any of my domain servers from the
internet, let alone a DC. Even my Exchange server has a Barracuda mail
gateway in front of it. OK, our OWA server is out in the open, but if
someone had used an OWA login attempt to lock my account I would at least
know where it is coming from, as the OWA server event log always reports the
source IP address. Our DCs can only make DNS requests for forwarding
purposes, so no outgoing ports are open besides 23.
Somehow the guy is able to send a login request from inside my network, one
which might have more access than it needs, but heck, most of these guys are
coming in on ports you usually need to allow, like 80.
I am going to have to set up a sniffer as someone else suggested.
>I always thought that exposing domain machines directly to the internet was
>a really bad idea. Lock the whole network behind a firewall and provide
>VPN access in to users who need it from outside.
>
> meanwhile, rename the account or delete it if you aren't using it.
>
>> Someone is trying to hack one of our (formerly) admin accounts in AD on
>> Server 2003 using a bad password and causing the account to lock and the
>> event viewer shows the login attempt coming from a machine with a name
>> which is not on our network.
>>
>> This has been happening every day at a different time of day and every
>> time the machine name is different. The only constant is the account
>> being attacked is the same every time. It would really help if there was
>> a way to get the IP address and not just the name of the machine. I have
>> looked in our DNS and DHCP database and found no machines we do not
>> recognize.
>>
>> Thank you in advance if you have a suggestion for me.
>>
>> -Bob
>>
>
>
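An added example, not from anyone in this thread: the lockout event on a DC only records the caller's machine name (which is attacker-controlled and, as Bob saw, can be anything), but the individual failed-logon events that precede it do carry a client address. The script below, written for a Windows Server 2008 or later DC with PowerShell 2.0+ (`Get-WinEvent`, which Server 2003 does not have), pulls the lockout (4740), Kerberos pre-authentication failure (4771) and failed logon (4625) events for one account and lines them up by time so the bogus hostname in the lockout can be matched to the IP in the failures around it. The `$Account`, `$Hours` and `$Dc` parameters are assumptions; 4740/4771/4625 are the modern equivalents of the 644/675/529 IDs a 2003 DC would log.

```powershell
# Added example (not from the thread): recover the source IP behind an AD account lockout
# by correlating the lockout event with the failed-logon events around it.
# Assumes a Windows Server 2008+ DC and PowerShell 2.0+; run against the PDC emulator,
# since every lockout is forwarded there regardless of which DC saw the bad password.
param(
    [Parameter(Mandatory = $true)][string]$Account,  # sAMAccountName being locked out
    [int]$Hours = 24,                                # how far back to look
    [string]$Dc = $env:COMPUTERNAME                  # DC to query (ideally the PDC emulator)
)

$since = (Get-Date).AddHours(-$Hours)

# 4740 = account locked out          -> caller computer NAME only (TargetDomainName field)
# 4771 = Kerberos pre-auth failed    -> client IP in IpAddress (formatted ::ffff:x.x.x.x)
# 4625 = failed logon (NTLM etc.)    -> IpAddress / WorkstationName, may be blank or '-'
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4625; StartTime = $since }
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull one named <Data> element out of the event's XML payload.
function Get-Field($xml, $name) {
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    if ((Get-Field $x 'TargetUserName') -ne $Account) { continue }

    switch ($e.Id) {
        4740 { $src = Get-Field $x 'TargetDomainName'
               $kind = 'LOCKOUT (caller computer name, untrusted)' }
        4771 { $src = (Get-Field $x 'IpAddress') -replace '^::ffff:', ''
               $kind = 'Kerberos pre-auth failure (status ' + (Get-Field $x 'Status') + ')' }
        4625 { $src = Get-Field $x 'IpAddress'
               $kind = 'failed logon, workstation ' + (Get-Field $x 'WorkstationName') }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = $kind; Source = $src }
}

# Timeline: the 4771/4625 entries in the same minute as a 4740 give the real source.
$rows | Sort-Object Time | Format-Table Time, Id, Kind, Source -AutoSize

# Which addresses generated the failures, most frequent first.
$rows | Where-Object { $_.Id -ne 4740 -and $_.Source -and $_.Source -ne '-' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
```

Usage: `.\Find-LockoutSource.ps1 -Account svc_oldadmin -Hours 48 -Dc PDC01`. Two things to keep in mind when reading the output: if the failures are NTLM rather than Kerberos, the 4625/4776 events may show only a workstation name and an empty address, in which case the source is whatever internal host is relaying the attempt (an Exchange/OWA front end, a proxy, or a host with a stale mapped drive or scheduled task still holding the old password); and on a 2003 DC the same correlation works manually by matching event 644 against the 675 and 529 entries around it. If the sniffer route is taken anyway, capturing on the DC and filtering for Kerberos KRB-ERROR responses with error code 24 (KRB5KDC_ERR_PREAUTH_FAILED) shows the client address directly.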