Educause Security Discussion mailing list archives
Re: Domain Controller Attacks
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Fri, 14 Oct 2005 11:47:22 -0400
Several worms (e.g. Mytob, Spybot, SDbot AKA IRCbot) will attempt to propagate via file shares on the local network by establishing file shares using enumerated accounts (e.g. from the AD) using dictionary and brute force attacks on the account passwords. This can show up as a lot of account lockouts (or lock downs if you have automatic account unlock policies after a lockdown period) on your ADs.

The worms often aren't even attacking AD servers directly -- they are just mapping drives. However if a privileged account is cracked the worm may breach an AD server next (so don't allow passwords for forest/domain admin accounts -- only smart tokens, and internally block as many ports on the AD/DC in an internal firewall as you can).

Also (regarding AD / DC security) -- because of Tuesday's Patch updates:

1. WindowsUpdate is not always 100% correct -- it is possible to be missing critical patches even when WindowsUpdate reports a computer as up to date (even against Microsoft's servers as opposed to local SUS/WUS/WSUS servers).

2. Patches sometimes fail to install/apply. Particularly there is a reported problem (see SANS ISC today -- isc.sans.org) with the MSDTC/COM+ patch.

For this reason it is a recommended effective practice to also (in addition to WindowsUpdate) regularly run MBSA (Microsoft Baseline Security Analyzer) on your AD servers to find out if they are missing critical patches.

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Oct 14, 2005, at 10:58 AM, Wayne Bullock wrote:
Our Systems group that runs our Microsoft domain controllers is complaining about automated attacks that systematically attempt to break into accounts. Their main concern is that accounts become blocked after 3 attempts. So, this is felt by users as a DoS. The legitimate users can't authenticate. Working with Security, they believe it's some type of virus that appears to be going around on students' machines. Is anyone else seeing this?

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
Current thread:
- Domain Controller Attacks Wayne Bullock (Oct 14)
- <Possible follow-ups>
- Re: Domain Controller Attacks Dave Monnier, IT Security Office, Indiana University (Oct 14)
- Re: Domain Controller Attacks Hoffman, Michael (Oct 14)
- Re: Domain Controller Attacks Beechey, Jim (Oct 14)
- Re: Domain Controller Attacks H. Morrow Long (Oct 14)
- Re: Domain Controller Attacks Wayne J. Hauber (Oct 14)
- Re: Domain Controller Attacks David Taylor (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)
- Re: Domain Controller Attacks Bowden, Zeb (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)
- Re: Domain Controller Attacks Jeff Kell (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)