Educause Security Discussion mailing list archives

Re: Active Directory Lockout Log Tools


From: "Curtis, Bruce" <bruce.curtis () NDSU EDU>
Date: Mon, 29 Oct 2018 16:50:54 +0000

We have seen similar lockouts due to brute force password attempts.

I don’t know if things have changed but when we saw the issue the central AD logs had the IP number of the device that 
was being targeted in the brute force password attempt against the RDP port.  But the central AD logs did not contain 
the IP number of the source of the brute force password attempts.

Depending on what service is being attacked with the brute force password attempts you may be able to change the 
service to use a different port than the default port.

https://winaero.com/blog/change-rdp-port-windows-10/

https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop


There are tools that can be run on clients that function like fail2ban does on Linux.

Here are two examples.

wail2ban - https://github.com/glasnt/wail2ban

RDPGuard - https://rdpguard.com/

Another option is to change the service on the client being attacked to use native IPsec.

https://blogs.technet.microsoft.com/askpfeplat/2017/07/24/securing-rdp-with-ipsec/

https://it.cornell.edu/managed-servers/secure-windows-traffic-ipsec

https://www.youtube.com/watch?v=vewKC3-fbFo



It is a good idea to use multi factor for services like RDP but that does not prevent the lockouts.

https://duo.com/docs/rdp

On Oct 29, 2018, at 10:38 AM, Justin Hensley <justin.hensley () UCUMBERLANDS EDU> wrote:

Hello All:
We have been encountering an increased occurrence of user accounts being locked due to our AD lockout policy.  In the 
past, almost all of these issues have been due to a user having a bad password in one of our university systems that 
kept attempting to autologin and caused the lockout.  However, we now believe that attackers are attempting to brute 
force the password with a known username on some accounts.  Would anyone have any suggestions on a quicker way to track 
this activity back to an IP than sorting through all the AD logs?  Are there any tools out there to help with this?

Thanks.

Justin O. Hensley, CEH, CISSP
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769
606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
justin.hensley () ucumberlands edu
www.ucumberlands.edu

CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the 
sender and delete this email from your system. Thank you.

---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
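The thread's core problem is that the lockout event on the domain controller (4740) names the device that forwarded the bad passwords but not the attacker's address. The script below is an added example, not code from either poster or from any of the tools linked above. It pulls 4740 for one account from every DC, then looks for the source IP in two places where it can actually appear: Kerberos pre-authentication failures (4771) on the DCs, and failed-logon events (4625) on the "Caller Computer" named in the lockout. It assumes a domain-joined admin workstation with the ActiveDirectory RSAT module, remote Event Log access to the DCs and the client, and Security auditing enabled for Account Lockout, Kerberos Authentication Service and Logon events; `$LockedUser`, `$Hours` and `$Top` are hypothetical script parameters.

```powershell
# Added example (not from the thread): correlate an AD lockout with the
# failed-logon events that carry a source IP address.
param(
    [Parameter(Mandatory)] [string] $LockedUser,   # sAMAccountName of the locked-out user
    [int] $Hours = 24,                             # how far back to search
    [int] $Top   = 10                              # how many source IPs to report
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Turn an event's <EventData> into a hashtable keyed by field name, so we
# never depend on the positional order of Properties[].
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml] $Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Step 1: 4740 on the DCs. Note the quirk: the field rendered as
# "Caller Computer Name" is stored as TargetDomainName. It is the device that
# relayed the bad passwords (e.g. the RDP host being hammered), NOT the source IP.
$lockouts = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { $d = Get-EventData $_; [pscustomobject]@{ Time=$_.TimeCreated; DC=$dc; User=$d.TargetUserName; Caller=$d.TargetDomainName } } |
        Where-Object { $_.User -eq $LockedUser }
}

# Step 2: 4771 (Kerberos pre-auth failed) on the DCs carries the client IP.
# Status 0x18 is "bad password"; the address is often prefixed "::ffff:" for IPv4.
$kerb = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=4771; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_.TargetUserName -eq $LockedUser } |
        ForEach-Object { [pscustomobject]@{ Source='DC:4771'; Host=$dc; IP=($_.IpAddress -replace '^::ffff:',''); Status=$_.Status } }
}

# Step 3: 4625 (logon failure) on each Caller Computer carries the remote IP
# for network/RDP logons. It can be '-' on some NLA logon paths; those rows
# are dropped below, and 4771 is then the remaining lead.
$callers = @($lockouts.Caller | Where-Object { $_ } | Sort-Object -Unique)
$logonFail = foreach ($callerHost in $callers) {
    Get-WinEvent -ComputerName $callerHost -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_.TargetUserName -eq $LockedUser } |
        ForEach-Object { [pscustomobject]@{ Source='Client:4625'; Host=$callerHost; IP=($_.IpAddress -replace '^::ffff:',''); Status=$_.Status } }
}

# Step 4: rank the source addresses by failure count.
$summary = @($kerb) + @($logonFail) |
    Where-Object { $_.IP -and $_.IP -ne '-' } |
    Group-Object IP | Sort-Object Count -Descending | Select-Object -First $Top |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Failures = $_.Count
            SeenVia  = (($_.Group.Source | Sort-Object -Unique) -join ',')
        }
    }

"Lockouts for $LockedUser in the last $Hours h:"
$lockouts | Sort-Object Time | Format-Table Time, DC, Caller -AutoSize
"Top source addresses behind the failures:"
$summary  | Format-Table -AutoSize
```

Run it as `.\Trace-Lockout.ps1 -LockedUser jdoe -Hours 6`. If the 4625 rows all show `-` as the address and there are no 4771 hits (for example NTLM-only traffic, which produces 4776 with a workstation name but no IP), the caller host itself is the next place to look: its RDP-layer logs or a packet capture on that port are what remains, which is also why the reply above recommends moving the exposed service to a non-default port or behind IPsec rather than relying on the DC logs alone.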

