Educause Security Discussion mailing list archives
Re: Active Directory Lockout Log Tools
From: "Curtis, Bruce" <bruce.curtis () NDSU EDU>
Date: Mon, 29 Oct 2018 16:50:54 +0000
We have seen similar lockouts due to brute force password attempts. I don't know if things have changed, but when we saw the issue the central AD logs had the IP number of the device that was being targeted in the brute force password attempt against the RDP port. But the central AD logs did not contain the IP number of the source of the brute force password attempts.

Depending on which service is being attacked with the brute force password attempts, you may be able to change the service to use a different port than the default port.
https://winaero.com/blog/change-rdp-port-windows-10/
https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

There are tools that can be run on clients that function like fail2ban does on Linux. Here are two examples.
wail2ban - https://github.com/glasnt/wail2ban
RDPGuard - https://rdpguard.com/

Another option is to change the service on the client being attacked to use native IPsec.
https://blogs.technet.microsoft.com/askpfeplat/2017/07/24/securing-rdp-with-ipsec/
https://it.cornell.edu/managed-servers/secure-windows-traffic-ipsec
https://www.youtube.com/watch?v=vewKC3-fbFo

It is a good idea to use multi-factor for services like RDP, but that does not prevent the lockouts.
https://duo.com/docs/rdp

On Oct 29, 2018, at 10:38 AM, Justin Hensley <justin.hensley () UCUMBERLANDS EDU> wrote:

> Hello All:
>
> We have been encountering an increased occurrence of user accounts being locked due to our AD lockout policy. In the past, almost all of these issues have been due to a user having a bad password in one of our university systems that kept attempting to autologin and caused the lockout. However, we now believe that attackers are attempting to brute force the password with a known username on some accounts. Would anyone have any suggestions on a quicker way to track this activity back to an IP than sorting through all the AD logs?
>
> Are there any tools out there to help with this? Thanks.
>
> Justin O. Hensley, CEH, CISSP
> University of the Cumberlands
> Director of Information Security
> Division of Information Services
> Gatliff Administration Building | Lower Level | Room 008
> 104 Maple Street, Williamsburg, KY, 40769
> 606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
> justin.hensley () ucumberlands edu
> www.ucumberlands.edu

---
Bruce Curtis
bruce.curtis () ndsu edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
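The original question asks for a faster route from a lockout to a source IP than reading through all the AD logs, and the reply points out why the DC logs alone were not enough: the DC records which device was being targeted, not who was sending the passwords. The following PowerShell script is an added example, not code from either poster or from any of the tools linked above. It automates the two-hop lookup that the reply implies: read the 4740 lockout events on the domain controller to learn the "caller computer" (the host where the bad passwords were presented), then read that host's own 4625 logon-failure events, which carry the remote IP. The domain controller name dc01.example.edu is a placeholder, and the script assumes the account running it can read the Security log on the DC and on each caller host (remote Get-WinEvent needs RPC reachability and Event Log Readers rights).

```powershell
# Added example, not from the thread. Two-hop lookup from an AD lockout to the
# source IP of the password guessing:
#   1. Event 4740 (account locked out) on the DC names the "caller computer",
#      i.e. the host where the bad passwords were presented (e.g. the RDP host).
#   2. Event 4625 (logon failure) on that host carries the remote IpAddress.
# Assumes: 'dc01.example.edu' is a placeholder for your PDC emulator, and the
# account running this can read the Security log on the DC and on the caller
# hosts (remote Get-WinEvent needs RPC reachability and Event Log Readers rights).

param(
    [string]$DomainController = 'dc01.example.edu',  # placeholder, change to your DC
    [int]$HoursBack = 24
)

$since = (Get-Date).AddHours(-$HoursBack)

# Flatten the <EventData> section of a Security event into a name -> value map.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) {
        $map[$node.Name] = $node.'#text'
    }
    return $map
}

# Step 1: lockouts reported to the DC. In the 4740 XML the caller computer
# name is carried in the field named TargetDomainName (a long-standing quirk);
# TargetUserName is the account that got locked.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d['TargetUserName']
            Caller  = $d['TargetDomainName']
        }
    }

if (-not $lockouts) {
    Write-Host "No 4740 lockout events on $DomainController in the last $HoursBack h."
    return
}

# Step 2: on each caller host, pull 4625 failures for the locked accounts and
# group them by remote IP. Console/local failures log IpAddress '-' and are
# skipped, since they carry no network source to act on.
$results = foreach ($caller in ($lockouts.Caller | Sort-Object -Unique)) {
    $accounts = $lockouts | Where-Object Caller -eq $caller |
        Select-Object -ExpandProperty Account -Unique
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventDataMap $_ } |
        Where-Object {
            $_['IpAddress'] -and $_['IpAddress'] -ne '-' -and
            $accounts -contains $_['TargetUserName']
        } |
        Group-Object { "$($_['TargetUserName'])|$($_['IpAddress'])" } |
        ForEach-Object {
            $user, $ip = $_.Name -split '\|', 2
            [pscustomobject]@{
                Caller    = $caller
                Account   = $user
                SourceIP  = $ip
                Failures  = $_.Count
                LogonType = ($_.Group | Select-Object -First 1)['LogonType']
            }
        }
}

# One row per (caller host, account, source IP), busiest sources first.
$results | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it from an administrative workstation, for example `.\Find-LockoutSource.ps1 -DomainController pdc.example.edu -HoursBack 6`. The output gives you the target host, the account and the remote IP behind each lockout in one table, which is the information needed to block the source at the firewall or to confirm that a client-side tool such as the fail2ban-style ones mentioned above has a network address to act on. The design mirrors the observation in the reply: the DC's own log answers "where", and only the targeted host's log answers "from whom", so the script has to hop to the caller host rather than searching the DC harder.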