Logon attacks: how do attackers get my usernames? And what to do against it?
Hi, recently I have lots of automated logon attacks. Due to circumstances I can't change, my server (Windows Server 2008 R2) has a public IP and is not placed behind a firewall. How does an attacker get all my accounts? And can I prevent it? The passwords are strong enough to resist, but the users complain about locked-out accounts. Here is what it looks like:

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: John Doe
    Account Domain: USTLIMIA

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: USTLIMIA-SRV
    Source Network Address: 87.103.xxx.xxx
    Source Port: 1441

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

[Names and IPs altered]

In my Group Policies I changed some settings without success:

Network access: Allow anonymous SID/name translation -> disabled
Network access: Do not allow anonymous enumeration of SAM accounts -> enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares -> enabled

The Group Policy "Network access: Do not allow anonymous enumeration of SAM accounts" warns that it has no impact on domain controllers. Does this mean I can't stop this? Does the Windows Firewall offer any solution?

Regards, Jens
October 15th, 2009 10:40am
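As an added example (not part of the thread, and not code from any of the posters), here is how to pull the Event ID 4625 records Jens quotes out of the Security log with PowerShell and summarize them per source address. The point is to tell an enumeration-driven spray (many distinct accounts from one address, all failing with sub status 0xC000006A "bad password") from blind guessing (mostly 0xC0000064 "no such user"). It assumes PowerShell 2.0 on Server 2008 R2 run from an elevated prompt; the 24-hour window and the private-address filter are assumptions you can change.

```powershell
# Added example: summarize failed network logons (4625) per source address.
# Assumes the local Security log, an elevated prompt, PowerShell 2.0 or later.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Read named fields from the event XML instead of relying on the positional
# Properties[] order of the 4625 template.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = Get-EventField $e 'TargetUserName'
        Domain    = Get-EventField $e 'TargetDomainName'
        SourceIP  = Get-EventField $e 'IpAddress'
        LogonType = Get-EventField $e 'LogonType'
        AuthPkg   = Get-EventField $e 'AuthenticationPackageName'
        SubStatus = Get-EventField $e 'SubStatus'   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Logon type 3 (network) from a non-private address is the pattern in the post.
$external = $rows | Where-Object {
    $_.LogonType -eq '3' -and $_.SourceIP -ne '-' -and
    $_.SourceIP -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'
}

"Failed network logons per source address since $since"
$external | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'DistinctAccounts'; e = { ($_.Group | Select-Object -ExpandProperty Account -Unique).Count } },
        @{ n = 'BadPassword';      e = { ($_.Group | Where-Object { $_.SubStatus -eq '0xc000006a' }).Count } },
        @{ n = 'UnknownUser';      e = { ($_.Group | Where-Object { $_.SubStatus -eq '0xc0000064' }).Count } } |
    Format-Table -AutoSize

# Which accounts one address is working through, in order:
# $external | Where-Object { $_.SourceIP -eq '87.103.0.1' } | Sort-Object Time | Format-Table Time, Account, SubStatus
```

A source that cycles through many distinct real accounts with almost no UnknownUser hits already holds your user list; that is the signature of enumeration rather than a dictionary of common names, and it is why lockouts pile up across the whole user base instead of on one account.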

Hi, since your server does not have any protection and also has a public IP, it is a very, very good target... 1st, check that you don't have any trojan (probably you have). 2nd, check that you don't use default passwords like p@ssw0rd, qwerty, etc. Make sure that you have the basic security: all updates, some endpoint security, stop services which you don't need, don't run (publish) any RPC service (probably you are), etc. Buy a firewall :-) dkotix
October 15th, 2009 11:29am

> Hi, since your server does not have any protection and also has a public IP, it is a very, very good target... 1st, check that you don't have any trojan (probably you have). 2nd, check that you don't use default passwords like p@ssw0rd, qwerty, etc. Make sure that you have the basic security: all updates, some endpoint security, stop services which you don't need, don't run (publish) any RPC service (probably you are), etc. Buy a firewall :-) dkotix

All updates, no Trojans/viruses and a Windows Firewall! ;-) Your post unfortunately does not help me find out how an attacker comes to know my accounts. Any idea? Jens
October 15th, 2009 12:48pm

Since you have enabled the firewall, check the log/traffic. Type netstat -a and check the listening ports to see if you have any backdoor. The AV is a first level of security; this doesn't mean that it can stop a trojan through port 80, for example. Are you sure about your internal users? Begin a silent investigation. First check where the traffic comes from. dkotix
October 15th, 2009 4:07pm

> Since you have enabled the firewall, check the log/traffic. Type netstat -a and check the listening ports to see if you have any backdoor. The AV is a first level of security; this doesn't mean that it can stop a trojan through port 80, for example. Are you sure about your internal users? Begin a silent investigation. First check where the traffic comes from. dkotix

Hello Jens,

This is a very scary situation. I would hate to be in your shoes. Please see: http://www.wonderdrug.com/

Check your Windows Firewall settings; you should not be getting network logon type 3 on the public interface. This is a problem. Are ports 137-139, 445 open?

When you say "users", are you talking about 1 user or more? If an attacker has enumerated numerous account names, it's likely he has enumerated your AD or LDAP. Scary. If it's just 1, it can be a social engineering tactic, which is a very targeted type of attack. Usually the attacker is aware of (or has an idea about) valuable information that may be obtained via that user's credentials.

First thing on my mind would be to get the server behind a packet filter firewall or off the net until you get things under control. A brute-force password attack will eventually prevail if given enough time. Luckily you have a lockout policy in place and good password policies. You can also complain to the source IP's ISP (www.arin.net). Getting a good packet filter firewall is my recommendation. With a packet filter firewall, you can block the source traffic and end of story. Check out Sonicwall or Multi-tech if you are on a budget; they are reasonably priced ($250-400).

To answer your question, here's how someone can enumerate your user name(s):

1. Social Engineering - calling by phone, asking for the CEO's or IT's email address to send him info, etc.
2. Inside user who has access to the AD users list (from Outlook, etc.)
3. Keystroke loggers and/or network sniffing
4. Spyware/malware
5. Mailing list enumeration (DBs, chain letters, etc.)
6. Search engines / unsecured pages / exposed private pages (web sites, web pages, intranets, forms, HTML, ASP, etc.)
7. AD/LDAP enumeration

Check out these links:

Hack tools to enumerate:
http://netsecurity.about.com/cs/hackertools/a/aafreeenumtool.htm

Check your open ports using Shields Up:
http://www.grc.com/default.htm

Quick relief for your computing headaches:
http://www.wonderdrug.com/

Miguel Fra / Falcon ITS
Miguel Fra www.falconits.com
October 15th, 2009 8:32pm
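The port closing Miguel recommends, written out as an added example for Server 2008 R2 (PowerShell driving netsh; this is not code from the thread or from either poster): block the NetBIOS, SMB and RPC endpoint-mapper ports inbound on the public address, read back the LSA registry values behind the three policies Jens changed, and verify from outside that a null session is refused. The address 203.0.113.10 and the rule names are placeholders; the profile handling is an assumption explained in the comments.

```powershell
# Added example: close 135/137-139/445 on the public address and verify.
# Run from an elevated prompt on the server. $PublicIP is a placeholder.
$PublicIP = '203.0.113.10'

# Before: what is listening on the enumeration ports. Anything bound to
# 0.0.0.0 or the public address here is reachable from the internet.
netstat -ano | Select-String -Pattern ":(135|137|138|139|445)\s"

# Inbound block rules scoped to the public address only, so an internal
# interface (if any) keeps serving SMB/RPC to domain members.
# Server 2008 R2 has no New-NetFirewallRule cmdlet; netsh advfirewall is the tool.
# Quoting keeps PowerShell from splitting the comma lists into separate arguments.
netsh advfirewall firewall add rule name=BlockSMB-RPC-Public dir=in action=block protocol=TCP "localport=135,139,445" "localip=$PublicIP"
netsh advfirewall firewall add rule name=BlockNetBIOS-UDP-Public dir=in action=block protocol=UDP "localport=137,138" "localip=$PublicIP"

# A domain controller usually classifies every NIC as the Domain profile, so
# do not assume the public NIC sits in the Public profile: enable the firewall
# with block-inbound defaults on all profiles instead.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# Confirm the rules exist and are enabled.
netsh advfirewall firewall show rule name=BlockSMB-RPC-Public
netsh advfirewall firewall show rule name=BlockNetBIOS-UDP-Public

# Registry side of the GPO settings from the original post:
#   RestrictAnonymousSAM      = 1  <- "Do not allow anonymous enumeration of SAM accounts"
#   RestrictAnonymous         = 1  <- "... of SAM accounts and shares"
#   EveryoneIncludesAnonymous = 0  <- "Let Everyone permissions apply to anonymous users"
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
    Select-Object RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous

# After: from a host OUTSIDE the server, a null session must now fail.
# Expect "System error 53" or a timeout instead of "The command completed successfully":
#   net use \\203.0.113.10\ipc$ "" /user:""
```

Two caveats. The SAM-enumeration policy says it has no effect on domain controllers because domain accounts live in Active Directory rather than the local SAM, so on a DC the port block, not the policy, is what stops an anonymous listing from the internet. And if the public NIC is the server's only interface and domain members reach it over that address, blocking 135/139/445 there also cuts their SMB, SYSVOL and RPC traffic; in that case the packet filter in front of the server that only passes the ports you actually publish, as Miguel suggests, is the real fix.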

Thank you for answering my questions. I tried a few of the enum tools. They worked great! :-( So I guess #7 is (was!) my problem. Until I can move my net behind a firewall (planned for sometime in the mid future) I closed the ports you mentioned above. That stopped the automated attacks. Thanks again, Jens
October 16th, 2009 2:58pm

Hi Jens, glad it worked out for you. Please consider closing ALL your ports except the necessary ones, i.e. if you use IIS open port 80, etc., but any ports you do not specifically need to be accessed from the WAN, CLOSE THEM!!!!!! Also, make sure the server is patched with the latest security updates!! Cheers, Miguel Fra, Falcon IT Services
Miguel Fra www.falconits.com
October 17th, 2009 4:50am
