Then you install a sniffer or firewall on the local host doing the authentication [e.g. I would think this would be every domain controller] and correlate the firewall log entries with the Windows security log entries to determine the IP address where these are coming from. That then helps you determine where they're from.

A sniffer might be safer for domain controllers, as you don't want to do packet filtering willy-nilly on your DC, and I once had Sygate screw up a domain controller and I had to remove the registry entries for the IP stack after rebooting into Directory Services restore mode, very scary stuff to go through. Or, if you want to be really safe, put an inexpensive hardware firewall device like www.linksys.com or www.netgear.com starting around $75 in front of the DC and use syslog such as the free www.kiwisyslog.com to capture the logs from the firewall. Probably not as good as a sniffer, as the logs from an entry-level Linksys are very basic and hard to decipher on a busy DC, and you might need one for each DC to do it right, but on the other hand, this shouldn't require installing new software on your DC.
John said:
We are behind a Cisco router using NAT, so I am confused about how they can even get to the computer. It does host the VPN, but I see people trying user names now (by looking at the event log) and there are no connections being shown in the VPN. We have the latest updates, so I am concerned about how someone could even get our user names to try....
Karl Levinson [x y] mvp said:
Do you have a firewall? If you don't, then anyone can lock out your users
and start guessing passwords from the internet.
You can't get the IP address of the machine without a third party product
such as a firewall or sniffer. There are even free ones:
http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#sniffer
I recommend using some of the software above to see what is going on, from
where. If you do have a firewall, a compromised roaming laptop, remote user
or VPN connection could be other sources.
John said:
Hello,
We just went from NT 4.0 to Win2k and are running all current SPs and security patches. The users have been getting locked out all of a sudden. I thought it was due to the misconfiguration of the DNS on the DC; however, I looked at the security event log and found multiple entries like the one below. This machine name is not even on our network. How can I prevent this from happening, as it seems someone is trying to get our users' passwords for access? How are they able to get into our LAN? Could this be generated when someone is trying to get into our FTP? Thanks in advance..
John