Multiple Logon Failures, Foreign Domain from Outside Adapter

Phil

Hello All

This is a somewhat pressing security issue. Earlier today
I noticed that all of my users' accounts in our domain were
being locked out. Enabling auditing showed that some
domain I never heard of was attempting to logon to each,
locking them out, and then moving on. When I disabled the
outside adapter for this machine, of course, the attack
stopped. Leaving it disabled for about 10 mins seems to
have stopped the attacker for now (haven't had any attempts
in past 30 mins). My question is how do I prevent
connections coming from the outside adapter from
attempting to log in? Failing that, is there any way I
can find the IP address (since the log only offers the
domain name) and block that IP address from even
attempting a connection? Any help would be greatly
appreciated.
 
Steven L Umbach

Hi Phil.

I would have to question if your firewall is properly configured as it
should block those attempts. Go to http://scan.sygatetech.com/ to see if it
reports netbios ports being exposed, particularly 139 and 445. A firewall
should be set up with a default block all rule and then any exceptions
created for authorized access. Also disable file and print sharing and
netbios over tcp/ip [tcpip/advanced/wins] on your external adapter assuming
it is enabled which I bet it is. If file and print sharing is not needed on
that computer to offer shares or being remotely managed by Computer
Management, then uninstall it from the machine. Hopefully your computers
have not been compromised with a worm/trojan, and I would suggest checking
such as soon as you get things in order. --- Steve
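
Added example, not part of either post above: a small detector for the pattern described in the question, where one unfamiliar source domain fails logons against many accounts in quick succession. The record layout (time, account, source domain), the domain names and the thresholds are constructed assumptions; real audit log entries would have to be mapped into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, target account, source domain in the audit entry).
SAMPLE_FAILURES = [
    ("2004-03-01 14:00:05", "alice", "FOREIGNDOM"),
    ("2004-03-01 14:00:06", "alice", "FOREIGNDOM"),
    ("2004-03-01 14:00:07", "alice", "FOREIGNDOM"),
    ("2004-03-01 14:00:20", "bob", "FOREIGNDOM"),
    ("2004-03-01 14:00:21", "bob", "FOREIGNDOM"),
    ("2004-03-01 14:00:30", "bob", "CORP"),        # own domain: user typo
    ("2004-03-01 14:00:40", "carol", "FOREIGNDOM"),
    ("2004-03-01 14:01:02", "dave", "FOREIGNDOM"),
    ("2004-03-01 14:01:30", "erin", "FOREIGNDOM"),
    ("2004-03-01 13:05:00", "frank", "PARTNER"),   # unknown but slow, few accounts
    ("2004-03-01 13:50:00", "gina", "PARTNER"),
    ("2004-03-01 14:30:00", "frank", "PARTNER"),
]


def find_lockout_sweeps(failures, known_domains, min_accounts=4,
                        window=timedelta(minutes=5)):
    """Return {source_domain: sorted accounts} for unknown source domains whose
    failed logons hit at least min_accounts distinct accounts within one window."""
    known = {d.upper() for d in known_domains}
    by_source = defaultdict(list)
    for stamp, account, source in failures:
        if source.upper() in known:
            continue  # failures from our own domain are handled separately
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        by_source[source.upper()].append((when, account.lower()))

    sweeps = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                sweeps.setdefault(source, set()).update(accounts)
    return {src: sorted(accts) for src, accts in sweeps.items()}


if __name__ == "__main__":
    for src, accts in find_lockout_sweeps(SAMPLE_FAILURES, {"CORP"}).items():
        print(f"possible lockout sweep from {src}: {', '.join(accts)}")
```

A hit here is a cue to check which interface the attempts arrived on and whether ports 139 and 445 are reachable from outside, as the reply above recommends.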
 
