Twillert

Block domains/pc-names to login w2k

Windows 2000 Advanced Server. No domain but workgroup. Some 20 users.
Someone outside seems able to get our user list. We have changed usernames but somehow the new usernames seem to be known in a short time.
Now he is trying to log in using each username from the list using some kind of password generator.
The policy is set up to lock after 5 failing login attempts.
A couple of times each day each user is accessed with the generator until all the users are locked. Or, worst case, finding a password!
From the event logs I can see his/her domain name and PC name. Trying to catch his IP is useless as different IPs are being used.

Is there a way to allow only known domains or PC names to log in and therefore block the unknown?
Or does someone know a tool to block someone for a long time whenever he makes a certain number of successive failing login attempts?

Appreciate anyone's help
Herman
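
The question notes that the workstation and domain names in the event log stay constant while the source IPs change. The following is an added example, not part of the original thread, that groups failed logons by workstation name instead of IP and flags names outside an allowlist that try several accounts. The CSV layout, the allowlist and every sample value are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: failed-logon records exported from the Security log.
# Column names, host names and addresses are assumptions for this example.
SAMPLE_LOG = """\
time,user,workstation,domain,source_ip
2004-03-01 09:00:01,anna,OFFICE-PC01,WORKGROUP,192.168.1.21
2004-03-01 09:14:10,anna,UNKNOWN-HOST,OTHERDOM,203.0.113.5
2004-03-01 09:14:12,bert,UNKNOWN-HOST,OTHERDOM,203.0.113.5
2004-03-01 09:14:15,carla,UNKNOWN-HOST,OTHERDOM,198.51.100.77
2004-03-01 09:14:19,dirk,unknown-host,OTHERDOM,198.51.100.77
2004-03-01 13:02:44,anna,UNKNOWN-HOST,OTHERDOM,192.0.2.140
2004-03-01 13:05:00,bert,LAPTOP-X,WORKGROUP,192.168.1.50
"""

# Assumed allowlist of workstation names that belong to the workgroup.
KNOWN_WORKSTATIONS = {"OFFICE-PC01", "OFFICE-PC02"}


def find_suspect_sources(log_text, known, min_users=3):
    """Return unknown (domain, workstation) pairs that failed against
    at least `min_users` distinct accounts, regardless of source IP."""
    stats = defaultdict(lambda: {"users": set(), "ips": set(), "failures": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        # Names are case-insensitive, so normalise before grouping.
        key = (row["domain"].upper(), row["workstation"].upper())
        entry = stats[key]
        entry["users"].add(row["user"].lower())
        entry["ips"].add(row["source_ip"])
        entry["failures"] += 1

    suspects = []
    for (domain, workstation), entry in stats.items():
        if workstation in known:
            continue  # a known PC with a mistyped password is not flagged
        if len(entry["users"]) >= min_users:
            suspects.append({
                "domain": domain,
                "workstation": workstation,
                "users": sorted(entry["users"]),
                "ip_count": len(entry["ips"]),
                "failures": entry["failures"],
            })
    return sorted(suspects, key=lambda s: -s["failures"])


if __name__ == "__main__":
    for suspect in find_suspect_sources(SAMPLE_LOG, KNOWN_WORKSTATIONS):
        print(suspect)
```

The workstation name is supplied by the client, so a hit here is a lead for investigation and for firewall or service lockdown, not proof of who is connecting.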
cheeba12

So is this person getting access through Remote Access? If you don't have any external users, ensure that none of them have dial-up access. Or go with a firewall or a router, a simple one even, since you do have that many users.

Cheeba
Well, first I would make sure that the users have passwords that are not in a dictionary; this is always a good idea.

ex.

d00b@d1sb@d

With a password like that you could set the account lockout to like 50 and lock it for less time and probably never have a problem.

Another good idea is to look through your securities - change "everyone" to "authenticated users".

What type of incoming connections do you need? Do people need to log in remotely?

If you use remote desktop to log in, may I suggest locking down all connections except for one PC. At that location set up restrictions to all but 1 login (if lots of users use remote desktop to get in, this will not fit your needs).

Also, if you are using 2000adv server, why not dcpromo?
Remote desktop is port 3389, by the way. Get some router logs and see what port the users are logging in on.
ASKER CERTIFIED SOLUTION
Rich Rumble
This solution is only available to members.
Jesus, forgot a very important one... restrict the registry: go to Services, stop the "Remote Registry Service" and then set it to disabled... very important.