Block domains/pc-names to login w2k

Windows 2000 Advanced Server. No domain, but a workgroup. Some 20 users.
Someone outside seems able to get our user list. We have changed usernames, but somehow the new usernames seem to be known in a short time.
Now he is trying to log in using each username from the list, using some kind of password generator.
The policy is set up to lock after 5 failed login attempts.
A couple of times each day each user is accessed with the generator until all the users are locked. Or, worst case, finding a password!
From the event logs I can see his/her domain name and PC name. Trying to catch his IP is useless as different IPs are being used.

Is there a way to allow only known domains or PC names to log in and therefore block the unknown?
Or does someone know a tool to block someone for a long time whenever he does a certain number of successive failed login attempts?

Appreciate anyone's help.
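The detection side of what the asker describes, as an added example that is not part of the original thread: a Python script that parses failed-logon audit records (Windows 2000 event 529 "Logon Failure", exported here as constructed one-line-per-event text rather than a real log), and reports which source workstations are not on a known list, which sources are trying many different accounts, and which accounts have reached the lockout threshold. The line format, the workstation names, the known-list and the threshold values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample export (not real data): one failed-logon audit per line,
# carrying the fields a Windows 2000 event 529 records (user, domain, workstation).
SAMPLE_LOG = """\
2003-05-12 02:14:01 529 user=alice domain=OFFICE workstation=WS-ACCT1
2003-05-12 02:14:09 529 user=alice domain=XCORP workstation=XBOX
2003-05-12 02:14:10 529 user=alice domain=XCORP workstation=XBOX
2003-05-12 02:14:11 529 user=alice domain=XCORP workstation=XBOX
2003-05-12 02:14:12 529 user=alice domain=XCORP workstation=XBOX
2003-05-12 02:14:13 529 user=alice domain=XCORP workstation=XBOX
2003-05-12 02:14:20 529 user=bob domain=XCORP workstation=XBOX
2003-05-12 02:14:21 529 user=carol domain=XCORP workstation=XBOX
2003-05-12 02:14:22 529 user=dave domain=XCORP workstation=XBOX
2003-05-12 09:02:44 529 user=bob domain=OFFICE workstation=WS-SALES2
"""

# Assumed line layout for the constructed export above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\d+) user=(?P<user>\S+) "
    r"domain=(?P<domain>\S+) workstation=(?P<ws>\S+)$"
)


def parse_events(text):
    """Turn the exported text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, known_workstations, lockout_threshold=5, spray_min_accounts=3):
    """Summarise failed logons (event 529) by source machine and by target account.

    known_workstations: PC names you expect to see (the asker's "known pc-names").
    lockout_threshold:  the account lockout policy value (5 in the question).
    spray_min_accounts: how many distinct accounts from one source count as spraying.
    """
    known = {w.upper() for w in known_workstations}
    per_source_users = defaultdict(set)
    per_source_count = defaultdict(int)
    per_user_failures = defaultdict(int)

    for e in events:
        if e["event"] != "529":
            continue
        src = (e["domain"] + "\\" + e["ws"]).upper()
        user = e["user"].lower()
        per_source_users[src].add(user)
        per_source_count[src] += 1
        # Lockout counts failures against the account no matter where they come from.
        per_user_failures[user] += 1

    unknown = {
        src: sorted(users)
        for src, users in per_source_users.items()
        if src.split("\\", 1)[1] not in known
    }
    spraying = sorted(
        src for src, users in per_source_users.items() if len(users) >= spray_min_accounts
    )
    at_risk = sorted(u for u, n in per_user_failures.items() if n >= lockout_threshold)

    return {
        "unknown_sources": unknown,
        "spraying_sources": spraying,
        "accounts_at_lockout": at_risk,
        "failures_per_source": dict(per_source_count),
    }


if __name__ == "__main__":
    report = analyze(parse_events(SAMPLE_LOG), ["WS-ACCT1", "WS-SALES2"])
    for section, value in report.items():
        print(f"{section}: {value}")
```

The domain and workstation names in these events are supplied by the connecting client, so a list keyed on them tells you who is knocking but is not a security boundary; the later advice in this thread to permit only known IP addresses at a firewall is the actual control. The lockout counter is per account regardless of source, which is why `alice` is flagged here even though most of her failures came from one machine.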

So is this person getting access through Remote Access? If you don't have any external users, ensure that none of them have dial-up access. Or go with a firewall or a router, a simple one even, since you do have that many users.

Well, first I would make sure that the users have passwords that are not in a dictionary; this is always a good idea.

With a password like that you could set the account lockout to like 50 and lock it for less time, and probably never have a problem.

Another good idea is to look through your security settings: change "everyone" to "authenticated users".

What type of incoming connections do you need? Do people need to log in remotely?

If you use Remote Desktop to log in, may I suggest locking down all connections except for one PC. At that location set up restrictions to all but 1 login (if lots of users use Remote Desktop to get in, this will not fit your needs).

Also, if you are using 2000 Adv Server, why not dcpromo?
Remote Desktop is port 3389, by the way. Get some router logs, and see what port the users are logging in on.
Rich Rumble (Security Samurai) commented:
First, there are a ton of details we'll need, but I'll try to be general.
Now you asked how he's getting your usernames: easily. Many, many tools are out there for this; one of the first was (well, it worked the best) userdump. An even easier way, and one built into Windows, is the management console. Right-click My Computer, go to Manage, then right-click "Computer Management (Local)", then "Connect to another computer..." and enter the IP or name in the line... tada! If you're not locked down, or missing certain Windows patches... you can list them all right there. Sometimes you have to create a session first, but that's easy; the scanning tools today do that for you. I recommend you scan yourself with GFI LANguard Network Scanner. It's free for 30 days and will tell you most everything that this person is able to see. That way you'll know where to start fixing.

You need a firewall. I recommend ZoneAlarm for a software solution (the cheapest from my suggestions) and a Cisco PIX hardware firewall, and almost equal to the PIX, a Linux box; it doesn't have to be very special, a 333 P3 with 256 MB RAM would be more than enough for a dedicated FW. You also need antivirus software; Norton and McAfee are great products. If they do get in and install trojan software, then you may never know without AV! With a firewall, you can allow ONLY the known good users and deny everything else. The way you know them is by IP address. ZoneAlarm will do an excellent job for you in this case. It's easy to use, you practically click everything... it does take some initial work when it's first set up, but all firewalls do. ZoneAlarm can also deny access to applications; it's very useful, please explore it.

Failing you being able, or willing, to obtain a firewall solution, then you need to restrict anonymous sessions.
Please read that thoroughly; it's very well said. RestrictAnonymous 2 might break your ability to connect, so please test.

One of your built-in friends in Windows 2000/XP is the Security Policy snap-in. On the run line type:
Expand Local Policies
                   highlight "Security options"
Restrict anonymous is the first setting; right-click it, Policy, and in the drop-down select "Do not allow enumeration of SAM accounts and shares". This is RestrictAnonymous 1 (2 is no access without explicit...). BTW, some tools can bypass RestrictAnonymous 1, so experiment with 2.
You may also want to enable "Do not display last user name in logon screen"; I think it's the 15th or 16th one... (I assume people are Terminal Servicing into this box, another detail we need ;)
Also read this (Prevent Windows from Storing a LAN Manager hash; a weak, weak hash).

You can change the Terminal Services port; HOWEVER, you will have to change a setting on each person's PC that you want to allow in to the TS server.
Read this: (I do recommend trying it, but if you have someone new come along that needs to connect, be sure you remember to do this for them ;)

Now, Windows password hashes suck; I can crack them faster than *nix, BSD, DES, 3DES etc... The algorithm is 20 years old, created by IBM; then in like '98 M$ modified it to be case sensitive, and even that is weak. A dictionary attack is a sure bet for most people, and Purdue's FTP server has some great lists. John the Ripper is the fastest at LanMan and NTLM; L0phtCrack is a Windows-only application, it hasn't been ported to another OS, and Windows is slow. Obtaining the SAM database is also pretty easy, especially if your users have ADMIN privs on that server. If this guy gets in to one account, then uses Pwdump3e.exe, he'll have the database with all your users in it, along with names. Never give users ADMIN unless they need it. Have them use RUNAS and let them know of an account with admin privs. Read run-as (you can also highlight an icon and hold Shift, then right-click the icon on your desktop to do this).

Security isn't a program, it's a process.... never ever stop saying this :)
I recommend you read the Hacking Exposed series of books. Whew, that's a lot of typing.... good luck... Google will help you out if my instructions aren't detailed enough...

In summary:
Scan yourself,
apply the patches you need,
get a firewall, at the very least an antivirus solution.

Look into this thread for the strongest passwords (I agree with Neosporin): Alt+255 (users however are not that bright, so not recommended; read carefully and test for yourself, Alt+255 can't be passed by very many apps).

wow... GL!


Rich Rumble (Security Samurai) commented:
Jesus, forgot a very important one... restrict the registry: go to Services, stop the "Remote Registry Service" and then set it to Disabled... very important.
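An added audit script, not from the thread or any of its participants, that checks the registry-backed settings recommended in the two answers above against a REGEDIT 5 `.reg` export: RestrictAnonymous under Lsa, the Remote Registry service start type, DontDisplayLastUserName, and the NoLMHash DWORD. The export text is constructed for the example with deliberately weak values so the audit has something to report; the NoLMHash check assumes the Windows XP/2003 DWORD form (on Windows 2000 it is a subkey under Lsa, which this script does not check).

```python
import re

# Constructed REGEDIT 5 export (not from a real machine); exported with
# "reg export <key> file.reg" on a real host. Values are deliberately weak.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DontDisplayLastUserName"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the DWORD values of a REGEDIT 5 export into {KEY (upper-cased): {name: int}}.

    String and binary values are ignored; every check below is a DWORD.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").upper()
            tree.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            tree[current][m.group("name")] = int(m.group("hex"), 16)
    return tree


LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
REMOTE_REGISTRY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry"
LOGON_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name, predicate on the DWORD, what the answers above ask for)
CHECKS = [
    (LSA, "RestrictAnonymous", lambda v: v >= 1,
     "1 or 2: block anonymous enumeration of SAM accounts and shares"),
    (LSA, "NoLMHash", lambda v: v == 1,
     "1: stop storing the LAN Manager hash (XP/2003 DWORD form; assumption for Win2k)"),
    (REMOTE_REGISTRY, "Start", lambda v: v == 4,
     "4: Remote Registry service disabled (2 = automatic, 3 = manual)"),
    (LOGON_POLICY, "DontDisplayLastUserName", lambda v: v == 1,
     "1: do not display last user name in logon screen"),
]


def audit(tree):
    """Return one finding per check that is missing or not at the recommended value."""
    findings = []
    for key, name, is_ok, expected in CHECKS:
        actual = tree.get(key.upper(), {}).get(name)
        if actual is None or not is_ok(actual):
            findings.append({"key": key, "value": name, "actual": actual, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_REG)):
        state = "missing" if f["actual"] is None else f"set to {f['actual']}"
        print(f"{f['key']}\\{f['value']}: {state}; want {f['expected']}")
```

A missing value is reported as a finding rather than silently passed, because for RestrictAnonymous and NoLMHash the absence of the value means the default (permissive) behaviour is in force.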