2

My Windows Server 2008 Domain Controllers are getting hundreds of login attempts per minute. For the most part the IP addresses are not in the Event Log; however, the ones that do occasionally show up tend to be from an anonymous surfing site. However, when we block an IP address the attack just moves to a different site. All of the attempts are using legitimate account names. This is causing a high number of account lockouts. Can I configure Windows Firewall to deny IP addresses that aren't on my local network?

  • 3
wait, did I read this correctly - you have a DC on the internet without any kind of firewall blocking Windows auth/SMB-CIFS ports? – Zypher Jun 11 '09 at 00:49
  • Apparently the firewall is not configured correctly. What do I need to block to prevent outside login attempts? –  Jun 11 '09 at 14:39
  • Correctly? It sounds like your firewall is barely configured at all! I strongly suggest blocking everything by default then opening up the things you need. – Rob Moir Jun 15 '09 at 17:53

4 Answers

7

You should configure your perimeter firewall to not allow non-internal IPs to access your domain controllers (frankly they shouldn't access any systems on your internal IPs; they should go to a DMZ). If you're not getting IPs in the event logs you may want to capture packets and determine the source of these attacks.

David Yu
2

First thing I would do is disconnect your internet connection until you have got some security in place. At least this will stop your account lock-outs.

David's suggestion of blocking all access to internal IPs and then implementing a DMZ is probably the right way to proceed.

benPearce
0

I don't have a 2008 system to hand, but the XP firewall (and Server 2003 firewall) have an option to block access to non-local accounts. It will take some tuning, but it is there. You just have to turn it on. Depending on the complexity of your network you may need to specify a netblock rather than use the "local network" checkbox, otherwise your DC won't be able to talk to other DCs or log legitimate users in.

The fact that they have legitimate login names suggests you have an internet-facing surface where they were able to pull this data. Perhaps your Global Catalog ports are visible. With that, targeting an attack is much easier.

sysadmin1138
0

Go to your firewall policy on your domain controllers, and configure them to drop all traffic that is not coming from your internal network.

If you absolutely need some external traffic coming in (e.g. you are a small business and are running SBS or RRAS) then allow the ports they require on a case-by-case basis.

This page will get you started on configuring an appropriate firewall on your 2008 server:

http://technet.microsoft.com/en-us/network/bb531150.aspx

and if you want to jump right into the interface:

http://technet.microsoft.com/en-us/library/cc730971(WS.10).aspx (SF breaks the URL a bit)

Neobyte
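The lockdown Neobyte and sysadmin1138 describe (default-deny inbound on the DC's own firewall, with allow rules scoped to explicit netblocks rather than the "local network" checkbox), as an added example that is not from any of the answers above. It assumes 10.0.0.0/8 and 192.168.0.0/16 as the internal address space and a Server 2008 DC, where `netsh advfirewall` is the available tool (the `New-NetFirewallRule` cmdlet only arrived in Server 2012).

```powershell
# Added example, not from any answer on this page. The netblocks below are
# placeholders for your own internal address space. Run from an elevated
# prompt on the DC console (not over RDP), because a wrong remoteip here
# cuts off your own remote management.
$Internal = "10.0.0.0/8,192.168.0.0/16"

# 1. Default policy: drop every inbound packet that no rule explicitly allows.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Explicit inbound allow rules for the DC protocols, scoped to the internal
#    netblocks. Connections from any other source address hit the block policy,
#    so the password-guessing traffic never reaches the authentication services.
$Rules = @(
  @{Name="DC-Internal-TCP"; Proto="TCP"; Ports="53,88,135,389,445,464,636,3268,3269"}
  @{Name="DC-Internal-UDP"; Proto="UDP"; Ports="53,88,123,137,138,389,464"}
  # Dynamic RPC range used by Server 2008 (AD replication, Netlogon, ...)
  @{Name="DC-Internal-RPC"; Proto="TCP"; Ports="49152-65535"}
)
foreach ($r in $Rules) {
  # Remove a previous copy so re-running the script does not duplicate rules.
  netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
  netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
    protocol=$($r.Proto) localport=$($r.Ports) remoteip=$Internal profile=any
}

# 3. Restrict the pre-installed AD DS rule group to the same addresses, so the
#    rules the DC role added do not stay open to the whole Internet. Check the
#    exact group name with "show rule name=all" if it differs on your build.
netsh advfirewall firewall set rule group="Active Directory Domain Services" new remoteip=$Internal

# 4. Verify: no enabled inbound allow rule should report "RemoteIP: Any".
netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name|Enabled|RemoteIP"
```

After applying this, watch the Security log for a few minutes; the lockouts should stop, and any remaining 4625/4740 events point at the internal hosts (or the perimeter gap) still reaching the DC.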