This has been a long week. We finally made the RestrictAnonymous=1 setting this weekend to combat what looked like "Gaobot" infections locking out thousands of accounts. Gave the PDCe a good run for the money with all the lock/unlock activity going on.
The odd thing is, shortly after we put the settings in place and bounced all the domain controllers, it still happened. The bottom line being, a two fold situation. One, an infection of sdbot, causing lockouts... the other we discovered on a sniff of one of the DCs showing ridiculously high # of packets originating from one machine. Finally in the clear for now... Problem is, any script written to enumerate objects w/ a normal or logged-on user account and attempt a dictionary list of passwords is going to cause this same problem. Any of you guys have lockout policies in place... and if so... what steps have you taken to mitigate these lockout storms? Thanks! Marcus
<<attachment: winmail.dat>>
