I haven't seen anything that locked out normal user accounts; I have seen MUMU, which locked out local admin IDs. I would expect this new one you describe is probably doing the same as well.

Our solution was to start smacking people using local admin IDs, because they weren't supposed to be anyway. They were all supposed to use domain accounts, and the only IDs that would be local IDs and admin on the machines holding the IDs are the domain admins, which is my group, and that only affects three people instead of thousands.

Note that disabling anonymous enumeration on domain controllers can have some interesting effects that you should watch for. For instance, if you want to populate an ACL or group on a machine and you aren't logged into the machine with a domain ID, it won't be able to directly enumerate users and groups for the domain, and you can either be presented with an authentication box to authenticate as a domain user or it may just fail outright.

joe

> _____________________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
> Sent: Sunday, November 02, 2003 12:21 PM
> To: [EMAIL PROTECTED]
>
> This has been a long week. We finally made the RestrictAnonymous=1 setting this weekend to combat what looked like "Gaobot" infections locking out thousands of accounts. Gave the PDCe a good run for the money with all the lock/unlock activity going on.
>
> The odd thing is, shortly after we put the settings in place and bounced all the domain controllers, it still happened. The bottom line being a twofold situation. One, an infection of sdbot, causing lockouts... the other we discovered on a sniff of one of the DCs showing a ridiculously high number of packets originating from one machine. Finally in the clear for now...
>
> Problem is, any script written to enumerate objects w/ a normal or logged-on user account and attempt a dictionary list of passwords is going to cause this same problem. Any of you guys have lockout policies in place... and if so... what steps have you taken to mitigate these lockout storms?
>
> Thanks!
>
> Marcus
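For anyone arriving at this thread with the same lockout-storm problem, here is an added PowerShell example (not code from joe, Marcus, or the original list) showing the two checks a domain admin would actually run: confirming the RestrictAnonymous setting on the LSA key, and pulling the lockout events off the PDC emulator to find which machine is sending the bad passwords. It assumes a Windows Server 2008 or later domain (lockouts are event ID 4740 there; the 2003-era equivalent was 644), the RSAT ActiveDirectory module, and rights to read the PDC emulator's Security log; the mapping of the "Caller Computer Name" field to TargetDomainName in the event XML is how that event is laid out on current Windows versions.

```powershell
# Added example; not code from the original thread. Assumes a Windows Server
# 2008+ domain (event ID 4740; the 2003-era equivalent was 644), the RSAT
# ActiveDirectory module, and rights to read the PDC emulator's Security log.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Show the anonymous-enumeration settings the thread talks about.
#    RestrictAnonymous=1 blocks anonymous enumeration of accounts and shares
#    (the value Marcus applied); RestrictAnonymousSAM=1 is the narrower
#    Windows 2000+ value that only blocks anonymous enumeration of SAM accounts.
Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue |
    Select-Object RestrictAnonymous, RestrictAnonymousSAM

# Apply it on a DC (needs admin; as the thread notes, the DCs were bounced
# afterwards). Uncomment to run:
# Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord

# 2. Work out where a lockout storm is coming from. Every lockout is recorded
#    on the PDC emulator as event 4740, and the event's "Caller Computer Name"
#    field (TargetDomainName in the event XML) names the machine that sent the
#    bad passwords, which is how you find the infected host.
$pdc = (Get-ADDomain).PDCEmulator

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $data['TargetUserName']
        Caller  = $data['TargetDomainName']   # "Caller Computer Name"
    }
}

"Lockouts on $pdc in the last 24h: $($lockouts.Count)"

# A handful of machines producing most of the lockouts is the signature of a
# bot running a dictionary attack against an enumerated account list.
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object -First 10 @{n='Lockouts'; e={$_.Count}}, @{n='CallerComputer'; e={$_.Name}}

# 3. Accounts that are still locked right now, and a bulk unlock to run once
#    the offending machine has been pulled off the network.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Search-ADAccount -LockedOut | Unlock-ADAccount
```

The grouping in step 2 is the part that matters: one or two caller computers accounting for hundreds of lockouts is the infected host Marcus found by sniffing the DC, and it is much faster to get from the event log than from a packet capture. If the caller field is empty or shows the DC itself, the bad passwords are arriving through a path that does not carry the client name (for example some LDAP binds), and you fall back to the bad-password events on the individual DCs.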
