I thought this went away with SP5... they changed something in their call...?

_____________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Sunday, November 02, 2003 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RestrictAnonymous Settings

Keep in mind that with the RestrictAnonymous value set, SMS will not be able
to detect the OS of discovered computers.

_____________________________________________ 
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Marcus Oh
Sent:   Sunday, November 02, 2003 12:21 PM
To:     [EMAIL PROTECTED]
Subject:        [ActiveDir] RestrictAnonymous Settings

This has been a long week.  We finally made the RestrictAnonymous=1 setting
this weekend to combat what looked like "Gaobot" infections locking out
thousands of accounts.  Gave the PDCe a good run for the money with all the
lock/unlock activity going on.

The odd thing is, shortly after we put the settings in place and bounced all
the domain controllers, it still happened.  The bottom line being, a twofold
situation.  One, an infection of sdbot, causing lockouts... the other
we discovered on a sniff of one of the DCs showing ridiculously high # of
packets originating from one machine.  Finally in the clear for now...

Problem is, any script written to enumerate objects w/ a normal or logged-on
user account and attempt a dictionary list of passwords is going to cause
this same problem.  Any of you guys have lockout policies in place... and if
so... what steps have you taken to mitigate these lockout storms?

Thanks!

Marcus
