I have Kiwi Syslogger setup to email me every failed attempt to authenticate through the VPN. It went from 2 or 3 a day from lusers to 2500 to 5000 a day and all accounts I don't have in AD and all originating from the VPN tunnel. So disabling the tunnel didn't work, had to remove the reference to the tunnel entirely. Now we are back to 2 or 3 a day.
From: Bob Fronk Sent: Thursday, February 18, 2010 9:25 AM To: NT System Admin Issues Subject: RE: CISCO VPN Client How did you discover this was happening? From: David W. McSpadden [mailto:[email protected]] Sent: Wednesday, February 17, 2010 1:30 PM To: NT System Admin Issues Subject: Re: CISCO VPN Client Ok. I am looking at that area under Remote VPN in Configuration and someone has my VPN Client info and they are trying a Brute Force Vocab attack to my AD's. So I have moved all my users to AnyConnect and I am ready to remove the VPN Client from the ASA or disable it... From: Jon Harris Sent: Wednesday, February 17, 2010 1:24 PM To: NT System Admin Issues Subject: Re: CISCO VPN Client Why are you getting rid of the VPN client? You don't remove it you disable it on the ASA. Just make sure all the rules are correct for the ASA first. Jon On Wed, Feb 17, 2010 at 1:13 PM, David W. McSpadden <[email protected]> wrote: Actually on the ASA. I think I have it found now but I am still testing. From: Jon Harris Sent: Wednesday, February 17, 2010 12:10 PM To: NT System Admin Issues Subject: Re: CISCO VPN Client Remove it is the best, they install into the same root directory under Program Files but have separate directories under that. They are separate programs as Microsoft sees them. Jon On Wed, Feb 17, 2010 at 8:07 AM, David W. McSpadden <[email protected]> wrote: Anyone point me on how to Disable the old CISCO VPN Client and leave the AnyConnect still enabled? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
