Block clients from accessing domain controllers

Rob McShinsky

I am looking for a quick and dirty way to block identified clients both
inside and outside the domain from making logon attempts to the domain
controller. We have had some internal problems with a variant of the Gaobot
virus which tries feverishly to use its list of usernames and passwords against
the domain controller. We have seen upwards of 200000 failed logon attempts
in 15 minutes. This is causing a type of denial of service situation where
the domain controllers at our main site are getting loaded so much that
logon requests are being sent to DCs at different AD sites across slower
links. Any thoughts would be helpful.

Rob McShinsky

Steve Parry

Rob McShinsky said:
I am looking for a quick and dirty way to block identified clients both
inside and outside the domain from making logon attempts to the domain
controller. We have had some internal problems with a variant of the Gaobot
virus which tries feverishly to use its list of usernames and passwords against
the domain controller. We have seen upwards of 200000 failed logon attempts
in 15 minutes. This is causing a type of denial of service situation where
the domain controllers at our main site are getting loaded so much that
logon requests are being sent to DCs at different AD sites across slower
links. Any thoughts would be helpful.

Rob McShinsky

If you've identified the clients can you not just pull their network cable
and fix them or have I missed something?

Rob McShinsky

Yes there is something missing. We have 6000 desktops/laptops and our team
does not manage the network or at times are not the admins for the machines.
The time it takes to disconnect a port at a remote site while there are 30
or 40 other machines hammering away is often too long. I want to be able to
stop the machine in the interim.

Steve Parry

Rob McShinsky said:
Yes there is something missing. We have 6000 desktops/laptops and our team
does not manage the network or at times are not the admins for the machines.
The time it takes to disconnect a port at a remote site while there are 30
or 40 other machines hammering away is often too long. I want to be able to
stop the machine in the interim.

Would it be possible to remove the machine account from the domain/directory
until the machine is fixed?

Rob McShinsky

Unfortunately with this latest virus it is domain independent. As soon as
it finds a source, it looks to hammer away. It is purely a network attack.

Steven L Umbach

I don't know of a way to block users but you could use ipsec filtering to block
computers based on IP addresses/subnets kind of like a firewall. You could start with
a mirrored block all IP rule and then add the allowed IP addresses/subnets or try a
rule with a filter set with blocked IP addresses/subnets. You would do this on the
Local Security Policy of the domain controller. Another way would be to segment
computers into OUs and apply a policy to them at that OU level that would block
access to specific domain controllers based on their IP addresses. Any ipsec policy
assigned via Local Security Policy takes effect almost immediately, but any policy
applied at an OU level would require a reboot for the machine or a policy refresh
either scheduled or via secedit refresh command. See the link below for more help on
ipsec filtering. --- Steve

http://www.securityfocus.com/infocus/1559
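Added illustration of the approach Steve describes, not code from anyone in the thread: a script that counts failed logons per source address over a sliding 15-minute window (the kind of burst Rob reports) and emits the netsh ipsec static commands that would build a block filter list on the DC's Local Security Policy. The log format and the addresses are constructed for the example, the threshold is illustrative, and the netsh lines are returned as text for an admin to review rather than executed.

```python
"""Rank failed-logon sources and draft the DC-side IPsec block commands."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "date time source_ip account_tried", one failure per line.
SAMPLE_LOG = """\
2004-05-10 09:00:01 10.20.30.40 administrator
2004-05-10 09:00:01 10.20.30.40 admin
2004-05-10 09:00:02 10.20.30.40 backup
2004-05-10 09:00:02 10.20.30.41 jsmith
2004-05-10 09:00:03 10.20.30.40 root
2004-05-10 09:30:00 10.20.30.40 guest
"""

def parse(text):
    """Yield (timestamp, source_ip, account) tuples from the constructed format."""
    for line in text.splitlines():
        date, clock, src, account = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), src, account

def offenders(text, window=timedelta(minutes=15), threshold=3):
    """Return {source_ip: peak failures} for sources that hit the threshold
    inside any sliding window; a single stray failure never qualifies."""
    times_by_src = defaultdict(list)
    for ts, src, _ in parse(text):
        times_by_src[src].append(ts)
    peaks = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def netsh_block_commands(ips, policy="BlockScanners", filterlist="BadHosts"):
    """Draft netsh ipsec static commands (Windows Server 2003 syntax) that block
    the given sources at the DC; mirrored=yes also drops the reply direction."""
    cmds = [
        f'netsh ipsec static add policy name={policy} description="Block brute-force sources"',
        f"netsh ipsec static add filterlist name={filterlist}",
        "netsh ipsec static add filteraction name=BlockAll action=block",
    ]
    for ip in sorted(ips):
        cmds.append(f"netsh ipsec static add filter filterlist={filterlist} "
                    f"srcaddr={ip} srcmask=255.255.255.255 dstaddr=Me protocol=ANY mirrored=yes")
    cmds.append(f"netsh ipsec static add rule name=BlockRule policy={policy} "
                f"filterlist={filterlist} filteraction=BlockAll")
    cmds.append(f"netsh ipsec static set policy name={policy} assign=y")
    return cmds
```

Unassigning the policy later (`assign=n`) lifts the block once the machine is cleaned.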