Channel: Tech Support Guy - Windows 7

Windows 7 domain lockout from brute force hacker

Hello,

I've just joined the site because I have a problem that I can't figure out or I'm stuck. I'm also not sure if I should post this here or in the general security part.


We have a domain with a user who randomly locks out every couple of weeks or so. When it locks out, it keeps locking out for an hour or so and she has to call the helpdesk a couple of times to have her account unlocked. We are a school and unfortunately our network is wide open. If I need to close something, I need to do it on her computer. At first I thought it was something running on her computer that was causing the problem, but after checking through everything, I couldn't find anything cached, etc.
At that time the security log wasn't big enough, and by the time I got to her computer it had been overwritten for the time when the account locked. Now I finally got the security log and see that the source network address is not from our network. I traced it to China. It's always the same 2 IP addresses that try. They use different source ports. In the system log at the same time, terminal services is saying that a remote session from client name a exceeded the maximum allowed failed logon attempts. I've attached the system log and a couple of security logs. Always the same IP, but the source port does change.

On her firewall, I added a local rule for port 3389 to allow only our network. The rule from the GPO just opens that right up. I know, I know, it shouldn't be that way, but I have no power to change that.


So, I have a couple questions:
Does my local rule I created in the firewall merge with the rule from the GPO? I didn't see any rules about merging the changes together when I looked at the GPO (which I don't have editing rights to).
Can I somehow see where the attacker is trying to break in, using what services?

How can I secure this PC so that these attacks stop locking her account? I.e., do something on the computer's firewall to prevent it getting so far as being able to use this person's username and password?

Thank you for reading this post and for any help.

Attachments: securitylog.JPG, securitylog2.JPG, securitylog3.JPG, systemlog.JPG
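On the "can I see where the attacker is trying to break in, using what services" question: the Security log's failed-logon records (event 4625) already carry the answer in their Logon Type, Source Network Address and Source Port fields. The script below is an added example, not code from the original post or from Tech Support Guy; it parses a constructed text dump shaped like those records (the timestamps, account names, addresses and ports are invented), counts failures per source IP and logon type (type 10 is RemoteInteractive, i.e. Terminal Services/RDP, which is what the system-log message about exceeded logon attempts corresponds to; type 3 is a network logon such as a file share), lists the sources that fall outside an assumed trusted range of 10.0.0.0/8, and checks which accounts reach an assumed lockout policy of 5 failures within 30 minutes. Swap in your own ranges and policy values.

```python
"""Summarise Windows Security event 4625 (failed logon) records by source.
Constructed sample: the records mimic the fields of a 4625 message body;
the timestamps, account names, addresses and ports are invented."""
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Logon type codes as they appear in event 4625 (the two that matter here).
LOGON_TYPES = {"3": "Network (file share / RPC)",
               "10": "RemoteInteractive (Terminal Services / RDP)"}

SAMPLE_LOG = """\
2012-03-05 09:14:02 EventID=4625
  Account Name: jsmith   Logon Type: 10
  Source Network Address: 203.0.113.45   Source Port: 51023
2012-03-05 09:14:05 EventID=4625
  Account Name: jsmith   Logon Type: 10
  Source Network Address: 203.0.113.45   Source Port: 51031
2012-03-05 09:14:09 EventID=4625
  Account Name: jsmith   Logon Type: 10
  Source Network Address: 198.51.100.7   Source Port: 40211
2012-03-05 09:14:12 EventID=4625
  Account Name: jsmith   Logon Type: 10
  Source Network Address: 203.0.113.45   Source Port: 51044
2012-03-05 09:14:15 EventID=4625
  Account Name: jsmith   Logon Type: 10
  Source Network Address: 203.0.113.45   Source Port: 51058
2012-03-05 09:20:40 EventID=4625
  Account Name: bjones   Logon Type: 3
  Source Network Address: 10.1.2.9   Source Port: 49321
2012-03-05 10:02:11 EventID=4625
  Account Name: jsmith   Logon Type: 3
  Source Network Address: 10.1.2.3   Source Port: 49500
"""

# A record starts at a timestamp; the field patterns match the 4625 labels.
RECORD_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )", re.M)
FIELD = {"account": re.compile(r"Account Name:\s*(\S+)"),
         "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
         "src_ip": re.compile(r"Source Network Address:\s*(\S+)"),
         "src_port": re.compile(r"Source Port:\s*(\d+)")}

def parse_events(text):
    """One dict per 4625 record found in the text dump."""
    events = []
    for rec in RECORD_START.split(text):
        if "EventID=4625" not in rec:
            continue
        ev = {"time": datetime.strptime(rec[:19], "%Y-%m-%d %H:%M:%S")}
        for key, pat in FIELD.items():
            m = pat.search(rec)
            ev[key] = m.group(1) if m else None
        events.append(ev)
    return events

def summarize_by_source(events):
    """Failure count per (source IP, logon type): where from, via what service."""
    counts = Counter()
    for ev in events:
        kind = LOGON_TYPES.get(ev["logon_type"], "type " + str(ev["logon_type"]))
        counts[(ev["src_ip"], kind)] += 1
    return dict(counts)

def foreign_sources(events, trusted_nets):
    """Source IPs outside the trusted ranges (skips records with no address)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    foreign = set()
    for ev in events:
        try:
            ip = ipaddress.ip_address(ev["src_ip"])
        except ValueError:          # 4625 logs '-' when no address is known
            continue
        if not any(ip in n for n in nets):
            foreign.add(str(ip))
    return foreign

def accounts_at_risk(events, threshold, window_minutes):
    """Accounts whose failures inside one sliding window reach the lockout
    threshold; returns {account: (window start, count)} for the densest window."""
    window = timedelta(minutes=window_minutes)
    times = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        times.setdefault(ev["account"], []).append(ev["time"])
    flagged = {}
    for account, ts in times.items():
        for i, start in enumerate(ts):
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= threshold and n > flagged.get(account, ("", 0))[1]:
                flagged[account] = (start.isoformat(" "), n)
    return flagged

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (ip, kind), n in summarize_by_source(evs).items():
        print(f"{n:3d} failed logons from {ip:14s} via {kind}")
    print("off-network sources:", foreign_sources(evs, ["10.0.0.0/8"]))
    print("accounts near lockout:", accounts_at_risk(evs, 5, 30))
```

Run against a real dump, a burst of type-10 failures from one or two off-network addresses with changing source ports, all against one account, is the pattern described in the post; the per-account window count also tells you whether the attempts alone are enough to trip the domain lockout policy, which is what makes the local firewall scoping of 3389 the right mitigation on that machine.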
