Laura,

I would suggest you look at the following security policy options to
determine if they are being applied to your infrastructure.  

A couple of notes about this statement....

These settings are typically not being configured via GPO, so
you will have to look at the local computer policy on each of the domain
controllers to determine the configuration.  W2K and W2K3 have
different defaults for some of these settings so that may be the
difference you are seeing.

Of course be sure that these are appropriate (won't break anything) for
your environment before making any modifications.  For example, enabling
the first setting (below) may break the functionality of trust
relationships with any NT4 domains.

Network access: Allow anonymous SID/Name translation
(should be disabled)
Network access: Do not allow anonymous enumeration of SAM accounts
(should be enabled)
Network access: Do not allow anonymous enumeration of SAM accounts and shares
(should be enabled)
Network access: Let Everyone permissions apply to anonymous users
(should be disabled)
Network access: Restrict anonymous access to Named Pipes and Shares
(should be enabled)


As for why you are seeing the 529s on the 2000 DCs and not the 2003 DCs,
aside from the above, it is possible that the attackers got a list of
the 2000 DCs (via DNS) before you introduced the W2K3 server and
therefore are not aware that it exists.

It is also possible that the SAM enumeration that occurred, giving the
attacker his/her list of usernames, was not done from the outside.
Possibly a trojan (or something else) on the inside?

Regards,

Aric
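
[Added example, not part of Aric's message or of the original thread: one way to compare the five settings listed above across domain controllers is to run "secedit /export /cfg <file>" on each DC and check the exported file. The mapping from policy names to export keys is supplied here, not taken from the message, and the sample export is constructed.]

```python
# Added example: audit a `secedit /export` file against the five recommendations.
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
SRV = "machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\"

# Policy name from the message -> (export key, lower-cased; recommended value).
# The key mapping is an assumption added for this example.
RECOMMENDED = {
    "Allow anonymous SID/Name translation": ("lsaanonymousnamelookup", 0),
    "Do not allow anonymous enumeration of SAM accounts":
        (LSA + "restrictanonymoussam", 1),
    "Do not allow anonymous enumeration of SAM accounts and shares":
        (LSA + "restrictanonymous", 1),
    "Let Everyone permissions apply to anonymous users":
        (LSA + "everyoneincludesanonymous", 0),
    "Restrict anonymous access to Named Pipes and Shares":
        (SRV + "restrictnullsessaccess", 1),
}

# Constructed sample export from a hypothetical DC (two settings deviate).
SAMPLE_DC = r"""[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
"""

def parse_export(text):
    """Return {lower-cased key: int} from [System Access] and [Registry Values]."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section in ("system access", "registry values"):
            key, _, val = line.partition("=")
            val = val.strip()
            if section == "registry values":
                val = val.partition(",")[2]  # "4,1" -> type 4 (REG_DWORD), data "1"
            if val.lstrip("-").isdigit():
                values[key.strip().lower()] = int(val)
    return values

def audit(text):
    """Return [(policy, actual value or None if absent, recommended value)]."""
    have = parse_export(text)
    return [(name, have.get(key), want)
            for name, (key, want) in RECOMMENDED.items() if have.get(key) != want]
```

A value reported as None means the key was absent from the export, so the operating system default applies on that DC. Real export files are usually UTF-16, so read them with encoding="utf-16" before passing the text to audit().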

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 07, 2004 12:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows Server 2003 Security Weirdness

Network trace to find the culprit.  Sounds like a scheduled task,
doesn't it?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, October 07, 2004 3:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows Server 2003 Security Weirdness

Awww....fudge.  It figures as soon as I post "Sure, everything's fine",
I start getting hammered again.

*sigh*  Any other ideas while I go dig through nslookup on my DNS
servers?

- Laura 

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/