Preventing Unauthorized Users from logging in.

Discussion in 'Legacy Windows' started by ron, 2003/01/06.

Thread Status:
Not open for further replies.
  1. 2003/01/06
    ron

    We are using a local server running NT 4.0 which is attached to a corporate data center. There are similar remote servers at other locations. There are isolated cases where a user at one of these other locations signs on through the data center but is assigned our server along with their own.

    In these cases, our system slows down to a crawl and in some cases our application programs, which reside on our local server, freeze up. The only way we can recover is to go to the server and disconnect the intruder.

    Is there a way that we can filter these users and either prevent them from logging on to our system or at least disconnect them immediately once they are detected by NT as being logged in? :rolleyes:
     
    ron,
    #1
  2. 2003/01/06
    Newt

    If they were truly "unauthorized" they probably wouldn't be connecting. So maybe a wrong setting somewhere.

    Need some detail though about the way your network is structured. And these answers will lead to more questions but hopefully not too many.

    - Domain(s)? If yes, is the server in question a domain controller?
    - Subnetted (with routers and such to connect the subnets)? If yes, are the problem users on a different subnet?
    - WINS?
    - DHCP?
     
    Newt,
    #2

  4. 2003/01/07
    ron

    Answers to questions re: unauthorized logons.

    In answer to your questions:
    Yes. We are a domain server.
    Yes. We are subnetted and the problem users are on a different subnet.
    Our server is on NT 4.0 and our clients are using WIN98.
    We are using DHCP.

    One additional note: I notice that the event log shows a logon for a corporate administrator every hour, day and night, for just a few minutes before logoff. If they are using a canned monitoring system, could this be allowing the other users a threshold in which to inadvertently sign on through our domain? The unauthorized sign-ons seem to take place about every hour also.
     
    ron,
    #3
  5. 2003/01/07
    Newt

    Can you associate a username with the intruder? The timing does seem suspicious but I'd be more inclined to suspect the corp. admin folk are connecting something rather than a sneak thru.

    Possible they could have some sort of sniffer connecting and it isn't configured properly so disrupts your network. Or possibly a problem with a router choking on the traffic.

    Have you asked those folks what exactly they are doing - after explaining the bad effects on your system?

    And as a general "good practice", if you have any spare resources it would be best to migrate all apps off the domain controller. Or if it happens to be a power box with plenty of resources, to set up a minimum PC as your domain controller. They really don't have to work very hard and hardware that isn't up to anything demanding can do the job nicely.
     
    Newt,
    #4
  6. 2003/01/08
    ron

    Yes. One intruder is quite innocent. She is only trying to sign on to her own domain. Corporate IT tells me that she probably was using her browser and found us one day when she was signing on. Once this route was established, Windows uses it each time the user signs on.

    The other intruder uses a non-standard user ID, which I cannot identify. IT tells me that they do not know who it is and that I shouldn't worry. This leads me to believe that this is a result of a mis-configured "sniffer".

    This is why I would like to find a way to "auto-disconnect" anyone who is not in our user group. Can this be done within NT?
    Migrating all apps to another box has a lot of merit. Thanks for the suggestion.
     
    ron,
    #5
  7. 2003/01/08
    Newt

    ron - the only thing I could think of would be to structure things so that you were a separate domain and then establish the trust relationships so that you were trusted by the main domain (so your user accounts would work fine there) but did not trust them so theirs couldn't get to your domain.

    And that isn't really an "auto-disconnect".

    Afraid I'm otherwise out of ideas. Been hoping Bursley would take a pass thru and comment here since he is much more up on the esoteric stuff than I am. There may well be something but if so, nothing I've ever run across.
     
    Newt,
    #6
  8. 2003/01/09
    ron

    Newt,

    We probably will do this with the new box that we offload all the apps to. Ironically, this was the setup we had before becoming part of the corporate infrastructure.
    In order to join the club, we had to give up the luxury of being a stand-alone "true" server and became just a node (slave?) to the corporate server. As such we have to adhere to their trust relationship, which allows them to look and feel as they wish, but prevents us from setting our own trust relationships.

    Corporate policy prevents me from even buying and installing my own firewall without their permission. However, it says nothing about me writing my own Visual Basic routine to identify non-authorized users and disconnect them. All I need is a hook in NT to grab. Has anyone done this? If I can do this, it is no different than actually going onto our server every time it slows down and disconnecting the culprits manually. (Except, I am not wasting my time anymore.)

    Thanks again for all your help.
     
    ron,
    #7
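
Added example (not from any poster in this thread): the allowlist check that post #7 describes, written in Python rather than Visual Basic and applied to `net session` output. The sample output, the user names and the exempt monitoring account are constructed assumptions; the code only builds the `net session \\computer /delete` commands an administrator would otherwise type by hand on the server.

```python
import re

# Constructed `net session` output (fixed-width columns); all names are hypothetical.
SAMPLE = r"""
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\PLANT1-PC07          jsmith               Windows 4.0           3 00:02:10
\\REMOTE-PC22          mjones               Windows 4.0           1 00:00:45
\\DC-MONITOR           CORPADMIN            Windows NT 1381       0 00:01:02
\\REMOTE-PC31                               Windows 4.0           2 00:00:05

The command completed successfully.
"""

ALLOWED_USERS = {"jsmith", "bwhite"}  # assumed members of the local user group
EXEMPT_USERS = {"corpadmin"}          # assumed monitoring account, left connected
NETBIOS_NAME = re.compile(r"\\\\[A-Za-z0-9._-]{1,15}")

def parse_sessions(text):
    """Return (computer, user) pairs; the user is '' for an anonymous session."""
    lines = text.splitlines()
    header = next((l for l in lines if l.startswith("Computer")), None)
    if header is None:  # e.g. "There are no entries in the list."
        return []
    u0, c0 = header.index("User name"), header.index("Client Type")
    return [(l[:u0].strip(), l[u0:c0].strip()) for l in lines if l.startswith("\\\\")]

def plan_disconnects(text, allowed=ALLOWED_USERS, exempt=EXEMPT_USERS):
    """Build one disconnect command per client computer not covered by the lists."""
    keep = {u.lower() for u in allowed | exempt}
    commands = []
    for computer, user in parse_sessions(text):
        if user.lower() in keep:
            continue
        # The name goes into a command line, so reject anything unexpected.
        if not NETBIOS_NAME.fullmatch(computer):
            continue
        # /delete ends every session from that computer, not one user's.
        commands.append(f"net session {computer} /delete")
    return commands

if __name__ == "__main__":
    for command in plan_disconnects(SAMPLE):
        print(command)  # dry run: review before running on the server
```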