Domain Controllers Experiencing Heavy Network Load From Almost All Machines In the Domain
We are experiencing frequent and high-bandwidth connections from almost every machine in our environment with no recognizable pattern.
We transferred ~110GB to/from our main domain controllers (10.223.3.35 and 10.223.3.14) over the past 24 hours over port 445.
We recently made the following changes in our environment: (however these changes were made about 7 days after the network issues first occurred)
Digitally encrypt or sign secure channel data (always) – Enabled
Digitally encrypt secure channel data (when possible) – Enabled
Digitally sign secure channel data (when possible) – Enabled
Disable machine account password changes – DISABLED
Maximum machine account password age – 30
Require strong (Windows 2000 or later) session key – Enabled
Send unencrypted password to connect to third-party SMB servers – DISABLED
Allow anonymous SID/name translation – DISABLED
Do not allow anonymous enumeration of SAM accounts – Enabled
Do not allow anonymous enumeration of SAM accounts and shares – Enabled
Restrict anonymous access to Named Pipes and Shares – Enabled
Allow LocalSystem NULL session fallback – Disabled
Do not store LAN Manager hash value on next password change – Enabled
LAN Manager authentication level - Send NTLMv2 response only\refuse LM & NTLM
LDAP client signing requirements - Negotiate Signing
Minimum session security for NTLM SSP based (including secure RPC) clients - Require NTLMv2 session security, Require 128bit encryption
Minimum session security for NTLM SSP based (including secure RPC) servers - Require NTLMv2 session security, Require 128bit encryption
Snort is coming back with this type of log frequently: 07/01-20:01:41.953634 [**] [1:3276:2] NETBIOS DCERPC IActivation little endian bind attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} redactedIP:55424 -> 10.223.3.35:135
Event viewer seems to be logging an obscene number of security events but none of them seem to stand out. Disk utilization in resource monitor can sit around 100MB/s and network is sometimes uploading 150mbps or higher for seemingly no good reason. There is no identifiable, intentional major data transfer from any of the problematic machines.
Any insight that anyone can provide is much appreciated!
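The policy list above is the GPO view; what actually governs Netlogon, SMB and NTLM behaviour on each DC is the registry value each policy writes. The following is an added example (not from the original post) that reads those values on the local machine and reports any that do not match the settings listed. The registry paths and expected values are the standard ones documented for these policies; "Allow anonymous SID/name translation" is omitted because it is stored in the LSA policy database rather than a plain registry value. The NTLM minimum-session-security value 0x20080000 is NTLMv2 session security (0x00080000) plus 128-bit encryption (0x20000000).

```powershell
# Added example: verify that the hardening policies from the post actually
# landed on this DC. Run elevated on each DC (or via Invoke-Command).
# Registry locations/expected values are the standard ones for these policies.

$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LanmanWs = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$LanmanSv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ldap     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

# Policy name -> (registry key, value name, expected value), mirroring the post.
$expected = @(
    @{ Policy='Digitally encrypt or sign secure channel data (always)';      Key=$Netlogon; Name='RequireSignOrSeal';        Want=1 }
    @{ Policy='Digitally encrypt secure channel data (when possible)';       Key=$Netlogon; Name='SealSecureChannel';        Want=1 }
    @{ Policy='Digitally sign secure channel data (when possible)';          Key=$Netlogon; Name='SignSecureChannel';        Want=1 }
    @{ Policy='Disable machine account password changes';                    Key=$Netlogon; Name='DisablePasswordChange';    Want=0 }
    @{ Policy='Maximum machine account password age';                        Key=$Netlogon; Name='MaximumPasswordAge';       Want=30 }
    @{ Policy='Require strong (Windows 2000 or later) session key';          Key=$Netlogon; Name='RequireStrongKey';         Want=1 }
    @{ Policy='Send unencrypted password to third-party SMB servers';        Key=$LanmanWs; Name='EnablePlainTextPassword';  Want=0 }
    @{ Policy='Do not allow anonymous enumeration of SAM accounts';          Key=$Lsa;      Name='RestrictAnonymousSAM';     Want=1 }
    @{ Policy='Do not allow anonymous enumeration of SAM accounts/shares';   Key=$Lsa;      Name='RestrictAnonymous';        Want=1 }
    @{ Policy='Restrict anonymous access to Named Pipes and Shares';         Key=$LanmanSv; Name='RestrictNullSessAccess';   Want=1 }
    @{ Policy='Allow LocalSystem NULL session fallback';                     Key=$Msv;      Name='allownullsessionfallback'; Want=0 }
    @{ Policy='Do not store LAN Manager hash value on next password change'; Key=$Lsa;      Name='NoLMHash';                 Want=1 }
    @{ Policy='LAN Manager authentication level (NTLMv2 only, refuse LM/NTLM)'; Key=$Lsa;   Name='LmCompatibilityLevel';     Want=5 }
    @{ Policy='LDAP client signing requirements (Negotiate signing)';        Key=$Ldap;     Name='LDAPClientIntegrity';      Want=1 }
    @{ Policy='Min session security for NTLM SSP clients';                   Key=$Msv;      Name='NtlmMinClientSec';         Want=0x20080000 }
    @{ Policy='Min session security for NTLM SSP servers';                   Key=$Msv;      Name='NtlmMinServerSec';         Want=0x20080000 }
)

$report = foreach ($e in $expected) {
    # A missing value means the policy was never applied (OS default is in effect).
    $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Policy   = $e.Policy
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Ok       = ($null -ne $actual -and [int64]$actual -eq [int64]$e.Want)
    }
}

$report | Format-Table -AutoSize
# Exit non-zero if anything drifted, so this can run from a scheduled task.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```

Note that the machine account password age (30 days) and the "disable machine account password changes" setting control how often every domain member renegotiates its secure channel; on their own they do not generate sustained SMB traffic, which is consistent with the post's observation that the load predates these changes.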
TCP 445 is SMB, i.e. Windows file sharing.
You should monitor the SMB activity on your DCs; you can do that graphically from the Computer Management MMC or via PowerShell using the various Get-SmbXYZ commands in SmbShare.
This could be a virus spreading through network shares; however, this is just a random guess and it could really be anything else.
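As an added example of the SMB monitoring suggested above (not code from the original answer), the script below runs on a DC and aggregates the SmbShare cmdlet output by client, so the 110 GB over port 445 can be attributed to specific machines, users and share paths. It also samples the SMB Server Shares performance counters and counts Security event 5140 (network share object accessed) per source IP, which is one way to make the "obscene number of security events" in the question useful. It assumes Windows Server 2012 or later (SmbShare module and SMB server counters present) and, for the 5140 section, that "Audit File Share" success auditing is enabled; the counter path name is the standard one but should be confirmed with Get-Counter -ListSet.

```powershell
# Added example: attribute SMB load on a domain controller to clients and paths.
# Run elevated on the DC itself (or wrap in Invoke-Command -ComputerName).
Import-Module SmbShare

# 1. Open SMB sessions, grouped by client: which machines hold the most
#    sessions and open files, and which users they are authenticating as.
$bySession = Get-SmbSession |
    Group-Object -Property ClientComputerName |
    ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Sessions  = $_.Count
            Users     = ($_.Group | Select-Object -ExpandProperty ClientUserName -Unique) -join ','
            OpenFiles = ($_.Group | Measure-Object -Property NumOpens -Sum).Sum
            Dialects  = ($_.Group | Select-Object -ExpandProperty Dialect -Unique) -join ','
        }
    } | Sort-Object -Property OpenFiles -Descending
"== Sessions by client =="
$bySession | Format-Table -AutoSize

# 2. Which share-relative paths are open right now, and by whom. Normal
#    domain members mostly touch SYSVOL/NETLOGON; a client crawling many
#    shares or user profile paths stands out here.
"== Open files by client and path (top 20) =="
Get-SmbOpenFile |
    Group-Object -Property ClientComputerName, ShareRelativePath |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name |
    Format-Table -AutoSize

# 3. Byte rate per share from the SMB Server Shares counter set, sampled three
#    times five seconds apart. Assumed counter path; check Get-Counter -ListSet 'SMB Server Shares'.
"== Data bytes/sec per share (3 samples) =="
Get-Counter -Counter '\SMB Server Shares(*)\Data Bytes/sec' -SampleInterval 5 -MaxSamples 3 |
    Select-Object -ExpandProperty CounterSamples |
    Where-Object { $_.InstanceName -ne '_total' } |
    Sort-Object -Property CookedValue -Descending |
    Select-Object -First 10 -Property Timestamp, InstanceName,
        @{ Name='BytesPerSec'; Expression={ [int64]$_.CookedValue } } |
    Format-Table -AutoSize

# 4. Security event 5140 over the last 24 hours, counted per source IP and
#    share. Requires "Audit File Share" (success) to be enabled on the DC.
"== Event 5140 share access by source IP (last 24 h, top 20) =="
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Ip    = $data['IpAddress']
            Share = $data['ShareName']
            User  = $data['SubjectUserName']
        }
    } |
    Group-Object -Property Ip, Share |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name |
    Format-Table -AutoSize
```

Sections 1 and 2 are point-in-time snapshots, so run them a few times while the load is high; sections 3 and 4 give a rate and a 24-hour history respectively. If the top clients are reading the same large files from a non-SYSVOL share, look at what process on those clients holds the file open; if many clients each touch many different paths briefly, that is the pattern the answer's "virus spreading through network shares" guess would produce, and the client list is where to start the investigation.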