I have a Windows 2003 domain controller that has ports 135-139 open on the internet. Not my choice, and unfortunately we cannot close those ports off. We are working through a project to close them off, but we cannot just flip the switch as of this moment.

My main problem is that somehow people are enumerating valid domain user accounts from this DC. I have ensured that RestrictAnonymous is set to 2; however, when I hit it with Cain I am able to enumerate AD groups, but not AD users, either by the SID scanner or any other way.

Yet still somehow people are getting the users, because I keep getting people trying to run password crackers against my DC with valid accounts. It doesn't cause much of a problem, except a HUGE headache for locked accounts. I have an alert set up to email me whenever the event logs start to fill with these so I can just block the IP on my firewall. However, when they do this overnight and I walk into 9900 attempts (emails), the phones have already started ringing with lots and lots and lots of locked accounts.

Any ideas would be great. Thanks.
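The alerting problem the poster describes (one email per failed logon, thousands by morning) is easier to live with if the log is aggregated per source address before anything is sent. The script below is an added example, not code from the original post: it parses a constructed, comma-separated export of Security-log entries, counts failed logons per source IP inside a sliding time window, and produces one summary line per offending source instead of one per event. The field layout (timestamp, event ID, account, source IP) is an assumption for the example; the event IDs 529 (logon failure, bad user name or password) and 644 (user account locked out) are the classic Windows Server 2003 IDs, which the post itself does not name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Security-log export (not real data). One event per
# line: "<timestamp>,<event id>,<account>,<source ip>". Layout is an assumption
# for this example; 529 and 644 are the pre-Vista Windows event IDs for a failed
# logon and an account lockout.
SAMPLE_EXPORT = """\
2008-03-02 01:00:01,529,jsmith,203.0.113.10
2008-03-02 01:00:02,529,jsmith,203.0.113.10
2008-03-02 01:00:03,529,mjones,203.0.113.10
2008-03-02 01:00:04,644,jsmith,203.0.113.10
2008-03-02 01:00:05,529,bwhite,203.0.113.10
2008-03-02 01:00:06,529,bwhite,203.0.113.10
2008-03-02 08:15:00,529,asmith,198.51.100.7
2008-03-02 08:30:00,529,asmith,198.51.100.7
"""

FAILED_LOGON = 529      # Windows 2003: logon failure, unknown user or bad password
ACCOUNT_LOCKED = 644    # Windows 2003: user account locked out


def parse_events(text):
    """Turn the export into (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, ip))
    return events


def offending_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return a per-IP summary for every source whose failed-logon count inside
    any `window`-long span reaches `threshold` (sliding window per source)."""
    by_ip = defaultdict(list)
    for ts, eid, account, ip in events:
        by_ip[ip].append((ts, eid, account))

    result = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, acct) for ts, eid, acct in evs if eid == FAILED_LOGON]
        lockouts = sum(1 for _, eid, _ in evs if eid == ACCOUNT_LOCKED)

        # Sliding window over the sorted failure timestamps: `start` advances
        # until the span fits inside `window`, and we remember the widest span.
        start = 0
        peak = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)

        if peak >= threshold:
            result[ip] = {
                "failures": len(failures),
                "peak_in_window": peak,
                "accounts": sorted({acct for _, acct in failures}),
                "lockouts": lockouts,
            }
    return result


def alert_lines(summary):
    """One human-readable line per offending source: the body of a single
    digest email rather than one email per event."""
    return [
        f"{ip}: {s['failures']} failed logons ({s['peak_in_window']} in window), "
        f"{s['lockouts']} lockouts, accounts: {', '.join(s['accounts'])}"
        for ip, s in sorted(summary.items())
    ]


def summarize(text, threshold=5, window=timedelta(minutes=10)):
    return offending_sources(parse_events(text), threshold, window)


if __name__ == "__main__":
    for line in alert_lines(summarize(SAMPLE_EXPORT)):
        print(line)
```

With the sample data only 203.0.113.10 crosses the threshold; the second source spreads two failures over fifteen minutes and stays below it, which is the point of the window: a burst of failures against several accounts from one address is the pattern worth paging on, and the digest gives the firewall block one address per line rather than one per event.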