Re: User accounts are being locked out

From: Glenn L (the.only_at_gmail.com)
Date: 10/23/04


Date: Sat, 23 Oct 2004 01:32:13 -0700

This is totally a virus attempting to guess passwords.
You need to identify these machines and remove them from the network and
clean them.
Finding them isn't always easy.
Some spoof the machine name. Some even spoof the IP address.
I think your best bet is to get Network Monitor (or your favorite flavor of
packet capture software) on your domain controllers.
Set up a rather large buffer (enough for 12 hours) and start capturing
packets.
The buffer wraps FIFO, so you should not need to worry about missing the
event.
Then when you see a string of events in your event log, you can correlate
those events in the network trace.
Now you've got the IP address. If you're lucky the malicious code is not
clever enough for IP spoofing.
This is really the only way to find the offender that I know of.

-- 
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
"Ira Schmidt" <Ira Schmidt@discussions.microsoft.com> wrote in message
news:427B8C80-36F7-4068-9E66-51D61FC7A29B@microsoft.com...
> The problem has been going on for the last two and a half weeks and has even
> happened during the middle of the night when there is no one on the network.
> There are about 95 PCs in the network and we have physically disconnected all
> network ports that are not in use, and anyone who brings in a laptop has to
> contact the IT dept. to get a live connection. We suspected a couple of
> vendor PCs, but shut those down and the problem still persisted. The lockouts
> will occur randomly for several hours and stop for as much as 36 hours. I am
> suspecting that a PC somewhere has a trojan that is attempting to log on to
> the accounts in order to find a weak password. The lockouts usually occur
> with a group of user accounts that are listed alphabetically in User Manager.
> I have the password policy set to allow seven password attempts before
> locking the account. All of our Win2k servers are at SP 4 and the domain
> controllers for the NT domain have the security patches that are as recent as
> last week. Some of the accounts that are being locked out are owners of
> mailboxes that are used internally in the company to store email messages
> related to business partners and are never used to actually log on to the
> network.
>
> "Todd J Heron" wrote:
>
> > The computer name changing randomly looks like it is due to computers
> > dropping in and out of the browse list.  Could be laptop users.  You might
> > want to be concerned with who these laptop users are.  Travelling Sales
> > force?  Telecommuters?  Students?  Think about that for a little bit, then
> > review my "cookbook" recipe for determining the source of the lockout
> > problem on multiple accounts.
> >
> > Lockouts are common when there are replication problems between the PDC and
> > BDCs.  Open Server Manager > highlight the PDC > click on Computer >
> > Synchronize the entire domain > check the system log of the Event Viewer on
> > all DCs to determine whether synchronization was successful.
> >
> > Password Policy and Account Lockout Policy are both domain-wide policies, so
> > if only a small number of users are affected, it's unlikely that the policy
> > itself is the problem.  (For a single user, continuous lock-out situation, I
> > always suggest that they find all workstations they have logged into
> > recently and close Outlook, because it caches the password of the logged-in
> > account, and if it changes, then the old credentials will be denied and
> > cause a domain controller to lock the account out based on bad password
> > attempts).  Look for a scheduled task or service running using the old
> > password.  It's also possible that some application or mapped drive is
> > caching the old password.  This can especially be a problem if users are
> > logged into multiple machines.  Here's an example scenario:  User1 logs into
> > machineA and machineB.  User1 changes his password on machineA, but fails to
> > log out of machineB.  MachineB's antivirus software wakes up and attempts to
> > download updated signature files located on a network share.  MachineB's
> > antivirus process cannot connect to the network share since User1's
> > credentials on MachineB are now invalid, but continues to attempt to connect
> > to the network resource 3 times before giving up, which inadvertently locks
> > out User1's account from MachineB.  This scenario would be avoided simply by
> > logging out of machineB and logging back into machineB once User1 updates
> > his password from MachineA.  Without knowing what your current policy
> > settings are, you may want to consider changing them, at least temporarily
> > while troubleshooting.  For example, increase the number of bad password
> > logon attempts to 10 in 30 minutes, and unlock at 30 minutes.  And check in
> > all event logs on the DCs for any clues, and get the exact error message
> > when this happens.  If you decide to open an incident for this, this info
> > will help the engineer assist you.  Also, all Windows 2000 servers and
> > workstations should be on Service Pack 3, if not already, because there were
> > a number of fixes included in SP3 for lockout issues.
> >
> > 1) Get all NT 4.0 DCs out of environment as soon as possible if it is a
> > mixed environment
> > 2) Make sure all Win2k DCs have latest service pack (since many account
> > lockout issues are resolved in SP2, SP3)
> > 3) Validate the account lockout policy settings on the Win2k domain
> > 4) Is Web Sense installed anywhere on the network?  Web Sense sends a logon
> > prompt when accessing the web.  An option is available to save password for
> > this dialog and this is known to cause lock-out issues.
> > 5) See:  HOW TO: Prevent Network Share Shortcuts from Being Added to My
> > Network Places http://support.microsoft.com/?id=242578
> > 6) Check for persistent drive mappings using saved account\password.
> > Increased Account Lockout Frequency in Windows 2000 Domain:
> > http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b264678
> > 7) Click here for an Account Lockout Status tool which will show the lockout
> > status across a domain for a particular user:
> >
> > L:\Utils\acctlockouttool.zip
> >
> > Reference:
> > Verifying Domain Netlogon Synchronization
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q149664
> >
> > Account Lockouts and 5711 Events on the PDC
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q191828
> >
> > Using the Checked Netlogon.dll to Track Account Lockouts
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q189541
> >
> > -- 
> > Todd J Heron, MCSE
> > Windows 2003/2000/NT
> >
> > "Ira Schmidt" <Ira Schmidt@discussions.microsoft.com> wrote in message
> > news:D3C11A5D-7B22-45BB-A913-E15D53793AD3@microsoft.com...
> > > User accounts are being locked out randomly in an NT domain. It appears
> > > that they are being locked out from computer names that do not exist on
> > > the domain. The computer name changes randomly and has used names like
> > > \\palnet or \\acs and the names change every few days. Is there a way to
> > > find out where these logon attempts are coming from? I have checked WINS
> > > Manager and DHCP Manager without finding the computer names. I suspect a
> > > trojan is installed on one of the computers in the domain. I am migrating
> > > users to Active Directory and those accounts are not affected.
> >
> >
> >
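An added example, not code from anyone in this thread, of the two checks the posts above describe: Glenn's suggestion of lining up lockout events from the DC's event log against a packet capture taken on the DC to recover the real source IP behind a spoofed caller name, and Ira's observation that the locked accounts come in alphabetical order (a guessing tool walking the user list looks different from one workstation with a stale cached password hammering a single account). The event records, capture rows, account names, workstation names and IP addresses are all constructed for this example; a real run would feed it exported log rows and a capture filtered to the DC's SMB ports.

```python
"""Correlate DC account-lockout events with a packet capture taken on the DC.

All data below is constructed for this example; none of it comes from a real
domain. The approach: for each lockout, look at the SMB (139/445) traffic that
reached the DC in the few seconds before the event and count source IPs. The
caller workstation name in the event can be spoofed; the IP in the capture is
harder to fake on a switched LAN.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed lockout events as they might be exported from the DC security
# log: time, account locked, and the caller workstation name the DC recorded.
LOCKOUT_EVENTS = [
    {"time": "2004-10-23 02:14:05", "account": "aadams",  "workstation": "PALNET"},
    {"time": "2004-10-23 02:14:09", "account": "abrown",  "workstation": "PALNET"},
    {"time": "2004-10-23 02:14:13", "account": "acarter", "workstation": "PALNET"},
    {"time": "2004-10-23 02:14:18", "account": "bdavis",  "workstation": "PALNET"},
    {"time": "2004-10-23 09:30:00", "account": "jsmith",  "workstation": "WKS-JSMITH"},
]

# Constructed capture rows (time, source IP, destination port) for packets
# arriving at the DC; 139 and 445 carry the SMB session-setup (logon) attempts.
CAPTURE = [
    ("2004-10-23 02:14:03", "10.0.5.77", 139),
    ("2004-10-23 02:14:04", "10.0.5.77", 139),
    ("2004-10-23 02:14:07", "10.0.5.77", 139),
    ("2004-10-23 02:14:08", "10.0.1.20", 53),    # unrelated DNS query, ignored
    ("2004-10-23 02:14:11", "10.0.5.77", 139),
    ("2004-10-23 02:14:16", "10.0.5.77", 139),
    ("2004-10-23 09:29:58", "10.0.2.41", 445),
]

AUTH_PORTS = {139, 445}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, capture, window_seconds=5):
    """Count, per caller workstation name, which source IPs sent SMB traffic
    to the DC in the window_seconds before each of its lockouts.
    Returns {workstation: Counter({src_ip: hits})}."""
    hits = defaultdict(Counter)
    window = timedelta(seconds=window_seconds)
    for ev in events:
        t = parse(ev["time"])
        for ts, src, port in capture:
            if port not in AUTH_PORTS:
                continue
            if t - window <= parse(ts) <= t:
                hits[ev["workstation"]][src] += 1
    return hits


def likely_source(events, capture, window_seconds=5):
    """Most frequent source IP behind each workstation name, or None when no
    SMB traffic preceded its lockouts (e.g. the attempts hit another DC)."""
    hits = correlate(events, capture, window_seconds)
    result = {}
    for ws in {ev["workstation"] for ev in events}:
        counter = hits.get(ws)
        result[ws] = counter.most_common(1)[0][0] if counter else None
    return result


def alphabetical_sweeps(events, min_run=3, max_gap_seconds=60):
    """Find runs of lockouts from one workstation, close together in time,
    whose account names strictly increase alphabetically. A stale cached
    password locks the same account repeatedly; a sweep through the user list
    produces exactly this kind of sorted run."""
    evs = sorted(events, key=lambda e: parse(e["time"]))
    runs, run = [], evs[:1]
    for prev, cur in zip(evs, evs[1:]):
        same_ws = cur["workstation"] == prev["workstation"]
        gap = parse(cur["time"]) - parse(prev["time"])
        close = gap <= timedelta(seconds=max_gap_seconds)
        if same_ws and close and cur["account"] > prev["account"]:
            run.append(cur)
            continue
        if len(run) >= min_run:
            runs.append([e["account"] for e in run])
        run = [cur]
    if len(run) >= min_run:
        runs.append([e["account"] for e in run])
    return runs


if __name__ == "__main__":
    for ws, ip in sorted(likely_source(LOCKOUT_EVENTS, CAPTURE).items()):
        print(f"caller name {ws!r:14} -> likely source IP {ip}")
    for accounts in alphabetical_sweeps(LOCKOUT_EVENTS):
        print("alphabetical sweep over accounts:", ", ".join(accounts))
```

On the constructed data the caller name PALNET resolves to 10.0.5.77 and the four lockouts from it form one alphabetical run, while the single WKS-JSMITH lockout resolves to a different host and is not flagged as a sweep. The window size is the knob to tune: it must be at least as long as the delay between the last bad password and the DC writing the lockout event, and a capture taken on a BDC rather than the PDC may show nothing at all, which the None result makes visible.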

