Re: Username Vulnerability???
- From: "Todd J Heron" <todd_heron_no_spam@xxxxxxxxxxx>
- Date: Mon, 12 Sep 2005 09:07:40 -0400
This is my "cookbook" recipe for determining the source of the lockout
problem on multiple accounts.
In the NT 4.0 days, lockouts were common when there were replication
problems between the PDC and BDCs. Open Server Manager > highlight the PDC
> click on Computer > Synchronize the entire domain > check the system log
of the Event Viewer on all DCs to determine whether synchronization was
successful. Those were the NT 4 days though....
In Active Directory, Password Policy and Account Lockout Policy are both
domain-wide policies, so if only a small number of users are affected, it's
unlikely that the policy itself is the problem. Without knowing what your
current policy settings are, you may want to consider changing them, at
least temporarily while troubleshooting. For example, increase the number
of bad password logon attempts to 10 in 30 minutes, and unlock at 30
minutes. And check in all event logs on the DCs for any clues, and get the
exact error message when this happens. Also, if running Windows 2000, all
servers and workstations should be on Service Pack 3, if not already,
because there were a number of fixes included in SP3 for lockout issues.
1) Get all NT 4.0 DCs out of the environment as soon as possible if it is a
mixed environment
2) Make sure all Win2k or K3 DCs have the latest service pack (since many
account lockout issues are resolved in SP2, SP3)
3) Validate the account lockout policy settings on the Win2k domain
4) Is Websense installed anywhere on the network? Websense sends a logon
prompt when accessing the web. An option is available to save the password for
this dialog and this is known to cause lockout issues.
5) See: HOW TO: Prevent Network Share Shortcuts from Being Added to My
Network Places http://support.microsoft.com/?id=242578
6) Check for persistent drive mappings using saved account\password.
Increased Account Lockout Frequency in Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b264678
7) Click here for an Account Lockout Status tool which will show the lockout
status across a domain for a particular user:
Reference:
Verifying Domain Netlogon Synchronization
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q149664
Account Lockouts and 5711 Events on the PDC
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q191828
Using the Checked Netlogon.dll to Track Account Lockouts
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q189541
The following discusses general account lockout policy, troubleshooting and
tools:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
The tools can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
"GXIGROUP" <GXIGROUP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A791187E-A1BD-4425-8C36-1983D1B8FA1B@xxxxxxxxxxxxxxxx
One thing to do is change all user account passwords, so that only you and
the users have access to those accounts. Seems like someone knows your
administrator account password
"MJG" wrote:
> We have recently experienced massive account lockouts. The event logs
> reveal repeated login failures with most of our accounts. These attempts are
> coming from external addresses and are obviously unauthorized. I know that
> in NT 4.0 there was a vulnerability that allowed hackers with freely
> available tools to expose your usernames and use a brute force or dictionary
> attack to attempt to log in. Is there a similar vulnerability in Server
> 2003? This appears to be what is happening. The DC in question is running
> Server 2003 w/SP2 and is completely current with all patches and fixes.
> Someone obviously has a list of our usernames and is using them to try and log
> in. I will pursue that with the ISP in question, but where is this hole, and
> how do I plug it???