RE: Password disappears



Hello Steve,

Thank you for posting here.

According to your description, I understand that your SBS domain user
account password is automatically reset to empty. If I have misunderstood
the problem, please don't hesitate to let me know.

Based on my research, this is most likely attack behavior. The SBS may be
infected by a Trojan horse. The Trojan horse will monitor your server's
keyboard input and get the password when you change it. Or the hacker
guesses your password with some hacker tools and gets it. I suggest we try
the following steps to see if we can resolve this issue:

1. Please install antivirus software on all client computers and the SBS,
update the virus definitions to the latest and perform a full virus scan on
the computers. If you do not have an antivirus application installed, you
may try: http://housecall.trendmicro.com/.

2. Enable a complicated password policy on SBS.

Note: The Password Policy needs to be configured in the Default Domain Policy.

We can configure the settings under:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

3. Configure account lockout policy.

Generally, it is a best practices suggestion to set the Threshold value to
10 or higher. This is high enough to rule out user error and low enough to
deter hackers, especially when the password complexity policy is enabled.

For medium security requirements, the recommended configurations are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For high security requirements, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

4. Check your firewall to ensure that only the necessary ports are opened.

5. Please install a new Windows XP client, install antivirus software on it,
update the virus definitions to the latest and perform a full virus scan.
Then join the XP client to the SBS domain and log on to it with the Domain
Administrator account. Press Ctrl+Alt+Delete, click the Change Password
button, then change the Domain Administrator password (do not tell anybody
the new password and do not write down the new password anywhere). Monitor
for several days: does the password reset again?

6. If the password resets again, we have to enable auditing to monitor
who changes the password.

a. Open ADUC (Active Directory Users and Computers) on SBS

b. Click View menu->Advanced Features

c. Locate the Administrator account and double-click it

d. Click Security tab, click Advanced button

e. Click the Auditing tab, then double-click the auditing entry whose Apply To
is "This object only" and whose Name is Everyone.

f. On the Object tab, tick all Successful and Failed options

g. Click OK several times to finish

h. If the administrator's password is changed, you will find event log entries
628 and 642 in the SBS Security log. The log will tell you who changed the
password.

If we cannot resolve the issue after we perform the above steps, please
kindly help me collect some information for further investigation:

Use the MPS report to capture the server configurations for further
analysis:
a. Download MPSreport_network from
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

b. Run MPSRPT_NETWORK.exe on the server box.

c. The tool will automatically collect the information. This procedure will
take 10~15 minutes.

d. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\

e. Send the .cab file directly to me at v-terliu@xxxxxxxxxxxxx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
| From: =?Utf-8?B?U3RldmUgTG91aWU=?= <SteveLouie@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Password disappears
| Date: Thu, 14 Jun 2007 15:23:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi,
| A while back, one of the users' passwords was reset automatically in our
| Win2K3 SBS Basic network. She comes in and her old password cannot log her
| computer onto the domain. However, she was able to log in with just the user
| name and no password. That happened a few times but it went away.
|
| Three weeks ago, I reset the server administrator password. Last week, I
| attempted to log on to the server with the admin user name and password but I
| can't log on. I was able to log on via a different admin user and reset the
| password. But then again, this week, it happened and I cannot log on with the
| new password but I can without a password. I viewed the server logons and
| security logs but cannot find anything. There isn't a password expiration or
| reset policy set up on the network. It could be a hacker but I don't believe
| so and no one in the office knows the password except for me and one other
| person and she didn't reset it.
|
| What should I be looking into to see what is going on and why it is
| happening so I can stop it from happening again?
|
| Thanks,
| Steve
|
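
Added example, not part of the original thread: once the auditing from step 6 is enabled, a small script can pull the 628 and 642 entries for one account out of an exported Security log and group them by the account that made the change. The "Key: value" record layout, the field names and the sample records are constructed assumptions; adapt them to the export you actually have.

```python
import re
from collections import defaultdict

# Event IDs named in step 6h of the post.
PASSWORD_EVENT_IDS = {628, 642}

# Constructed sample records (not real log data). The layout and field names
# are assumptions for illustration; match them to your own log export.
SAMPLE_EXPORT = """\
Event ID: 628
Date: 2007-06-18 02:14:07
Target Account Name: Administrator
Caller User Name: svc_backup

Event ID: 642
Date: 2007-06-18 02:14:07
Target Account Name: Administrator
Caller User Name: svc_backup

Event ID: 528
Date: 2007-06-18 08:01:44
User Name: jdoe

Event ID: 628
Date: 2007-06-19 09:30:12
Target Account Name: jsmith
Caller User Name: Administrator
"""

def parse_records(text):
    """Split the export on blank lines and turn each block into a dict."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        yield {key.strip(): value.strip() for key, value in pairs}

def password_changes(text, target):
    """Return {caller: [(date, event_id), ...]} for changes made to `target`."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        event_id = int(rec.get("Event ID", 0))
        same_target = rec.get("Target Account Name", "").lower() == target.lower()
        if event_id in PASSWORD_EVENT_IDS and same_target:
            caller = rec.get("Caller User Name", "<unknown>")
            hits[caller].append((rec.get("Date", "?"), event_id))
    return dict(hits)

if __name__ == "__main__":
    for caller, events in password_changes(SAMPLE_EXPORT, "Administrator").items():
        print(caller, events)
```

A caller that is a service account, or a change at a time when nobody was at the console, is the lead to follow up on the machine where that account is logged on.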
