I am going to suggest a less evil explanation. This may be the reason depending on how you use your network. We have seen a similar problem when an individual has used their id to log into multiple workstations, access terminal server, or sign onto a share from an unauthenticated machine. Then the user changes their password on their main workstation. Eventually the places where they were authenticated using their old password (these seem to automatically reauthenticate when they hit the timeout value - Kerberos ticket life - I think), cause them to hit the lockout policy. The only method for keeping their ID from continually locking out is to find all of the places where they are logged in and kick them off. This will keep being a pain every time you hit the password expiration date. Terminal Services Manager (W2K Server) is a good place to see lost TS connections. Another thought is the machine has a Service with a hard-coded Service Account ID and Password. - Look for services that cannot start. -----Original Message----- From: A. Naveira [mailto:anaveiraat_private] Sent: Monday, March 31, 2003 4:37 PM To: incidentsat_private Cc: intrusionsat_private Subject: Logon/Logoff Failure Events I recently implemented the account lockout policy on my NT4 PDC (all my clients authenticate to this server) and encountered the following events in my security event log: 1.User accounts continue to get locked (Event 539) 2.Expired password accounts continue trying to log in to the network (Event 535) 3.Accounts restricted to specific workstations are trying to login to unidentified workstations that I can't seem to ID on my network (Event 533) AND 4.Bad password attempts on existing accounts from unidentified workstations that I can't seem to ID on my network (Event 529) These events seem quite unsettling, as I see MULTIPLE failed attempts per second (more than humanly possible). Could this be an automated process (token authentication) that NT is running to authenticate services, apps, or other processes or, as I expect, could it be a script trying to guess user passwords? Has anyone encountered this previously in NT4 with benign sources? Ana _________________________________________________________________ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 19:36:07 PST