RE: Account Lockout -- ARGH

From: Holmes, Tyran (tholmes_at_ascendone.com)
Date: 08/15/03

Next message: Chris Gianelloni: "RE: New variant. Blast.b"

Previous message: LordInfidel: "MS03-029 ?-Download link"
Maybe in reply to: Grabowski, David: "Account Lockout -- ARGH"
Next in thread: Hillensbeck, Preston: "RE: Account Lockout -- ARGH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 15 Aug 2003 13:31:52 -0400
To: "Carrera, Art" <ACARRERA@vha.com>, "Grabowski, David" <david.grabowski@us.mizuho-sc.com>, "SecurityFocus-MS (E-mail)" <focus-ms@securityfocus.com>

I've had the same problem in the past. If it is indeed the TS
connection, you can use Terminal Services Manager to track it down and
kill the session.

Hope that helps.

-----Original Message-----
From: Carrera, Art [mailto:ACARRERA@vha.com]
Sent: Friday, August 15, 2003 12:34 PM
To: Grabowski, David; SecurityFocus-MS (E-mail)
Subject: RE: Account Lockout -- ARGH

I've seen this too. In my case, it turned out to be a "persistent"
Terminal service connection that had not been closed properly by the
user. While this connection was "alive", the user correctly changed his
password. Meanwhile, the persistent Terminal Service connection kept
trying to reuse the "old" password and it locked the account.

hope this helps.

Art Carrera
security analyst
VHA, Inc.

-----Original Message-----
From: Grabowski, David [mailto:david.grabowski@us.mizuho-sc.com]
Sent: Thursday, August 14, 2003 3:05 PM
To: SecurityFocus-MS (E-mail)
Subject: Account Lockout -- ARGH

I'm running into some serious problems with users on our domain getting
their accounts locked out repeatedly.

All W2K, SP3.

No services are configured to run as any of these users.

Usually in the morning, when the users log in, they let us know that
their accounts are locked out. Occasionally problems pop up during the
day -- i.e., a user closes Outlook and then restarts it at some point
later. Somehow, his account got locked during that time, so Outlook
won't start for him.

All security events are logged.

Event logs on the workstations vary; some show a number of 529's
(unknown username and password) followed by an account lockout. Others
simply show the lockouts and nothing else. Some show nothing at all.

Event logs on the domain controllers show occasional 677's (service
ticket request failed - although from what I've read, these are normal),
and frequent 675's (pre-authentication failed).

I've done the requisite research at eventid.net, the MS KB, and Google;
nothing of any significance.

Users are not logged on at more than one workstation. Actually, we
recently got everyone into the habit of remembering to log off at the
end of the day. (They learned after we started pushing updates that
would reboot their machines at night and their open documents wouldn't
get saved)

Time is synchronized on all machines.

Our Default Domain Controllers Policy enforces: Account lockout duration
(0), Account Lockout Threshold (10 invalid attempts), and Reset account
lockout counter after (60 minutes)

Any ideas?

---------------------------------------------------
David Grabowski
Mizuho Securities USA, Equity Division
(212) 209-9349
########################################################################
#############
CONFIDENTIAL: This e-mail, including its contents and attachments, if
any, are confidential. It is neither an offer to buy or sell, nor a
solicitation of an offer to buy or sell, any securities or any related
financial instruments mentioned in it. If you are not the named
recipient please notify the sender and immediately delete it. You may
not disseminate, distribute, or forward this e-mail message or disclose
its contents to anybody else. Unless otherwise indicated, copyright and
any other intellectual property rights in its contents are the sole
property of Mizuho Securities USA Inc.
E-mail transmission cannot be guaranteed to be secure or
error-free. The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a
result of e-mail transmission. If verification is required please
request a hard-copy version.
Although we routinely screen for viruses, addressees should check
this e-mail and any attachments for viruses. We make no representation
or warranty as to the absence of viruses in this e-mail or any
attachments. Please note that to ensure regulatory compliance and for
the protection of our customers and business, we may monitor and read
e-mails sent to and from our server(s).
########################################################################
#############

------------------------------------------------------------------------

---
Your network firewall and IDS products do not prevent Web application 
attacks - the most common form of online exploitation- resulting in Web 
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web 
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application 
attacks - the most common form of online exploitation- resulting in Web 
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web 
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application 
attacks - the most common form of online exploitation- resulting in Web 
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web 
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------

Next message: Chris Gianelloni: "RE: New variant. Blast.b"

Previous message: LordInfidel: "MS03-029 ?-Download link"
Maybe in reply to: Grabowski, David: "Account Lockout -- ARGH"
Next in thread: Hillensbeck, Preston: "RE: Account Lockout -- ARGH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Account Lockout -- ARGH
... Most were the Terminal Service Connection that Art spoke of. ... Subject: Account Lockout -- ARGH ... All security events are logged. ... Your network firewall and IDS products do not prevent Web application ...
(Focus-Microsoft)
RE: Critical Errors in Security Log, Logon Failures
... Step1: Implement Strong password policies. ... Step 2: Configure account lockout policy. ... Windows Settings, double-click Security Settings, double-click Account ... and then click Account Lockout Policy. ...
(microsoft.public.windows.server.sbs)
RE: Critical Errors in Security Log, Logon Failures
... Security Event 529 is logged for local user accounts ... Microsoft CSS Online Newsgroup Support ... Step 2: Configure account lockout policy. ... and then click Account Lockout Policy. ...
(microsoft.public.windows.server.sbs)
RE: Critical Errors in Security Log, Logon Failures
... I know that you get "Critical Errors in Security ... Step 2: Configure account lockout policy. ... and then click Account Lockout Policy. ... Use an anti-virus with updated signatures and scan you SBS Server ...
(microsoft.public.windows.server.sbs)