RE: Account Lockout -- ARGH

From: Salmon, Daniel J. (Dan.Salmon_at_Norstan.com)
Date: 08/17/03

  • Next message: Scott Zawalski: "Re: Account Lockout -- ARGH"
    Date: Sun, 17 Aug 2003 12:12:33 -0500
    To: "Hillensbeck, Preston" <PHillensbeck@sfbcic.com>, "SecurityFocus-MS (E-mail)" <focus-ms@securityfocus.com>
    
    

    Check out this MS tool

    http://support.microsoft.com/default.aspx?scid=kb;en-us;237282

    -----Original Message-----
    From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    Sent: Friday, August 15, 2003 2:51 PM
    To: SecurityFocus-MS (E-mail)
    Subject: RE: Account Lockout -- ARGH

    Does anyone know of a utility, be it one that I can buy or a freeware
    product, that can tell when someone is logged in more than once anywhere
    on the network?

    -----Original Message-----
    From: VanMeter, John [mailto:John.VanMeter@ost.dot.gov]
    Sent: Friday, August 15, 2003 12:37 PM
    To: 'Carrera, Art'; Grabowski, David; SecurityFocus-MS (E-mail)
    Subject: RE: Account Lockout -- ARGH

    I had the same problem.

    Most were the Terminal Service Connection that Art spoke of. But we all
    had some users that were staying logged into multiple workstations for
    months on end, and that would cause problems when they changed their
    password but were logged in somewhere else with the old one.

    -----Original Message-----
    From: Carrera, Art [mailto:ACARRERA@vha.com]
    Sent: Friday, August 15, 2003 12:34 PM
    To: Grabowski, David; SecurityFocus-MS (E-mail)
    Subject: RE: Account Lockout -- ARGH

    I've seen this too. In my case, it turned out to be a "persistent"
    Terminal service connection that had not been closed properly by the
    user. While this connection was "alive", the user correctly changed his
    password. Meanwhile, the persistent Terminal Service connection kept
    trying to reuse the "old" password and it locked the account.

    Hope this helps.

    Art Carrera
    security analyst
    VHA, Inc.

    -----Original Message-----
    From: Grabowski, David [mailto:david.grabowski@us.mizuho-sc.com]
    Sent: Thursday, August 14, 2003 3:05 PM
    To: SecurityFocus-MS (E-mail)
    Subject: Account Lockout -- ARGH

    I'm running into some serious problems with users on our domain getting
    their accounts locked out repeatedly.

    All W2K, SP3.

    No services are configured to run as any of these users.

    Usually in the morning, when the users log in, they let us know that
    their accounts are locked out. Occasionally problems pop up during the
    day -- i.e., a user closes Outlook and then restarts it at some point
    later. Somehow, his account got locked during that time, so Outlook
    won't start for him.

    All security events are logged.

    Event logs on the workstations vary; some show a number of 529's
    (unknown username and password) followed by an account lockout. Others
    simply show the lockouts and nothing else. Some show nothing at all.

    Event logs on the domain controllers show occasional 677's (service
    ticket request failed - although from what I've read, these are normal),
    and frequent 675's (pre-authentication failed).

    I've done the requisite research at eventid.net, the MS KB, and Google;
    nothing of any significance.

    Users are not logged on at more than one workstation. Actually, we
    recently got everyone into the habit of remembering to log off at the
    end of the day. (They learned after we started pushing updates that
    would reboot their machines at night and their open documents wouldn't
    get saved.)

    Time is synchronized on all machines.

    Our Default Domain Controllers Policy enforces: Account lockout duration
    (0), Account Lockout Threshold (10 invalid attempts), and Reset account
    lockout counter after (60 minutes).

    Any ideas?

    ---------------------------------------------------
    David Grabowski
    Mizuho Securities USA, Equity Division
    (212) 209-9349

    ---------------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation - resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications": http://www.securityfocus.com/Kavado-focus-ms
    ---------------------------------------------------------------------------
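The stale-session cause described in the thread can be traced from the domain controller's 675 events by counting, for each lockout, which client address produced the failures inside the 60-minute counter window. The following is an added example, not code from any poster or from the Microsoft tool linked above; the pipe-separated log format, account names and addresses are constructed, and event ID 644 (the Windows 2000 "user account locked out" event) is an assumption not mentioned in the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

PREAUTH_FAILED = 675  # pre-authentication failed (seen on the DCs in the thread)
LOCKED_OUT = 644      # assumption: Windows 2000 account-lockout event ID

# Constructed sample, flattened to "timestamp|event id|account|client address".
# jdoe: a forgotten session on 10.1.4.20 retries the old password every 5 minutes.
SAMPLE_LOG = "\n".join(
    [f"2003-08-14 02:{m:02d}:00|675|jdoe|10.1.4.20" for m in range(0, 50, 5)]
    + ["2003-08-14 02:45:05|644|jdoe|-",
       "2003-08-13 17:02:11|675|jdoe|10.1.2.7",     # old typo, outside the window
       "2003-08-14 08:58:40|675|asmith|10.1.2.9",   # two typos, never locked out
       "2003-08-14 08:59:02|675|asmith|10.1.2.9"])

def parse(log):
    """Turn the constructed log text into sorted (time, id, account, address) tuples."""
    events = []
    for line in log.splitlines():
        ts, event_id, account, address = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account.lower(), address))
    return sorted(events)

def lockout_sources(events, threshold=10, window=timedelta(minutes=60)):
    """For each lockout, count 675 failures per client address in the window before it.

    threshold and window default to the policy quoted in the thread
    (10 invalid attempts, counter reset after 60 minutes).
    """
    report = []
    for when, event_id, account, _ in events:
        if event_id != LOCKED_OUT:
            continue
        counts = Counter(addr for ts, eid, acct, addr in events
                         if eid == PREAUTH_FAILED and acct == account
                         and when - window <= ts <= when)
        report.append({"account": account,
                       "locked_at": when,
                       "sources": counts.most_common(),
                       "explains_lockout": sum(counts.values()) >= threshold})
    return report

if __name__ == "__main__":
    for entry in lockout_sources(parse(SAMPLE_LOG)):
        print(entry["account"], entry["locked_at"], entry["sources"],
              "threshold reached" if entry["explains_lockout"] else "incomplete log")
```

An address that is not the user's own workstation and that fails at regular intervals points to a forgotten session or mapped connection rather than mistyped passwords.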