Re: Account Lockout -- ARGH

From: Scott Zawalski (scott.zawalski_at_web.de)
Date: 08/16/03

    Date: Sat, 16 Aug 2003 11:29:26 +0200
    To: "Grabowski, David" <david.grabowski@us.mizuho-sc.com>
    
    

    Grabowski, David wrote:

    >I'm running into some serious problems with users on our domain getting their accounts locked out repeatedly.
    >
    >All W2K, SP3.
    >
    >No services are configured to run as any of these users.
    >
    >Usually in the morning, when the users log in, they let us know that their accounts are locked out. Occasionally problems pop up during the day -- i.e., a user closes Outlook and then restarts it at some point later. Somehow, his account got locked during that time, so Outlook won't start for him.
    >
    >All security events are logged.
    >
    >Event logs on the workstations vary; some show a number of 529's (unknown username and password) followed by an account lockout. Others simply show the lockouts and nothing else. Some show nothing at all.
    >
    >Event logs on the domain controllers show occasional 677's (service ticket request failed - although from what I've read, these are normal), and frequent 675's (pre-authentication failed).
    >
    >I've done the requisite research at eventid.net, the MS KB, and Google; nothing of any significance.
    >
    >Users are not logged on at more than one workstation. Actually, we recently got everyone into the habit of remembering to log off at the end of the day. (They learned after we started pushing updates that would reboot their machines at night and their open documents wouldn't get saved.)
    >
    >Time is synchronized on all machines.
    >
    >Our Default Domain Controllers Policy enforces: Account lockout duration (0), Account Lockout Threshold (10 invalid attempts), and Reset account lockout counter after (60 minutes)
    >
    >Any ideas?
    >
    >---------------------------------------------------
    >David Grabowski
    >Mizuho Securities USA, Equity Division
    >(212) 209-9349
    We have also run into this problem many times. We found it to not only
    be Terminal Services/ICA Client Metaframe sessions, but also mapping
    with persistent on, which is either set through the command line or when
    mapping a drive through Explorer and setting reconnect drive on login
    (which most people do). Our solution to this was to allow people to
    create a personal.bat file in their network shared home drive, which
    our login scripts would then look for and call. In this personal.bat they
    would have a net use command to map their drives and set persistent to
    no. This dramatically reduced the number of locked-out users we were
    receiving.

    Good luck,

    Scott
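
Added example, not part of either message: a way to find which machine is sending the bad credentials, by replaying the domain controllers' event 675 records against the lockout policy quoted above (threshold 10, counter reset after 60 minutes). It assumes the records have already been exported as (time, user name, client address) tuples; the sample data is constructed and the counter model is a simplification.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                       # "Account Lockout Threshold" from the post
RESET_AFTER = timedelta(minutes=60)  # "Reset account lockout counter after"

def find_lockout_sources(events):
    """Replay event 675 records (time, user, client_address) in time order.

    Returns one dict per simulated lockout, listing the client addresses
    whose failures were counted towards it, most frequent first.
    """
    state = defaultdict(lambda: {"last": None, "hits": []})
    lockouts = []
    for when, user, client in sorted(events):
        s = state[user.lower()]
        # Simplified model (assumption): the bad-password counter starts over
        # once the reset interval has passed since the previous failure.
        if s["last"] is not None and when - s["last"] > RESET_AFTER:
            s["hits"] = []
        s["last"] = when
        s["hits"].append(client)
        if len(s["hits"]) == THRESHOLD:
            lockouts.append({
                "user": user.lower(),
                "locked_at": when,
                "sources": Counter(s["hits"]).most_common(),
            })
            s["hits"] = []  # duration 0 means a manual unlock; count afresh
    return lockouts

def constructed_sample():
    """Constructed records: names and addresses are placeholders."""
    t = datetime(2003, 8, 15, 6, 0)
    m = lambda n: t + timedelta(minutes=n)
    ev = [(m(i), "jdoe", "10.0.0.21") for i in range(4)]         # early burst
    ev += [(m(120 + i), "jdoe", "10.0.0.57") for i in range(8)]  # after reset
    ev += [(m(130 + i), "jdoe", "10.0.0.21") for i in range(2)]
    ev += [(m(180 + i), "asmith", "10.0.0.30") for i in range(3)]
    return ev

if __name__ == "__main__":
    for hit in find_lockout_sources(constructed_sample()):
        print(hit["user"], hit["locked_at"].isoformat(), hit["sources"])
```

A client address that dominates the list and is not the user's own workstation is the place to look for a persistent drive mapping or a disconnected terminal session holding an old password.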
