RE: Account Lockout -- ARGH

From: Kayne Ian (Softlab) (Ian.Kayne_at_softlab.co.uk)
Date: 08/18/03

    To: Marsha Cipollone <Marsha.Cipollone@stclair.org>, focus-ms@securityfocus.com
    Date: Mon, 18 Aug 2003 09:28:39 +0100
    
    

    I've seen this behaviour with SMS. It turned out to be caused by Crystal
    Reports. For some reason, Crystal appears to do some caching with passwords.
    It runs the report with the user account and password supplied to it and,
    if that fails due to invalid credentials, it just keeps hammering the retry
    until the account is locked out.

    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company

    > -----Original Message-----
    > From: Marsha Cipollone [mailto:Marsha.Cipollone@stclair.org]
    > Sent: 15 August 2003 18:36
    > To: SecurityFocus-MS (E-mail)
    > Subject: RE: Account Lockout -- ARGH
    >
    >
    > We ran into this yesterday as well. In our case it was SMS 2.0 causing
    > the problem. I am still working on the root cause of the issue, but it
    > appears that if you were a SMS admin, your account was repeatedly locked
    > throughout the day. Not sure of the significance of the SMS admin yet,
    > but...it may be another direction to pursue if you are running SMS.
    >
    > -----Original Message-----
    > From: Carrera, Art [mailto:ACARRERA@vha.com]
    > Sent: Friday, August 15, 2003 12:34 PM
    > To: Grabowski, David; SecurityFocus-MS (E-mail)
    > Subject: RE: Account Lockout -- ARGH
    >
    > I've seen this too. In my case, it turned out to be a "persistent"
    > Terminal service connection that had not been closed properly by the
    > user. While this connection was "alive", the user correctly changed his
    > password. Meanwhile, the persistent Terminal Service connection kept
    > trying to reuse the "old" password and it locked the account.
    >
    > hope this helps.
    >
    > Art Carrera
    > security analyst
    > VHA, Inc.
    >
    > -----Original Message-----
    > From: Grabowski, David [mailto:david.grabowski@us.mizuho-sc.com]
    > Sent: Thursday, August 14, 2003 3:05 PM
    > To: SecurityFocus-MS (E-mail)
    > Subject: Account Lockout -- ARGH
    >
    >
    > I'm running into some serious problems with users on our domain getting
    > their accounts locked out repeatedly.
    >
    > All W2K, SP3.
    >
    > No services are configured to run as any of these users.
    >
    > Usually in the morning, when the users log in, they let us know that
    > their accounts are locked out. Occasionally problems pop up during the
    > day -- i.e., a user closes Outlook and then restarts it at some point
    > later. Somehow, his account got locked during that time, so Outlook
    > won't start for him.
    >
    > All security events are logged.
    >
    > Event logs on the workstations vary; some show a number of 529's
    > (unknown username and password) followed by an account lockout. Others
    > simply show the lockouts and nothing else. Some show nothing at all.
    >
    > Event logs on the domain controllers show occasional 677's (service
    > ticket request failed - although from what I've read, these are normal),
    > and frequent 675's (pre-authentication failed).
    >
    > I've done the requisite research at eventid.net, the MS KB, and Google;
    > nothing of any significance.
    >
    > Users are not logged on at more than one workstation. Actually, we
    > recently got everyone into the habit of remembering to log off at the
    > end of the day. (They learned after we started pushing updates that
    > would reboot their machines at night and their open documents wouldn't
    > get saved)
    >
    > Time is synchronized on all machines.
    >
    > Our Default Domain Controllers Policy enforces: Account lockout duration
    > (0), Account Lockout Threshold (10 invalid attempts), and Reset account
    > lockout counter after (60 minutes).
    >
    > Any ideas?
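
The causes reported in this thread (a report tool retrying cached credentials, a Terminal Services session reusing an old password) both show up as one machine producing most of an account's failures. As an added example that is not part of the original messages, the sketch below replays 529/675 events against the quoted policy (threshold 10, counter reset after 60 minutes) and ranks the source machines behind each lockout. The CSV layout, host names and accounts are constructed, and the counter logic is a simplified model of the policy, not Windows' own implementation.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                        # Account Lockout Threshold from the thread
RESET_AFTER = timedelta(minutes=60)   # Reset account lockout counter after
FAILURE_IDS = {"529", "675"}          # bad username/password, pre-auth failed

# Constructed sample export (assumed layout): time,event id,account,source host
SAMPLE_LOG = "\n".join(
    # nine failures overnight from one terminal server, five minutes apart
    [f"2003-08-14 02:{m:02d}:00,675,jdoe,TS01" for m in range(0, 45, 5)]
    + [
        "2003-08-14 02:50:00,677,jdoe,TS01",      # 677 is not counted here
        "2003-08-14 03:10:00,529,jdoe,WKS042",    # tenth failure inside window
        "2003-08-14 09:00:00,529,asmith,WKS007",
        "2003-08-14 10:30:00,529,asmith,WKS007",  # gap > 60 min resets counter
    ]
)

def find_lockouts(log_text):
    """Return one record per modelled lockout, with failure sources ranked."""
    count = defaultdict(int)          # running bad-password count per account
    last_fail = {}                    # time of the previous failure per account
    sources = defaultdict(Counter)    # failures per source host, per account
    lockouts = []
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        stamp, event_id, account, source = line.split(",")
        if event_id not in FAILURE_IDS:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # Simplified model: a quiet period longer than the window clears the count.
        if account in last_fail and when - last_fail[account] > RESET_AFTER:
            count[account] = 0
            sources[account] = Counter()
        last_fail[account] = when
        count[account] += 1
        sources[account][source] += 1
        if count[account] == THRESHOLD:
            lockouts.append({"account": account, "locked_at": when,
                             "sources": sources[account].most_common()})
            count[account] = 0        # duration 0: stays locked until unlocked
            sources[account] = Counter()
    return lockouts

if __name__ == "__main__":
    for hit in find_lockouts(SAMPLE_LOG):
        print(hit["account"], hit["locked_at"], hit["sources"])
```

The host at the top of `sources` is the first place to look for a stale session, mapped drive or application holding an old password.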
     
