RE: Logon/Logoff Failure Events

From: Robert Wagner (
Date: 04/01/03

  • Next message: Wilson, Aaron J.: "RE: SQL Slammer Variant?"
    From: Robert Wagner <>
    To: "'A. Naveira'" <>,
    Date: Tue, 1 Apr 2003 09:16:28 -0600 

    I am going to suggest a less evil explanation. This may be the reason
    depending on how you use your network.

    We have seen a similar problem when an individual has used their id to log
    into multiple workstations, access terminal server, or sign onto a share
    from an unauthenticated machine. Then the user changes their password on
    their main workstation. Eventually the places where they were authenticated
    using their old password (these seem to automatically reauthenticate when
    they hit the timeout value - Kerberos ticket life - I think), cause them to
    hit the lockout policy. The only method for keeping their ID from
    continually locking out is to find all of the places where they are logged
    in and kick them off. This will keep being a pain every time you hit the
    password expiration date.

    Terminal Services Manager (W2K Server) is a good place to see lost TS

    Another thought is the machine has a Service with a hard-coded Service
    Account ID and Password. - Look for services that cannot start.

    -----Original Message-----
    From: A. Naveira []
    Sent: Monday, March 31, 2003 4:37 PM
    Subject: Logon/Logoff Failure Events

    I recently implemented the account lockout policy on my NT4 PDC (all my
    clients authenticate to this server) and encountered the following events in

    my security event log:

    1.User accounts continue to get locked (Event 539)
    2.Expired password accounts continue trying to log in to the network (Event
    3.Accounts restricted to specific workstations are trying to login to
    unidentified workstations that I can't seem to ID on my network (Event 533)
    4.Bad password attempts on existing accounts from unidentified workstations
    that I can't seem to ID on my network (Event 529)

    These events seem quite unsettling, as I see MULTIPLE failed attempts per
    second (more than humanly possible). Could this be an automated process
    (token authentication) that NT is running to authenticate services, apps, or

    other processes or, as I expect, could it be a script trying to guess user
    passwords? Has anyone encountered this previously in NT4 with benign


    Add photos to your e-mail with MSN 8. Get 2 months FREE*.

    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:

  • Next message: Wilson, Aaron J.: "RE: SQL Slammer Variant?"