RE: Logon/Logoff Failure Events
From: Robert Wagner (firstname.lastname@example.org)
From: Robert Wagner <email@example.com> To: "'A. Naveira'" <firstname.lastname@example.org>, email@example.com Date: Tue, 1 Apr 2003 09:16:28 -0600
I am going to suggest a less evil explanation. This may be the reason
depending on how you use your network.
We have seen a similar problem when an individual has used their id to log
into multiple workstations, access terminal server, or sign onto a share
from an unauthenticated machine. Then the user changes their password on
their main workstation. Eventually the places where they were authenticated
using their old password (these seem to automatically reauthenticate when
they hit the timeout value - Kerberos ticket life - I think), cause them to
hit the lockout policy. The only method for keeping their ID from
continually locking out is to find all of the places where they are logged
in and kick them off. This will keep being a pain every time you hit the
password expiration date.
Terminal Services Manager (W2K Server) is a good place to see lost TS
Another thought is the machine has a Service with a hard-coded Service
Account ID and Password. - Look for services that cannot start.
From: A. Naveira [mailto:firstname.lastname@example.org]
Sent: Monday, March 31, 2003 4:37 PM
Subject: Logon/Logoff Failure Events
I recently implemented the account lockout policy on my NT4 PDC (all my
clients authenticate to this server) and encountered the following events in
my security event log:
1.User accounts continue to get locked (Event 539)
2.Expired password accounts continue trying to log in to the network (Event
3.Accounts restricted to specific workstations are trying to login to
unidentified workstations that I can't seem to ID on my network (Event 533)
4.Bad password attempts on existing accounts from unidentified workstations
that I can't seem to ID on my network (Event 529)
These events seem quite unsettling, as I see MULTIPLE failed attempts per
second (more than humanly possible). Could this be an automated process
(token authentication) that NT is running to authenticate services, apps, or
other processes or, as I expect, could it be a script trying to guess user
passwords? Has anyone encountered this previously in NT4 with benign
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial: