RE: Logon/Logoff Failure Events

From: Robert Wagner (rwagner@eruces.com)
Date: 04/01/03

    From: Robert Wagner <rwagner@eruces.com>
    To: "'A. Naveira'" <anaveira@hotmail.com>, incidents@securityfocus.com
    Date: Tue, 1 Apr 2003 09:16:28 -0600 
    
    

    I am going to suggest a less evil explanation. This may be the reason
    depending on how you use your network.

    We have seen a similar problem when an individual has used their id to log
    into multiple workstations, access terminal server, or sign onto a share
    from an unauthenticated machine. Then the user changes their password on
    their main workstation. Eventually the places where they were authenticated
    using their old password (these seem to automatically reauthenticate when
    they hit the timeout value - Kerberos ticket life - I think), cause them to
    hit the lockout policy. The only method for keeping their ID from
    continually locking out is to find all of the places where they are logged
    in and kick them off. This will keep being a pain every time you hit the
    password expiration date.

    Terminal Services Manager (W2K Server) is a good place to see lost TS
    connections.

    Another thought is the machine has a Service with a hard-coded Service
    Account ID and Password. - Look for services that cannot start.

    -----Original Message-----
    From: A. Naveira [mailto:anaveira@hotmail.com]
    Sent: Monday, March 31, 2003 4:37 PM
    To: incidents@securityfocus.com
    Cc: intrusions@incidents.org
    Subject: Logon/Logoff Failure Events

    I recently implemented the account lockout policy on my NT4 PDC (all my
    clients authenticate to this server) and encountered the following events in
    my security event log:

    1. User accounts continue to get locked (Event 539)
    2. Expired password accounts continue trying to log in to the network (Event
       535)
    3. Accounts restricted to specific workstations are trying to login to
       unidentified workstations that I can't seem to ID on my network (Event 533)
       AND
    4. Bad password attempts on existing accounts from unidentified workstations
       that I can't seem to ID on my network (Event 529)

    These events seem quite unsettling, as I see MULTIPLE failed attempts per
    second (more than humanly possible). Could this be an automated process
    (token authentication) that NT is running to authenticate services, apps, or
    other processes or, as I expect, could it be a script trying to guess user
    passwords? Has anyone encountered this previously in NT4 with benign
    sources?

    Ana

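The two explanations in this thread can usually be told apart from the log alone: a stale credential (an old password cached by a terminal-server session or a hard-coded service account, as Robert describes) produces failures for one account, from one workstation, at a regular interval, while a guessing script produces bursts against many accounts from a source the admin cannot identify, as Ana describes. The script below is an added example, not code from either poster. It groups the failure events named in the thread (529, 533, 535, 539) by source workstation and measures account spread, burst rate and the mean gap between failures. The input format is a constructed CSV export (timestamp, event ID, account, workstation), not the native NT4 event-log format, and the thresholds in `classify_source` are assumptions to tune for your own environment.

```python
"""Triage NT4 logon-failure events by source workstation.

Added example: separates 'stale cached password' failures from
'many accounts hammered from one host' failures using rate and spread.
"""
from collections import defaultdict
from datetime import datetime

# Security event IDs named in the thread (NT4 / Windows 2000 audit log).
EVENT_NAMES = {
    529: "bad user name or password",
    533: "user not allowed to log on at this workstation",
    535: "password expired",
    539: "account locked out",
}

# Constructed sample export (not a real log): timestamp,event_id,account,workstation
# TS1 shows one account failing every 10 minutes until it locks out;
# WS-UNKNOWN shows several accounts tried within three seconds.
SAMPLE_LOG = """\
2003-03-31 16:30:00,529,jdoe,TS1
2003-03-31 16:40:00,529,jdoe,TS1
2003-03-31 16:50:00,529,jdoe,TS1
2003-03-31 17:00:00,529,jdoe,TS1
2003-03-31 17:10:00,539,jdoe,TS1
2003-03-31 16:37:01,529,admin,WS-UNKNOWN
2003-03-31 16:37:01,529,admin,WS-UNKNOWN
2003-03-31 16:37:01,529,admin,WS-UNKNOWN
2003-03-31 16:37:01,529,admin,WS-UNKNOWN
2003-03-31 16:37:01,529,admin,WS-UNKNOWN
2003-03-31 16:37:02,529,guest,WS-UNKNOWN
2003-03-31 16:37:02,529,backup,WS-UNKNOWN
2003-03-31 16:37:02,533,svc_sql,WS-UNKNOWN
2003-03-31 16:37:02,529,jsmith,WS-UNKNOWN
2003-03-31 16:37:02,529,admin,WS-UNKNOWN
2003-03-31 16:37:03,529,admin,WS-UNKNOWN
"""


def parse_events(text):
    """Parse the constructed CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, workstation = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "account": account,
            "workstation": workstation,
        })
    return events


def summarize_by_workstation(events):
    """Per source workstation: accounts tried, failure count, peak per second, mean gap."""
    summary = {}
    for ws in {e["workstation"] for e in events}:
        mine = sorted((e for e in events if e["workstation"] == ws), key=lambda e: e["time"])
        per_second = defaultdict(int)
        for e in mine:
            per_second[e["time"]] += 1
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(mine, mine[1:])]
        summary[ws] = {
            "accounts": sorted({e["account"] for e in mine}),
            "failures": len(mine),
            "peak_per_second": max(per_second.values()),
            "mean_gap_s": (sum(gaps) / len(gaps)) if gaps else None,
            "event_ids": sorted({e["event_id"] for e in mine}),
        }
    return summary


def classify_source(stats, many_accounts=3, burst=3):
    """Rough triage; the thresholds are assumptions, tune them for your site."""
    if len(stats["accounts"]) >= many_accounts or stats["peak_per_second"] >= burst:
        return "possible password-guessing script"
    if len(stats["accounts"]) == 1 and stats["peak_per_second"] == 1:
        return "likely stale credential (old password cached on this host)"
    return "undetermined"


def locked_out_accounts(events):
    """Accounts that hit the lockout policy (event 539)."""
    return sorted({e["account"] for e in events if e["event_id"] == 539})


def triage(text):
    """Map each source workstation to a verdict."""
    return {ws: classify_source(st)
            for ws, st in summarize_by_workstation(parse_events(text)).items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ws, st in summarize_by_workstation(evs).items():
        print(ws, st, "->", classify_source(st))
    print("locked out:", locked_out_accounts(evs))
```

For a host flagged as a stale credential, the mean gap is the number to compare against your ticket or session timeout; a source flagged as a guessing script with a workstation name you cannot resolve is the case worth escalating.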

