Re: ISS service account keeps locking out
From: Drew (Drew_at_discussions.microsoft.com)
Date: 12/03/04
- Next message: Jeff Cochran: "Re: ftp - iis5 & iis6"
- Previous message: Drew: "Re: ISS service account keeps locking out"
- In reply to: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Next in thread: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Reply: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Dec 2004 08:49:13 -0800
When the IIS scans a machines, it use a domain account to actually log into
the machine, giving it more access to the machine and allows us to search for
more vulnerabilities.
"Tom Kaminski [MVP]" wrote:
> "Drew" <Drew@discussions.microsoft.com> wrote in message
> news:2B2C427C-CC8B-4E92-B0C2-459B46172C18@microsoft.com...
> > Hello Microsoft,
> >
> > You always have the answers
> > Please take the time to read and respond to this.
> >
> > Please help me with this; I'm a network administrator with an account
> > lockout problem. We have an ISS domain account which has administrative
> > permissions to all the machines on the network. The ISS scanner uses this
> > account to authenticate to the machine its scanning. For some reason, the
> > account continually keeps locking out during scanning. Randomly..!!
> > I have ruled out all the basics and have even created a separate second
> ISS
> > account with the same permissions; this one keeps locking out too. The
> > Netlogon.log on the DCs shows Transitive Network logons from the machines
> > it's scanning. Some successful, some not.
> >
> > I believe the following are the successful logons...
> >
> > SamLogon: Transitive Network logon of Domain1\ISSaccount from ISS-Scanner
> > (via CONFmachine) Returns 0x0
> >
> > Some of the unsuccessful ones appear as follows
> >
> > SamLogon: Transitive Network logon of (null)\Domain1\ISSaccount from \\
> (via
> > Confmachine) Returns 0xC0000064
> >
> > What does the (null) mean?
> > Also after the from, where you should see ISS-Scanner, all there is are 2
> > \\??
> > When I look at these events on the local machine, the source workstation,
> > where it normally give you the IP or machine name of the remote machine
> > making the logon request, it also just has the 2 \\?
> >
> > A few more unsuccessful entries
> >
> > SamLogon: Transitive Network logon of (null)\ISSaccount from \\ (via
> > Confmachine)Returns 0xC000006A
> >
> > Here the entry doesn't even list the domain name before the user account,
> > just the (null) and still lists the FROM machine as just \\. However it
> still
> > returns a 0xc06A error which means bad password.
> > By the looks of it, shouldn't it come back with unknown username?
> >
> > Eventually the log fills up with 0x00000234 when the account finally locks
> out
> >
> > Does anyone know?
> > What the (null) means?
> > Why the FROM is listed as only \\
> > Why the account is locking out
> >
> > PLEASE. ANY HELP WOULD BE GREATLY APPRECIATED.
>
> I don't understand what you mean by:
> "The ISS scanner uses this account to authenticate to the machine its
> scanning."
>
>
>
- Next message: Jeff Cochran: "Re: ftp - iis5 & iis6"
- Previous message: Drew: "Re: ISS service account keeps locking out"
- In reply to: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Next in thread: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Reply: Tom Kaminski [MVP]: "Re: ISS service account keeps locking out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
