Failed Logon Attempts
From: Amit (anonymous_at_discussions.microsoft.com)
Date: 05/12/04
- In reply to: Cap: "Failed Logon Attempts"
Date: Wed, 12 May 2004 07:42:41 -0700
It can be a brute force attack carried out by some person within your company. Try to set the local security policy if the system is in a workgroup, or else, if it is connected to a domain, set a domain security policy.

In the policy editor go to Account Policies >> Account lockout policies >> set account lockout threshold >> to 4 or 5 invalid attempts >> also tick log invalid logons >> so that you can trace the time and other details to do further investigations.

Also set Account lockout policies too.

Post the details to me after doing all these things.

>-----Original Message-----
>We are currently running a Loglooker application to scan our servers for failed logon attempts. A common query might read:
>
>"WEBSERVER2: Found 169 login failure(s) for user 'joeblow' on workstation 'jowblowspc' between 05/09/04 11:56:13 and 05/09/04 18:26:41."
>
>We will then investigate the source workstation and conduct the following:
>1- Make sure Anti-Virus version is current, and run a full system scan on the PC
>2- Clear all quarantined files (if any), check virus log history, run any fix executable for any viruses found in the history
>3- Make sure all MS patches are installed
>4- Make sure no unnecessary startup applications are accessing the network
>5- Look to see if any mapped drives or batch processes are failing to connect
>6- Check Event Viewer for any unusual or malicious system activity
>7- Ask the end user if they know what the server is, what it is used for and why they connect to it and how. This inquiry may better help us to isolate the failure
>8- Ask what the end user's role is and whether or not they have any utilities that will cause a violation in conducting their job
>9- If the end user has a firewall, try to isolate network activity or block/prompt network activity to the specific server.
>
>The problem is, the majority of the time after completing these basic steps we cannot find any malicious activity causing the logon attempts. Then, usually, the same logon violation will occur again on the same workstation... never able to find the cause of the violation.
>
>All the workstations are NT4 or 2K with a few XP. Some ideas of other areas to check, suggestions or even an application that can be run on the workstation to monitor the logon attempts would be helpful. Any additional information that could help isolate these issues would be great.
>
>Much Thanks,
>Cap
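
An added example, not part of either poster's message and not Loglooker's own code: Python that parses alert lines in the format quoted above, groups them by user and workstation, and flags sources that exceed a threshold or recur across days. The MM/DD/YY timestamp order, the function names, and every sample line after the first are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format copied from the Loglooker alert quoted in the thread.
LINE_RE = re.compile(
    r"(?P<server>\S+): Found (?P<count>\d+) login failure\(s\) for\s+"
    r"user '(?P<user>[^']*)' on workstation '(?P<ws>[^']*)' between\s+"
    r"(?P<start>\d\d/\d\d/\d\d [\d:]{8}) and (?P<end>\d\d/\d\d/\d\d [\d:]{8})")
TS = "%m/%d/%y %H:%M:%S"  # assumed MM/DD/YY, consistent with the post date

# Constructed sample input; only the first line's values come from the thread.
SAMPLE = """\
WEBSERVER2: Found 169 login failure(s) for user 'joeblow' on workstation 'jowblowspc' between 05/09/04 11:56:13 and 05/09/04 18:26:41.
WEBSERVER2: Found 3 login failure(s) for user 'asmith' on workstation 'asmithpc' between 05/09/04 08:01:10 and 05/09/04 08:02:30.
WEBSERVER2: Found 171 login failure(s) for user 'joeblow' on workstation 'jowblowspc' between 05/10/04 11:55:02 and 05/10/04 18:30:09.
"""

def parse(text):
    """Yield one dict per alert line; text that does not match is skipped."""
    for m in LINE_RE.finditer(text):
        yield {"user": m["user"], "ws": m["ws"], "count": int(m["count"]),
               "start": datetime.strptime(m["start"], TS),
               "end": datetime.strptime(m["end"], TS)}

def triage(text, threshold=5):
    # threshold=5 mirrors the lockout threshold suggested in the reply; applying
    # it to the per-alert count is an assumption of this example.
    groups = defaultdict(list)
    for a in parse(text):
        groups[(a["user"], a["ws"])].append(a)
    report = []
    for (user, ws), alerts in groups.items():
        total = sum(a["count"] for a in alerts)
        secs = sum((a["end"] - a["start"]).total_seconds() for a in alerts)
        days = {a["start"].date() for a in alerts}
        report.append({
            "user": user, "workstation": ws, "failures": total,
            "per_hour": round(total * 3600 / secs, 1) if secs else None,
            "over_threshold": any(a["count"] >= threshold for a in alerts),
            # Seen on more than one day: the recurring pattern the original
            # poster describes, where the same workstation keeps coming back.
            "days_seen": len(days), "recurring": len(days) > 1,
        })
    return sorted(report, key=lambda r: r["failures"], reverse=True)
```

Calling `triage(SAMPLE)` returns the sources ranked by total failures, so the workstation to investigate first is at the top of the list.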