Re: users locked out spontaneously...
From: Daniel Angelucci (angelucc@nospam.duke.edu)
Date: 10/31/02
- Next message: Daniel Angelucci: "Re: IPSec auditing"
- Previous message: WB IT: "SAM initialization error - The security ID structure is invalid. Error Status 0xc0000078"
- In reply to: CRH: "Re: users locked out spontaneously..."
- Next in thread: Patrick M. Ring: "Re: users locked out spontaneously..."
- Reply: Patrick M. Ring: "Re: users locked out spontaneously..."
Date: Thu, 31 Oct 2002 08:52:09 -0500 From: Daniel Angelucci <angelucc@nospam.duke.edu>
If you set security auditing for logon events, you can see what is
locking out the accounts. Search for event 644. Unfortunately, if you
don't have security auditing on, you will need to wait for it to happen
again to see what is going on.

There are worms out there that do exactly what you are describing. So,
I second the 'update your virus software' suggestion heartily.

Dan

CRH wrote:
>>I run a small web hosting and presence provision company. Our servers are
>>Windows 2000 (sp2) and we have separate servers running DNS, IIS (5),
>>Exchange (5.5sp4), etc. The domain model basically has one "PDC" (or
>>active directory equivalent) with the others getting the replicated
>>security, AD, and DNS information.
>>
>>The problem is this: Twice now, I have had instances where not just one
>>or two, but ALL users are for no apparent reason locked out of their
>>accounts (Win2K).
>
>
> Hmmm...........
>
>
>>Is it possible that someone has hacked far enough to get the usernames of
>>the accounts?
>
>
> Yes.
>
>
>>What is possibly happening? Are there any articles or security measures I
>>might be missing?
>>
>>I have tried to take as much into account as possible, but these holes
>>are discovered daily....
>
>
> Make sure all your patches and anti-virus software are current.
> Go here often http://www.microsoft.com/technet/security/default.asp.
>
> Be wary of disgruntled employees, esp. in IT.
>
> --
> Ciao,
> CRH 8^)>
>
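
As an added example (not part of the original thread), here is one way to triage the event 644 search suggested in the reply above: group lockout events by the machine that caused them and flag any source that locks out several distinct accounts in a short window. The CSV layout, column names, host names and account names are constructed assumptions, not a real export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a CSV export of the Security log (column layout is assumed).
SAMPLE_LOG = """\
time,event_id,target_account,caller_machine
2002-10-30 02:14:01,644,alice,WEB02
2002-10-30 02:14:03,644,bob,WEB02
2002-10-30 02:14:04,529,carol,WEB02
2002-10-30 02:14:06,644,carol,WEB02
2002-10-30 02:14:09,644,dave,WEB02
2002-10-30 09:30:00,644,erin,DESK17
"""

LOCKOUT_EVENT = "644"  # event ID named in the message above


def lockouts_by_source(log_text):
    """Return {caller_machine: [(time, account), ...]} for lockout events only."""
    sources = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"].strip() != LOCKOUT_EVENT:
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        sources[row["caller_machine"].strip().upper()].append(
            (when, row["target_account"].strip().lower()))
    return {src: sorted(events) for src, events in sources.items()}


def mass_lockout_sources(log_text, min_accounts=3, window=timedelta(minutes=5)):
    """Sources that locked out >= min_accounts distinct accounts within `window`."""
    flagged = {}
    for src, events in lockouts_by_source(log_text).items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(len(accounts), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in mass_lockout_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct accounts locked out within 5 minutes")
```

A single host locking out many accounts within seconds points at an automated source on that machine, while isolated lockouts from a user's own workstation usually mean a mistyped or stale password.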