Re: Finding Account Lockout Source
From: Miha Pihler (miha.pihler_at_Atlantis-N0Spam.si)
Date: 07/31/03
- Next message: Steven L Umbach: "Re: EFS not secure on LAN"
- Previous message: Scott Micale: "Security on local user"
- In reply to: Erik Presnell: "Re: Finding Account Lockout Source"
- Next in thread: PattyMac: "Re: Finding Account Lockout Source"
Date: Thu, 31 Jul 2003 00:06:17 +0200
Hi Erik,
It is hard to tell what and how to look for, especially if you don't know if
your firewall is doing its job.
In this case you could use IDS to see what is going on. Another option is to
run "netstat -an" from the command line and see who has an established connection.
You could also give Network Monitor a try...

--
Mike
MCSA 2K, MCSE 2K, MCT, ...

"Erik Presnell" <presnell@milltec.com> wrote in message
news:%23lLcUUuVDHA.1560@TK2MSFTNGP11.phx.gbl...
> Hello Mike,
>
> I was able to get some information from those logs I just have to interpret
> what they are saying. Now my next question/problem is: What happens when
> the computer names are not within your domain? Does that mean that someone
> is getting through the firewall or could it be a program emulating those
> computer names? I called our firewall software provider and they checked
> out our settings and said we should be fine....key word being should. Is
> there anything I can check for? Thanks again for your help.
>
> "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> news:OgOwzetVDHA.2224@TK2MSFTNGP10.phx.gbl...
> > Have you installed ALockout.dll and Appinit.reg files? Have you looked into
> > this file:
> > %Systemroot%\Debug\Alockout.txt?
> >
> > The content of Alockout.txt file will contain something like this
> > Wed Jul 30 13:01:12 2003, PID: 380, Thread: 376, Image C:\WINNT\System32\termsrv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> > Wed Jul 30 13:01:14 2003, PID: 516, Thread: 500, Image C:\WINNT\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> > Wed Jul 30 13:01:15 2003, PID: 544, Thread: 548, Image C:\WINNT\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> > Wed Jul 30 13:02:03 2003, PID: 864, Thread: 860, Image C:\WINNT\system32\Dfssvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> > Wed Jul 30 13:02:03 2003, PID: 888, Thread: 884, Image C:\WINNT\System32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> >
> > Details on how to use ALockout.dll tools (and others) are here...
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
> >
> > --
> > Mike
> > MCSA 2K, MCSE 2K, MCT, ...
> >
> > "Erik Presnell" <presnell@milltec.com> wrote in message
> > news:OFemqEtVDHA.1896@TK2MSFTNGP12.phx.gbl...
> > > I have read several of these similar posts and I'm experiencing the same
> > > problem. I have been able to use the event viewer tool that is in the
> > > altools.exe to trace to what servers people are trying to authenticate from,
> > > but my next question is what to do with that information. I'm the domain admin
> > > here and on "server 123" in the event viewer it will have something like:
> > >
> > > Event Type: Failure Audit
> > > Event Source: Security
> > > Event Category: Logon/Logoff
> > > Event ID: 529
> > > Date: 7/30/2003
> > > Time: 1:58:34 PM
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: "Server 123"
> > > Description:
> > > Logon Failure:
> > > Reason: Unknown user name or bad password
> > > User Name: "my initials"
> > > Domain: concord
> > > Logon Type: 3
> > > Logon Process: NtLmSsp
> > > Authentication Package: NTLM
> > > Workstation Name: "ABC"
> > >
> > > Now this is what I don't understand; my workstation is "XYZ"; so I go to
> > > "ABC" to see if there was anything going on at 1:58:34. There is nothing
> > > there, there are also no unusual programs. Please help me, I'm just not
> > > seeing the next logical step. Thank you for any help.
> > >
> > > Erik
> > >
> > > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> > > news:OaJLc7sVDHA.484@TK2MSFTNGP09.phx.gbl...
> > > > Hi,
> > > >
> > > > You can use these tools:
> > > >
> > > > http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> > > >
> > > > --
> > > > Mike
> > > > MCSA 2K, MCSE 2K, MCT, ...
> > > >
> > > > "PattyMac" <pmacarthur@jenner.com> wrote in message
> > > > news:052901c356cc$14f20bb0$a101280a@phx.gbl...
> > > > > Recently changed a password on an account. Now that
> > > > > account keeps locking out every 10 minutes or so. How can
> > > > > I find out the source of the problem? My guess is there's
> > > > > a machine or service somewhere using that ID, but I don't
> > > > > know where. Can I find the IP or Machine name that's
> > > > > using that ID?
> > > > >
> > > > > Thanks for any feedback.
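
Added example, not part of the original posts: one way to triage the Event ID 529 failure audits quoted in this thread is to parse the exported event text, count failures for the locked-out account per workstation name and logon type, and mark names that are missing from your own host inventory. The sample records, the account "ep", the host names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: Event ID 529 records trimmed to the fields used here,
# in the "Name: value" layout quoted in the thread. Hosts/users are made up.
TEMPLATE = """Event Type: Failure Audit
Event ID: 529
Date: 7/30/2003
Time: {time}
Reason: Unknown user name or bad password
User Name: {user}
Domain: concord
Logon Type: {ltype}
Authentication Package: NTLM
Workstation Name: {ws}
"""
ROWS = [("1:58:34 PM", "ep", "3", "ABC"), ("2:08:40 PM", "ep", "3", "ABC"),
        ("2:09:02 PM", "ep", "3", "OLDBOX"), ("2:10:11 PM", "jd", "2", "XYZ")]
SAMPLE_EXPORT = "".join(
    TEMPLATE.format(time=t, user=u, ltype=lt, ws=ws) for t, u, lt, ws in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split exported event text into one dict per 'Event Type:' record."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().strip('"')
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def lockout_sources(events, account, known_hosts):
    """Count 529 failures for one account per (workstation, logon type)."""
    known = {h.upper() for h in known_hosts}
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") == "529" and ev.get("User Name", "").lower() == account.lower():
            counts[(ev.get("Workstation Name", "").upper(), ev.get("Logon Type", "?"))] += 1
    # The NTLM workstation name is reported by the client, so a name missing
    # from the inventory is a lead to follow up, not proof of origin.
    return [{"workstation": ws, "logon_type": lt, "failures": n, "in_inventory": ws in known}
            for (ws, lt), n in counts.most_common()]

if __name__ == "__main__":
    for row in lockout_sources(parse_events(SAMPLE_EXPORT), "ep", ["XYZ", "ABC"]):
        print(row)
```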