Re: Windows 2000 users accounts get locked out
anonymous_at_discussions.microsoft.com
Date: 05/28/04
- Next message: Andrew Mitchell: "Re: admin rights for certain software?"
- Previous message: Dan Landry: "Administrator rights"
- In reply to: Steven L Umbach: "Re: Windows 2000 users accounts get locked out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 May 2004 21:57:53 -0700
Hey Steve
Really appreciated your help. I have done a self scan from Sygate, but the result was all my ports were blocked except smtp and ping. Anyway, thanks for helping.
>-----Original Message-----
>Hi Merrick.
>
>I think I mentioned testing your firewall initially and a self scan at Sygate should have warned you about that. Having netbios/file and print sharing ports open to the internet can certainly cause such a problem. Glad you got it fixed! --- Steve
>
>
>"Merrick" <anonymous@discussions.microsoft.com> wrote in message news:11eda01c44235$0531b4a0$a101280a@phx.gbl...
>> Hey Steve
>> After going through the nightmares, I found I got a simple problem which most of us have ignored the warning! Just block the 135,137,139 and 445 and all my problems are gone!
>> Regards
>> Merrick
>> >-----Original Message-----
>> >Hi Steve,
>> >
>> >I really appreciated your patience and help. After weeks of trouble shooting, I think I am zooming down to the source. Yes, it looks like a trojan that came into my servers or our users PC.
>> >I managed to stabilise the condition by cleaning each individual PC and it seems to be helping for now.
>> >Will check out the links and will strengthen the protection as suggested. You have been a great help!
>> >
>> >Will update you once I have managed to control the situation. !!
>> >Regards
>> >Merrick
>> >>-----Original Message-----
>> >>Hi Merrick.
>> >>
>> >>Typically that sounds like an outside the network attack from attackers that were able to enumerate your users via file and print sharing ports somewhere along the line. You say it does not happen when the users go home. If they shut down their machines either the machine causing the attack is shut down or the machine being attacked is shut down. One thing you might want to consider is the possibility a machine on your network has a backdoor into your network via a trojan or remote control software which may not be detected by virus scan software and would require a program dedicated to finding trojans such as those in the links below. I am surprised that you are not finding any Event ID 529 or 681 if auditing of failed logon events is enabled on all computers. You also may want to look into debug logging of netlogon as described a while back. Ideally you also want your perimeter firewall configured with a default block all outbound rule and then create exceptions for the authorized outbound traffic [53/80/443 and such] which can help prevent successful remote control attacks --- Steve
>> >>
>> >>http://swatit.org/download.html
>> >>http://www.pestpatrol.com/PestPatrolSBE/
>> >>
>> >>"Merrick" <anonymous@discussions.microsoft.com> wrote in message news:10b6e01c44090$88e31bf0$a001280a@phx.gbl...
>> >>> Hi Steve
>> >>> Those machine names I mentioned are not in my network. I have no idea why my users which are valid and the network domain name which is also valid were locked out from funny machine names! I have tried to capture 529 and 681 but my eventcomb did not manage to find any of those errors.
>> >>> As for my firewall, I have tried to scan them from outside and my ports are blocked.
>> >>> One thing for sure is when all my users are gone for the day, no more lockouts happen. But once they are back for work, the lockouts happen again. Apparently the lockout issues were not someone trying to come in from beyond my firewall.
>> >>> I am still trying to figure out where the lockouts happen. Thanks for the help though!
>> >>>
>> >>> have a great weekend!
>> >>>
>> >>> >-----Original Message-----
>> >>> >Hi Merrick.
>> >>> >
>> >>> >You say that those machines are on your network or not?? Can you ping those machines by their name and get a response? The caller machine is the name of the machine that the user was attempting to logon from at the time of the lockout. If those computers are on your network, you need to find out why they are trying to logon as your users, such as a virus infection. If they are not from your network then how are they getting access? You said your firewall is configured correctly? Is your firewall allowing any access from the internet such as a web site, vpn, or Terminal Services? The event ID displays what user is locked out and from what machine but if you can find any failures for logons on any domain machine such as 681 or 529, that would be helpful as it will help determine what domain computers are being targeted for these failed logon attempts and then you could use a packet sniffer such as Ethereal to monitor the traffic from the machine causing the lockout to possibly help determine what is going on.. --- Steve
>> >>> >
>> >>> >"Merrick" <anonymous@discussions.microsoft.com> wrote in message news:1021301c43f28$407ea5a0$a601280a@phx.gbl...
>> >>> >> Hi Steve and serverguy
>> >>> >>
>> >>> >> Great help!
>> >>> >> Yes I did a netdiag and seems ok but dcdiag generated some errors: one of which: "[warning] The DNS host name 'xxx' valid only on Windows 2000 DNS servers. [DNS_ERROR-NON-RFC_NAME], [WARNING] Cannot find a primary authoritative DNS server for the name 'xxxx' may not be registered in DNS"
>> >>> >> Managed to read up some issues and rerun dcdiag and cleared all the errors. Still my accounts get locked out.
>> >>> >> The worst is my event log from eventcomb shows that my valid users are being locked out by all sorts of foreign machine name, one of which is this:
>> >>> >> 644,AUDIT SUCCESS,Security,Fri May 21 16:06:46 2004,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: "valid user id" Target Account ID: %("numbers") Caller Machine Name: ANGEL Caller User Name: "my servername"$
>> >>> >>
>> >>> >> The Caller Machine Name: Angel is a remote machine name in my network. I have no idea what is that! A few others Caller Machine Name are PROXYSRV, GNSERVER, SERVIDOR ..?? what are those!?. Am trying to scan all my users for virus now.
>> >>> >>
>> >>> >> Thanks for helping !
>> >>> >> Regards
>> >>> >> Liew
>> >>> >>
>> >>> >> >-----Original Message-----
>> >>> >> >Event ID 642 will be recorded with every Event ID 644 -- that is normal. If you want to modify password/lockout policy you have to do it at the domain level which would be "Domain Security Policy" in a default installation - it will NOT work if you do it in Domain Controller Security Policy.
>> >>> >> >
>> >>> >> >Have you found any failed logon event ID's on any domain computer? That is the place to start to track down the problem to see if you have an infected machine or what. The error for ,***StartServiceW Failed!*** would only be pertinent if you found that on a computer experiencing account lockouts AND the lockout time corresponded to the time for that event in the alockout.dll log.
>> >>> >> >
>> >>> >> >Have you had a chance to run netdiag and dcdiag on the domain controller and netdiag on a domain client? If so did the results look good or were there any reported problems? --- Steve
>> >>> >> >
>> >>> >> >"Merrick" <anonymous@discussions.microsoft.com> wrote in message news:eed101c43d78$7eb1fc20$a401280a@phx.gbl...
>> >>> >> >> Hi Steve,
>> >>> >> >> You have been a great help! I really appreciated it. As to my problem:
>> >>> >> >> 1.) I have disabled my accounts lockout policy in my domain controller security policy but I still get accounts locked out, yes the administrator is always locked out.
>> >>> >> >> 2.) I have included 644 and 642 in my eventcomb and for every 644 I got one 642. MS provide very little information on 642 and am still trying to gather information on that. It seems like my secure channel is leaking.
>> >>> >> >> 3.) I have also planted alockout.dll in one of my clients and one particular line is worrying me: C:\WINNT\system32\svchost,***StartServiceW Failed!*** (0), Service: Service: Background Intelligent Transfer Service (C:\WINNT\System32\svchost.exe -k BITSgroup), RC was: Incorrect function. (1), GLE was: Overlapped I/O operation is in progress. (997): Any comment?
>> >>> >> >>
>> >>> >> >> Hope you can help! Many Thanks in advance!
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> >-----Original Message-----
>> >>> >> >> >Hi again Merrick.
>> >>> >> >> >
>> >>> >> >> >If you have not done such, set your account lockout threshold for number of bad attempts to at least ten. You should be seeing failed logon attempts such as Event ID 529 on some computers in the domain. These failed logons could be on any computer in the domain - not just domain controllers. Be sure you have auditing of "logon events" for failure which is different than account logon events enabled in Domain Security Policy and Domain Controller Security Policy. You may also need to configure it at the OU level if you are using Organizational Units with their own Group Policies that have auditing disabled. You can check the Local Security Policy of any domain computer and look at the "effective" settings for auditing to see if it is enabled. Those failed logon events will give a lot of helpful info on why the logons are failing and from what computers the logon attempts are coming from.
>> >>> >> >> >
>> >>> >> >> >In addition I would run some diagnostics on the domain controller and then a couple domain computers. First run netdiag on the domain controller looking for any failed tests/errors/warnings particularly relating to dns, domain membership, and dclist. Then run dcdiag on the domain controller looking for failed tests again. After that do the same with netdiag on one of the domain members. On the domain controller and domain member run " netdiag /test:ipsec " which will show if an ipsec policy is assigned that can cause problems in a domain. You can post results here in a reply if any problems are found. Those tools are found on the install cdrom in the support/tools folder where you will need to run the setup there. -- Steve
>> >>> >> >> >
>> >>> >> >> >
>> >>> >> >> >"Merrick" <anonymous@discussions.microsoft.com> wrote in message news:e7fb01c43cb0$4343bd40$a001280a@phx.gbl...
>> >>> >> >> >> Hi guys! thanks for the help. I have scanned my firewall as suggested by Steven and all my ports are secured. I have also increased my password threshold to 10 minutes. I have patched all my software for my servers and users. All my users are using Windows 2000 only. I have also renamed my administrator for my server. I have downloaded EventCombMT from MS and managed to search all my events log. I have a long list of event ID: 644. Yet when I go through the list I still don't understand why my users are getting locked out! This happened suddenly and I have never changed any thing to my servers. My accounts is still getting locked out and yet I still don't know why! Please help. Many thanks in advance!
>> >>> >> >> >> Merrick
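As an added illustration (not part of the thread above, and not Microsoft's or EventCombMT's own code): a small Python parser for EventCombMT-style Event ID 644 lines in the layout Liew quoted, which groups lockouts by Caller Machine Name and lists the callers that are not on the administrator's own host list, which is the "are those machines on your network?" check Steve asks for. The log lines, host names and SIDs are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the EventCombMT-style layout quoted in the thread:
# event id, type, log, time, account, message. Names and SIDs are made up.
SAMPLE_LOG = """\
644,AUDIT SUCCESS,Security,Fri May 21 16:06:46 2004,NT AUTHORITY\\SYSTEM,User Account Locked Out: Target Account Name: jsmith Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: ANGEL Caller User Name: MYSERVER$
644,AUDIT SUCCESS,Security,Fri May 21 16:07:02 2004,NT AUTHORITY\\SYSTEM,User Account Locked Out: Target Account Name: administrator Target Account ID: %{S-1-5-21-1-2-3-500} Caller Machine Name: PROXYSRV Caller User Name: MYSERVER$
642,AUDIT SUCCESS,Security,Fri May 21 16:07:02 2004,NT AUTHORITY\\SYSTEM,User Account Changed: Target Account Name: administrator
644,AUDIT SUCCESS,Security,Fri May 21 16:09:15 2004,NT AUTHORITY\\SYSTEM,User Account Locked Out: Target Account Name: jsmith Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: WS-ACCT07 Caller User Name: MYSERVER$
644,AUDIT SUCCESS,Security,Fri May 21 16:11:40 2004,NT AUTHORITY\\SYSTEM,User Account Locked Out: Target Account Name: mliew Target Account ID: %{S-1-5-21-1-2-3-1042} Caller Machine Name: ANGEL Caller User Name: MYSERVER$
"""

# Hosts the administrator knows belong to the domain (constructed list).
KNOWN_HOSTS = {"MYSERVER", "WS-ACCT07", "WS-ACCT08"}

LOCKOUT_RE = re.compile(
    r"Target Account Name:\s*(?P<target>\S+).*?"
    r"Caller Machine Name:\s*(?P<caller>\S+).*?"
    r"Caller User Name:\s*(?P<caller_user>\S+)"
)

def parse_lockouts(text):
    """Return one dict per Event ID 644 line: time, target, caller machine, caller user."""
    events = []
    for line in text.splitlines():
        fields = line.split(",", 5)          # the message itself may contain commas
        if len(fields) < 6 or fields[0] != "644":
            continue                          # 642 and other events are not lockouts
        m = LOCKOUT_RE.search(fields[5])
        if m:
            events.append({"time": fields[3], **m.groupdict()})
    return events

def lockouts_by_caller(events):
    """Count lockouts per caller machine; the noisiest caller is the first host to examine."""
    return Counter(e["caller"] for e in events)

def unknown_callers(events, known_hosts):
    """Map each caller machine that is not a known domain host to the accounts it locked out.

    Such a caller is either an unmanaged host on the LAN (e.g. an infected PC)
    or something reaching the DC from outside, the two cases Steve raises."""
    hits = defaultdict(set)
    for e in events:
        if e["caller"].upper() not in known_hosts:
            hits[e["caller"]].add(e["target"])
    return {caller: sorted(targets) for caller, targets in hits.items()}

if __name__ == "__main__":
    evs = parse_lockouts(SAMPLE_LOG)
    print(lockouts_by_caller(evs).most_common())
    print(unknown_callers(evs, KNOWN_HOSTS))
```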