Re: Account Logon Time Restriction
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 25 Oct 2006 22:06:59 -0700
Normally the login messages contain mention of the
workstation from which the login originates. So, is
this recognizable as one of your machines? Failed
login attempts also contain the origin IP, but you are
seeing success. When next this happens, find that
account's likely logged-into workstation, check if
they are logged in with it locked, and if so shut the
machine down. If all attempts end then you know it
is some process running on that workstation in the
context of the logged-in user.
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C59D092-56F5-4618-93DE-C59466B954BE@xxxxxxxxxxxxxxxx
Let me try to clarify. All of the failure audits reference one specific user
account. Let me also point out that you mentioned a machine being logged into
and locked. I know this user does that frequently. Also you mentioned
determining "where this came from", first things first, how do I determine
inside vs. outside?
"Roger Abell [MVP]" wrote:
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:152FC6DD-AB24-41F5-B791-4A6A273C50A8@xxxxxxxxxxxxxxxx
We are operating SBS2003. Today I noted that there were over 1000 login
failures for one particular user. This user was not on the premises during

I am sure you do understand this, but the use of "user" with two different
meanings above troubles me, and it might lead to less than full clarity
about what is happening. Think about "account" and "individual" instead
of "user" in the first and second cases of "user" above.

the hours when these occurred. I noticed that the Failure audit had a type 3
which indicates that someone tried to log on over the network. Another
interesting point is that the failure audit indicates that the user name and
password were correct. I assume however, based upon the quantity of attempts

I do not understand. Username and password were correct? But the login
failed? Is that where the subject about login time constraint comes in?

that someone is doing this with a script. How should I proceed?
Perhaps someone, more likely some thing.
While it is possible that someone was using a tool to specifically
target your environment, it is more common to see such probes
from bot net / infected / zombie machines which would probably
bring the environment to the notice of a "someone" or group thereof
if a correct access was uncovered.
You need to determine where this came from, at least as
far as the "from inside or outside" question. If that is not
a real distinction in your environment then you probably
need to rethink how the capabilities of SBS are being used.
If it is from inside, trace it down and find what is originating
this, which could be some errant process or some infection
on a machine that is logged into by that account (perhaps
locked, not hibernated, not on standby).
If it is from outside, try to determine what interface, that is
what access capability, was being utilized, and then ask
why that is exposed to the outside (in fact you should examine
all external exposures asking for each whether they are needed
and if so whether exposed in the most secure but usable way).
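The triage Roger describes, as an added example that is not part of the original thread (none of the posts contain code): take Security log entries exported as text, keep the failure audits for one account, pull the Workstation Name and Source Network Address each one carries, and count them by origin, marking each source as inside or outside an assumed internal range. Event ID 530 is the Windows Server 2003 failure audit for an account logon time restriction violation, which is the one audit that fires when the user name and password were accepted but the logon was still refused. The sample log text, the account and workstation names, the addresses and the 192.168.16.0/24 "internal" range are all constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of Windows Server 2003 Security log entries
# exported as text: three event 530 failure audits (logon hours violation) and
# one event 540 successful network logon. Not data from the original thread.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 530
Logon Failure:
 Reason: Account logon time restriction violation
 User Name: jdoe
 Logon Type: 3
 Workstation Name: WS07
 Caller User Name: -
 Source Network Address: 192.168.16.23

Event Type: Failure Audit
Event ID: 530
Logon Failure:
 Reason: Account logon time restriction violation
 User Name: jdoe
 Logon Type: 3
 Workstation Name: WS07
 Caller User Name: -
 Source Network Address: 192.168.16.23

Event Type: Failure Audit
Event ID: 530
Logon Failure:
 Reason: Account logon time restriction violation
 User Name: jdoe
 Logon Type: 3
 Workstation Name: -
 Caller User Name: -
 Source Network Address: 203.0.113.45

Event Type: Success Audit
Event ID: 540
Successful Network Logon:
 User Name: asmith
 Logon Type: 3
 Workstation Name: WS03
 Source Network Address: 192.168.16.31
"""

# Assumed internal LAN range for the inside/outside decision; adjust to yours.
INTERNAL_NETS = [ip_network("192.168.16.0/24")]

# Only the fields the thread relies on. Anchoring at line start keeps
# "Caller User Name:" from being mistaken for "User Name:".
FIELD_RE = re.compile(
    r"^\s*(Event ID|User Name|Logon Type|Workstation Name|Source Network Address):\s*(.*)$",
    re.MULTILINE,
)


def parse_events(text):
    """Split exported log text on blank lines; return one field dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {name: value.strip() for name, value in FIELD_RE.findall(block)}
        if "Event ID" in fields:
            events.append(fields)
    return events


def classify_source(addr, internal_nets=INTERNAL_NETS):
    """'inside' if addr is in an internal range, 'outside' for any other
    address, 'unknown' when the event carries no address (shown as '-')."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return "unknown"
    return "inside" if any(ip in net for net in internal_nets) else "outside"


def summarize_failures(events, account, event_id="530", internal_nets=INTERNAL_NETS):
    """Count one account's failure audits by (workstation, source address, origin)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") != event_id:
            continue
        if ev.get("User Name", "").lower() != account.lower():
            continue
        src = ev.get("Source Network Address", "-")
        counts[(ev.get("Workstation Name", "-"), src, classify_source(src, internal_nets))] += 1
    return counts


def most_likely_origin(counts):
    """The (workstation, source, origin) seen most often: the machine to look
    at first if 'inside', or the exposure to question if 'outside'."""
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    summary = summarize_failures(parse_events(SAMPLE_LOG), "jdoe")
    for (ws, src, origin), n in summary.most_common():
        print(f"{n:4d}  workstation={ws:<8} source={src:<16} {origin}")
    print("start with:", most_likely_origin(summary))
```

The workstation name in these audits is whatever the client supplied and may be blank, so the source address is the more dependable pointer; a run of failures all from one inside address that the account is logged into and has locked is exactly the "errant process on that workstation" case above, while any share of them from an outside address is the question of what interface is exposed.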