Re: Account Logon Time Restriction

I will have to expose my ignorance here. Based upon what I have seen I would
have to schedule this to the hours we have observed, lock the user's station
and then begin to look. I know that once the logon attempts begin they occur 5
times per cycle and they cycle every 2-7 minutes. Aside from that I honestly
have no idea how to track down what process is doing this.

Any suggestions?


"Roger Abell [MVP]" wrote:

I would investigate further, not stopping until I understood what
process was doing this, at least if the network logons were other
than to a set pattern of shares (i.e. the few the user would normally
be accessing to do work/tasks, and at a set interval, say once each
15 minutes). Sometimes frequent accesses can be from a local virus
scan that is allowed to work against a mapped drive.
Keep in mind that one vector some malware uses to spread is to
attempt to see what all it can access via network shares.

"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Ok, got that. I guess I was trying to make that harder than it needed to
It is definitely listed as one of our machines, one of our IP's, and one of
our user names. So I will assume it is a process on that box.

I mentioned that the user frequently locks his computer. I spoke to him
night and had him log out. In the first trial of the experiment the logon
attempts stopped. So it looks as if the simple solution would be just to
the guy log off. However, should I be concerned about this further? What
the process that is causing that, should I bother looking for it?

"Roger Abell [MVP]" wrote:

Normally the login messages contain mention of the
workstation from which the login originates. So, is
this recognizable as one of your machines? Failed
login attempts also contain the origin IP, but you are
seeing success. When next this happens, find that
account's likely logged-into workstation, check if
they are logged in with it locked, and if so shut the
machine down. If all attempts end then you know it
is some process running on that workstation in the
context of the logged-in user.

"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Let me try to clarify. All of the failure audits reference one specific
account. Let me also point out that you mentioned a machine being
and locked. I know this user does that frequently. Also you mentioned
determining "where this came from", first things first, how do I
inside vs. outside?

"Roger Abell [MVP]" wrote:

"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
We are operating SBS2003. Today I noted that there were over 1000
failures for one particular user. This user was not on the premises

I am sure you do understand this, but the use of "user" with two
meanings above troubles me, and it might lead to less than full
about what is happening. This about "account" and "individual"
of "user" in the first and second cases of "user" above.

the hours when these occurred. I noticed that the Failure audit had a
which indicates that someone tried to log on over the network.
interesting point is that the failure audit indicates that the user
password were correct. I assume however, based upon the quantity of

I do not understand. Username and password were correct? but the
failed? is that where the subject about login time constraint comes

that someone is doing this with a script. How should I proceed?

Perhaps someone, more likely some thing.
While it is possible that someone was using a tool to specifically
target your environment, it is more common to see such probes
from botnet / infected / zombie machines, which would probably
bring the environment to the notice of a "someone" or group thereof
if a correct access was uncovered.

You need to determine where this came from, at least as
far as the "from inside or outside" question. If that is not
a real distinction in your environment then you probably
need to rethink how the capabilities of SBS are being used.
If it is from inside, trace it down and find what is originating
this, which could be some errant process or some infection
on a machine that is logged into by that account (perhaps
locked, not hibernated, not on standby).
If it is from outside, try to determine what interface, that is
what access capability, was being utilized, and then ask
why that is exposed to the outside (in fact you should examine
all external exposures asking for each whether they are needed
and if so whether exposed in the most secure but usable way).
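
The triage Roger Abell describes above (is the source one of our workstations, is it inside or outside, is the cadence a set pattern) can be checked mechanically against exported Security-log rows. The script below is an added example and is not code from the thread or from any of its participants. It assumes the rows have been exported to a comma-separated shape of time, event id, account, logon type, workstation, source IP (the column layout is an assumption about how you would map your own export); the event IDs 540/529, the hostnames, the addresses, the "off-hours" window of 18:00 to 07:00 and the RFC 1918 ranges used to decide "inside" are all assumptions made for the sample, and the sample rows themselves are constructed to mimic the 5-per-burst, 2-7 minute cycle LDD15 reports.

```python
"""Triage repeated network logons (logon type 3) for one account from
exported Windows security-audit rows. Added example, not from the thread.

Row shape (an assumption about the export): time,event_id,account,
logon_type,workstation,source_ip.  540 = successful network logon,
529 = failed logon (Windows 2003 numbering); type 3 = network.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: three bursts of 5 for jsmith from one internal
# workstation (4 and 6 minutes apart), plus one failed attempt from outside.
SAMPLE_EVENTS = """\
2007-03-12 02:01:10,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:01:12,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:01:14,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:01:16,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:01:18,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:03:00,529,administrator,3,UNKNOWN,203.0.113.9
2007-03-12 02:05:10,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:05:12,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:05:14,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:05:16,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:05:18,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:11:10,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:11:12,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:11:14,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:11:16,540,jsmith,3,WS-ACCT01,192.168.10.57
2007-03-12 02:11:18,540,jsmith,3,WS-ACCT01,192.168.10.57
"""

# Assumed "inside" address space: RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse exported rows into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ltype, ws, ip = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(eid), "account": acct.lower(),
                       "logon_type": int(ltype), "workstation": ws,
                       "source_ip": ip})
    return events


def origin(ip):
    """The thread's 'inside vs. outside' question for one source address."""
    addr = ipaddress.ip_address(ip)
    return "inside" if any(addr in net for net in INTERNAL_NETS) else "outside"


def find_bursts(times, max_gap_seconds=60):
    """Group timestamps into bursts: events closer than max_gap share a burst."""
    bursts = []
    for t in sorted(times):
        if bursts and (t - bursts[-1][-1]).total_seconds() <= max_gap_seconds:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def summarize(events, off_hours=(18, 7)):
    """Per account: volume, off-hours share, sources and burst cadence of
    network logons. off_hours=(start, end) in local hours; 18:00-07:00 is
    an assumed window, not one the thread states."""
    by_acct = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_acct[e["account"]].append(e)
    start_h, end_h = off_hours
    report = {}
    for acct, evs in by_acct.items():
        bursts = find_bursts([e["time"] for e in evs])
        starts = [b[0] for b in bursts]
        gaps = [round((b - a).total_seconds() / 60, 1)
                for a, b in zip(starts, starts[1:])]
        report[acct] = {
            "total": len(evs),
            "off_hours": sum(1 for e in evs
                             if e["time"].hour >= start_h or e["time"].hour < end_h),
            "workstations": sorted({e["workstation"] for e in evs}),
            "origins": sorted({(e["source_ip"], origin(e["source_ip"])) for e in evs}),
            "burst_sizes": [len(b) for b in bursts],
            "burst_gaps_min": gaps,
        }
    return report


def assess(report):
    """Turn the summary into the next step: which box, or which exposure, to inspect."""
    findings = []
    for acct, r in report.items():
        kinds = {o for _, o in r["origins"]}
        if kinds == {"inside"} and len(r["workstations"]) == 1 and len(r["burst_sizes"]) >= 2:
            findings.append(f"{acct}: regular bursts from one internal workstation "
                            f"{r['workstations'][0]} ({r['burst_sizes']} per burst, "
                            f"{r['burst_gaps_min']} min apart); inspect processes "
                            f"running there as {acct}")
        elif "outside" in kinds:
            outside = [ip for ip, o in r["origins"] if o == "outside"]
            findings.append(f"{acct}: network logon attempts from outside {outside}; "
                            f"find which exposed interface accepted them")
    return findings


if __name__ == "__main__":
    for line in assess(summarize(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Run it on your own export after mapping the columns to the row shape above; an account whose logons all come from one internal workstation in a regular cadence points you at that machine (and the locked, still-logged-in session on it), while any "outside" origin points you at the external exposure instead, which is the split the reply above asks you to establish first.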

