Re: Account Logon Time Restriction
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 30 Oct 2006 07:59:04 -0700
Well, now down at once each 90 +/- minutes is not unusual.
The periodic application of group policy for example checks
to see if there have been policy changes on exactly that schedule.
You will probably need to wait for this to recur, talk with the
person about what is left with a window (process, drive, prt, etc)
during the log off and take it up then.
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6150C396-4AF2-4F7D-A41E-024F47DA3ED2@xxxxxxxxxxxxxxxx
Ok,
So I completed per your suggestions. No applications running, workstation
locked. The logon failures decreased signigicantly but are still there.
The
pattern is now 2 attempts every 90-110 minutes. I ran the script and even
got
it to run once within the same minute that the logon failure occured. I
don't
know that I see anything odd in the process list. Have to say that I don't
know exactly what I am looking for but in this particular instance the CPU
usage is 100% to system idle process.
Any further suggestions?
"Roger Abell [MVP]" wrote:
Let's see. Because there are shares on this server where the
login failures are logged, shares to which the user would be
making accesses during normal work hours when it is allowed,
it is not unusual for the account to be targeting that server. Right?
So, it seems a matter of knowing what processes are running
while the user logged into the locked machine.
I would just have a script running elsewhere that did a remote
list of processes to file, sleep for some time, repeat . . . and
end the script execution in the morning and hope to see something
like winword.exe, or outlook, etc. that might be trying to save
something all night long.
Along that line of thought, ask the user to close all of their
applications before they lock their station.
Perhaps if you were to go to
http://www.sysinternals.com
and get pslist from the pstools suite
http://www.sysinternals.com/Utilities/PsTools.html
and run this to refresh every so often remotely listing
the processes on that user's machine
For example, something like
pslist -s 3600 -r 300 \\usermachinename > c:\temp\pslist-out.txt
would record every 5 minutes for an hour into the txt file
when run with credentials that are admin on that user's machine
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BFCF6039-BFA4-4EEC-A1A6-26CA419956C1@xxxxxxxxxxxxxxxx
I will have to expose my ignorance here. Based upon what I have seen I
would
have to schedule this to the hours we have observed, lock the users
station
and then begin to look. I know that once the logon attempts begin the
occur 5
times per cycle and they cycle every 2-7 minutes. Aside from that I
honestly
have no idea how to track down what process is doing this.
Any suggestions?
Thanks.
"Roger Abell [MVP]" wrote:
I would investigate further, not stopping until I understood what
process was doing this, at least if the network logons were other
than to a set pattern of shares (i.e. the few the user would normally
be accessing to do work/tasks, and at a set interval, say once each
15 minutes). Sometimes frequent accesses can be from local virus
scan that is allowed to work against an mapped drive.
Keep in mind that one vector some malware uses to spread is to
attempt to see what all it can access via network shares.
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BE5C1D8D-9023-462C-ABFA-FAEFE9687E3B@xxxxxxxxxxxxxxxx
Ok, got that. I guess I was trying to make that harder than it
needed
to
be.
It is definately listed as one of our machines, one of our IP's, and
on
of
our user names. So I will assume it is a process on that box.
I mentioned that the user frequently locks his computer. I spoke to
him
last
night and had him log out. In the first trial of the experiment the
logon
attempts stopped. So it looks as if the simple solution would be
just
to
make
the guy log off. However, should I be concerned about this further?
What
is
the process that is causing that, should I bother lookin for it?
"Roger Abell [MVP]" wrote:
Normally the login messages contain mention of the
workstation from which the login originates. So, is
this recognizable as one of your machines? Failure
login attempts also contain the origin IP, but you are
seeing success. When next this happens, find that
account's likely logged-into workstation, check if
they are logged in with it locked, and if so shut the
machine down. If all attempts end then you know it
is some process running on that workstation in the
context of the logged-in user.
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C59D092-56F5-4618-93DE-C59466B954BE@xxxxxxxxxxxxxxxx
Let me try to clarify. All of the failure audits reference one
specific
user
account. Let me also point out that you mentioned a machine being
logged
into
and locked. I know this user does that frequently. Also you
mentioned
determining "where this came from", first things first, how do I
determin
inside vs. outside?
"Roger Abell [MVP]" wrote:
"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:152FC6DD-AB24-41F5-B791-4A6A273C50A8@xxxxxxxxxxxxxxxx
We are operating SBS2003. Today I noted that there where over
1000
login
failures for one particular user. This user was not on the
premisis
during
I am sure you do understand this, but the use of "user" with two
different
meanings above troubles me, and it might lead to less than full
clarity
about what is happening. This about "account" and "individual"
instead
of "user" in the first and second cases of "user" above.
the hours when these occured. I noticed that the Failure audit
had a
type
3
which indicates that someone tried to log on over the network.
Another
interesting point is that the failure audit indicates that the
user
name
and
password were correct. I assume however, based upon the
quantity
of
attemtpts
I do not understand. Username and password were correct ? but
the
login
failed ? is that where the subject about login time constraint
comes
in
?
that someone is doing this with a script. How should I
proceed?
Perhaps someone, more likely some thing
While is it possible that someone was using a tool to
specifically
target your environment, it is more common to see such probes
from bot net / infected / zonbie machines which would probably
bring the environment to the notice of a "someone" or group
thereof
if a correct access was uncovered.
You need to determine where this came from, at least as
far as the "from inside or outside" question. If that is not
a real distinction in you environment then you probably
need to rethink how the capabilities of SBS are being used.
If it is from inside, trace it down and find what is originating
this, which could be some errant process or some infection
on a machine that is logged into by that account (perhaps
locked, not hibernated, not on standby).
If it is from outside, try to determine what interface, that is
what access capability, was being utilized, and then ask
why that is exposed to the outside (in fact you should examine
all external exposures asking for each whether they are needed
and if so whether exposed in the most secure but usable way).
.
- References:
- Re: Account Logon Time Restriction
- From: Roger Abell [MVP]
- Re: Account Logon Time Restriction
- From: Roger Abell [MVP]
- Re: Account Logon Time Restriction
- From: LDD15
- Re: Account Logon Time Restriction
- From: Roger Abell [MVP]
- Re: Account Logon Time Restriction
- From: LDD15
- Re: Account Logon Time Restriction
- From: Roger Abell [MVP]
- Re: Account Logon Time Restriction
- From: LDD15
- Re: Account Logon Time Restriction
- Prev by Date: Re: Account Logon Time Restriction
- Next by Date: Certificate FQDN example.local domain using example.com certificate
- Previous by thread: Re: Account Logon Time Restriction
- Next by thread: How to communicate with a naped pipe on a different PC without security problems preventing it?
- Index(es):
Relevant Pages
|
|
