Security Basics mailing list archives

RE: Account lockout - analysis help


From: "Tyler, Grayling" <ggtyler () foodlion com>
Date: Thu, 18 Jan 2007 20:41:47 -0500

1) Make sure you have auditing turned on in policy for the DC
2) Look for 675 events associated with the account.
Regardless of what's causing the lockouts, you should be able to track down the system responsible from the failed Kerberos events.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Miguel Sarri
Sent: Thursday, January 18, 2007 10:56 AM
To: gary () aspectcapital com
Cc: security-basics () securityfocus com
Subject: Re: Account lockout - analysis help

Take a look at services; specifically, you could search for services running as a user account (with an expired password?).

I had the same problem and it was a service that was running with an old password.

Also, you could take a look at the computer account in your DC and look at the logon logs.

Did you check it with another user in that box?
Did you check that user in another box?

Regards.


gary () aspectcapital com wrote:
Hi,

I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools to get me the following:

Wed Jan 17 08:40:00 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 08:40:12 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:52:19 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:52:20 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:32 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:33 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:53:57 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:53:58 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jan 17 09:54:15 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:54:41 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.

Looking on my DCs I have the following entries:

Service Ticket Request Failed:
      User Name:      shallensleben
      User Domain:    ASPECTCAPITAL.COM
      Service Name:   exchangeMDB/VEGA2
      Ticket Options: 0x40800000
      Failure Code:   0x12
      Client Address: 172.16.x.x

Authentication Ticket Request Failed:
      User Name:      shallensleben
      Supplied Realm Name:    ASPECTCAPITAL.COM
      Service Name:   krbtgt/ASPECTCAPITAL.COM
      Ticket Options: 0x40810010
      Failure Code:   0x12
      Client Address: 172.16.x.x

I have also checked for the obvious: mapped network drives, runas, saved credentials etc., all of which are absent.

This is the only user in the domain that gets locked out. He does switch between our wireless and network environment, which I believe should not contribute to the problem?

Does anyone have any ideas?

Thanks in advance,

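The reply at the top of this thread says the source of the lockouts can be found from the failed Kerberos events on the DC, and the events quoted in the original post show why the ones already captured are not enough on their own: failure code 0x12 is KDC_ERR_CLIENT_REVOKED, which the KDC returns once the account is already locked, so those entries are the effect of the lockout rather than its cause. The entries that identify the offending machine are the earlier pre-authentication failures (event 675 on Windows Server 2003, failure code 0x18, KDC_ERR_PREAUTH_FAILED), whose Client Address field names the host that sent the stale password. The script below is an added example, not code from any poster on this thread; it parses a text export in the layout of the quoted events and summarises failures per client address for one account. The sample events are constructed: the "Pre-authentication failed" entries, the jdoe entry and all client addresses are invented, and only the two 0x12 entries mirror what was quoted.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field of the
# Windows KDC audit events. Only the codes that matter for lockout triage.
KRB_FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account locked out, disabled or expired)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password supplied)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Constructed sample in the layout of a Windows Server 2003 security-log text
# export. The "Pre-authentication failed" (event 675) entries, the jdoe entry
# and every client address are invented; the 0x12 entries mirror the thread.
SAMPLE_EVENTS = r"""
Pre-authentication failed:
      User Name:      shallensleben
      User ID:        ASPECTCAPITAL\shallensleben
      Service Name:   krbtgt/ASPECTCAPITAL.COM
      Failure Code:   0x18
      Client Address: 172.16.1.20

Pre-authentication failed:
      User Name:      shallensleben
      User ID:        ASPECTCAPITAL\shallensleben
      Service Name:   krbtgt/ASPECTCAPITAL.COM
      Failure Code:   0x18
      Client Address: 172.16.1.20

Pre-authentication failed:
      User Name:      jdoe
      Service Name:   krbtgt/ASPECTCAPITAL.COM
      Failure Code:   0x18
      Client Address: 172.16.1.30

Authentication Ticket Request Failed:
      User Name:      shallensleben
      Supplied Realm Name:    ASPECTCAPITAL.COM
      Service Name:   krbtgt/ASPECTCAPITAL.COM
      Ticket Options: 0x40810010
      Failure Code:   0x12
      Client Address: 172.16.1.10

Service Ticket Request Failed:
      User Name:      shallensleben
      User Domain:    ASPECTCAPITAL.COM
      Service Name:   exchangeMDB/VEGA2
      Ticket Options: 0x40800000
      Failure Code:   0x12
      Client Address: 172.16.1.10
"""

EVENT_HEADER = re.compile(r"^(\S.*?):\s*$")             # "Pre-authentication failed:"
EVENT_FIELD = re.compile(r"^\s+([^:]+?):\s*(.*?)\s*$")  # indented "Key:   value"


def parse_kerberos_events(text):
    """Split exported event text into a list of {"event": ..., "fields": {...}}."""
    events, current = [], None
    for line in text.splitlines():
        header = EVENT_HEADER.match(line)
        if header:  # an unindented line ending in ':' starts a new event
            current = {"event": header.group(1), "fields": {}}
            events.append(current)
            continue
        field = EVENT_FIELD.match(line)
        if field and current is not None:
            current["fields"][field.group(1)] = field.group(2)
    return events


def triage_lockout(events, user):
    """Count failure codes per client address for one account and flag the
    addresses that submitted a wrong password (0x18): the likely lockout source."""
    by_client = defaultdict(Counter)
    for ev in events:
        f = ev["fields"]
        if f.get("User Name", "").lower() != user.lower():
            continue
        by_client[f["Client Address"]][int(f["Failure Code"], 16)] += 1
    sources = sorted(addr for addr, codes in by_client.items() if codes[0x18])
    return {"by_client": {a: dict(c) for a, c in by_client.items()},
            "bad_password_sources": sources}


def format_report(summary):
    """Render the triage summary as human-readable lines."""
    lines = []
    for addr, codes in sorted(summary["by_client"].items()):
        for code, n in sorted(codes.items()):
            name = KRB_FAILURE_CODES.get(code, "unrecognised code")
            lines.append(f"{addr}: {n} x 0x{code:02x} {name}")
    lines.append("likely lockout sources: "
                 + (", ".join(summary["bad_password_sources"]) or "none found"))
    return lines


if __name__ == "__main__":
    result = triage_lockout(parse_kerberos_events(SAMPLE_EVENTS), "shallensleben")
    print("\n".join(format_report(result)))
```

On a 2003-era DC the pre-authentication failures only appear if "Audit account logon events" is enabled for failures, which is the first step in the reply above. On Windows Server 2008 and later the same events are 4771 (pre-authentication failed) and 4768/4769 (TGT and service ticket requests), and event 4740 on the PDC emulator records the lockout itself together with the caller computer name, so the same per-address summary can be built from those.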

