Security Basics mailing list archives
RE: Account lockout - analysis help
From: "Tyler, Grayling" <ggtyler () foodlion com>
Date: Thu, 18 Jan 2007 20:41:47 -0500
1) Make sure you have auditing turned on in policy for the DC 2) Look for 675 events associated with the account. Regardless of what's causing the lockouts you should be able to track down the system responsible from the failed Kerberos events. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Miguel Sarri Sent: Thursday, January 18, 2007 10:56 AM To: gary () aspectcapital com Cc: security-basics () securityfocus com Subject: Re: Account lockout - analysis help Take a look at services, specifically you could search for services running as an user account (with expired password?). I had the same problem and it was a service that was running with an old password. Also you could take a look at the computer account in your DC, and look the logs of logon. Did you check it with another user in that box? Did you check that user in another box? Regards. gary () aspectcapital com escribió:
Hi, I Have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools, to get me
the following
Wed Jan 17 08:40:00 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 08:40:12 2007, PID: 1872, Thread: 2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:50:29 2007, PID: 3216, Thread: 2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:52:19 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:52:20 2007, PID: 2648, Thread: 3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:53:32 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:53:33 2007, PID: 2040, Thread: 1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:53:57 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:53:58 2007, PID: 2264, Thread: 2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch Wed Jan 17 09:54:15 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH Wed Jan 17 09:54:41 2007, PID: 656, Thread: 3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch. Looking on my dc's I hae the following entries Service Ticket Request Failed: User Name: shallensleben User Domain: ASPECTCAPITAL.COM Service Name: exchangeMDB/VEGA2 Ticket Options: 0x40800000 Failure Code: 0x12 Client Address: 172.16.x.x Authentication Ticket Request Failed: User Name: shallensleben Supplied Realm Name: ASPECTCAPITAL.COM Service Name: krbtgt/ASPECTCAPITAL.COM Ticket Options: 0x40810010 Failure Code: 0x12 Client Address: 172.16.x.x I have also checked for the obvious mapped netowrk drives, runas, saving credentials etc. all of which are absent. This is the only user in the domain that gets locked out. He does switch between out wireless and network environment, which I believe should not contribute to the problem? Does anyone have any ideas? Thanks in advance,
************************************************************************** This electronic message may contain confidential or privileged information and is intended for the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by using the e-mail address or by telephone (704-633-8250). **************************************************************************
Current thread:
- Account lockout - analysis help gary (Jan 17)
- Re: Account lockout - analysis help Miguel Sarri (Jan 18)
- Re: Account lockout - analysis help Tima Soni (Jan 19)
- <Possible follow-ups>
- RE: Account lockout - analysis help Tyler, Grayling (Jan 19)
- Re: Account lockout - analysis help Miguel Sarri (Jan 18)