Educause Security Discussion mailing list archives

Re: Active Directory Lockout Log Tools


From: Samih Ajrouch <samih () AUB EDU LB>
Date: Tue, 30 Oct 2018 09:38:01 +0000

Hi Justin,

We have implemented a number of modules to address similar concerns:

ADAudit

MS ATA

Happy to share our experience in a conf call.

Regards

Samih M. Ajrouch

Associate Director, IT Infrastructure


 

From: Justin Hensley <justin.hensley () UCUMBERLANDS EDU> 
Sent: Monday, October 29, 2018 5:38 PM
Subject: Active Directory Lockout Log Tools

 

Hello All:

We have been encountering an increased occurrence of user accounts being
locked due to our AD lockout policy.  In the past, almost all of these
issues have been due to a user having a bad password in one of our
university systems that kept attempting to autologin and caused the lockout.
However, we now believe that attackers are attempting to brute force the
password with a known username on some accounts.  Would anyone have any
suggestions on a quicker way to track this activity back to an IP than
sorting through all the AD logs?  Are there any tools out there to help with
this?

 

Thanks.

 

Justin O. Hensley, CEH, CISSP
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769 
606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
justin.hensley () ucumberlands edu

www.ucumberlands.edu

 

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error, please
notify the sender and delete this email from your system. Thank you.
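
The question in this thread is how to trace lockouts back to a source IP without reading the logs by hand. As an added example (not from either poster, and not a description of how ADAudit or MS ATA work), the Python below tallies failed-logon events (Windows Security event IDs 4625 and 4771) per source address and ranks the sources. The CSV column layout, the sample rows, the `INTERNAL_NETS` range and the `many_accounts` threshold are assumptions of this example.

```python
import csv, io, ipaddress
from collections import Counter, defaultdict

# Constructed sample of DC Security events exported to CSV (assumed columns).
SAMPLE_CSV = """TimeCreated,EventId,TargetUserName,IpAddress
2018-10-29T08:00:01,4771,jdoe,::ffff:10.20.1.15
2018-10-29T08:00:31,4771,jdoe,::ffff:10.20.1.15
2018-10-29T08:02:10,4625,asmith,203.0.113.7
2018-10-29T08:02:11,4625,bjones,203.0.113.7
2018-10-29T08:02:12,4625,cwhite,203.0.113.7
2018-10-29T08:02:13,4625,ASMITH,203.0.113.7
2018-10-29T08:03:00,4740,jdoe,-
2018-10-29T08:04:00,4625,jdoe,-
"""
FAILURE_IDS = {"4625", "4771"}  # failed logon; Kerberos pre-authentication failed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed campus range

def parse_ip(raw):
    """Return an address object, or None when no network source was logged."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # 4771 often records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
    return getattr(addr, "ipv4_mapped", None) or addr

def failures_by_source(csv_text):
    """Map source IP -> Counter of accounts with failed logons from it."""
    sources = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = parse_ip(row["IpAddress"])
        if row["EventId"] in FAILURE_IDS and addr is not None:
            sources[str(addr)][row["TargetUserName"].lower()] += 1
    return sources

def triage(sources, many_accounts=3):
    """Rank sources by failure count and attach a first-pass label."""
    rows = []
    for ip, accounts in sources.items():
        internal = any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
        label = ("guessing across accounts" if len(accounts) >= many_accounts
                 else "internal host, check for stored bad password" if internal
                 else "external source, review")
        rows.append((ip, sum(accounts.values()), sorted(accounts), label))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in triage(failures_by_source(SAMPLE_CSV)):
        print(*row, sep=" | ")
```

Rows with no usable source address (`-` or empty) are skipped rather than counted, so a source that appears in the output always has an address to follow up on.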
