Security Incidents mailing list archives

RE: Logon/Logoff Failure Events


From: Robert Wagner <rwagner () eruces com>
Date: Tue, 1 Apr 2003 09:16:28 -0600

I am going to suggest a less evil explanation.  This may be the reason
depending on how you use your network.

We have seen a similar problem when an individual has used their id to log
into multiple workstations, access terminal server, or sign onto a share
from an unauthenticated machine.  Then the user changes their password on
their main workstation.  Eventually the places where they were authenticated
using their old password (these seem to automatically reauthenticate when
they hit the timeout value - Kerberos ticket life - I think), cause them to
hit the lockout policy.  The only method for keeping their ID from
continually locking out is to find all of the places where they are logged
in and kick them off.  This will keep being a pain every time you hit the
password expiration date.

Terminal Services Manager (W2K Server) is a good place to see lost TS
connections.

Another thought is the machine has a Service with a hard-coded Service
Account ID and Password.  - Look for services that cannot start.

-----Original Message-----
From: A. Naveira [mailto:anaveira () hotmail com]
Sent: Monday, March 31, 2003 4:37 PM
To: incidents () securityfocus com
Cc: intrusions () incidents org
Subject: Logon/Logoff Failure Events


I recently implemented the account lockout policy on my NT4 PDC (all my
clients authenticate to this server) and encountered the following events in
my security event log:

1. User accounts continue to get locked (Event 539)
2. Expired password accounts continue trying to log in to the network (Event 535)
3. Accounts restricted to specific workstations are trying to log in to
unidentified workstations that I can't seem to ID on my network (Event 533) AND
4. Bad password attempts on existing accounts from unidentified workstations
that I can't seem to ID on my network (Event 529)

These events seem quite unsettling, as I see MULTIPLE failed attempts per
second (more than humanly possible).  Could this be an automated process
(token authentication) that NT is running to authenticate services, apps, or
other processes or, as I expect, could it be a script trying to guess user
passwords?  Has anyone encountered this previously in NT4 with benign
sources?

Ana


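A small triage script for the situation discussed in this thread, added here as an example and not code from either poster: it groups the NT4 failure events named in the original post (529/533/535/539) by source workstation and separates the stale-credential pattern Robert describes (one account retrying from a host the administrator knows) from failures arriving from workstations that cannot be identified. The event IDs come from the post; the log records and the KNOWN_HOSTS inventory are constructed for the example.

```python
"""Triage NT4 security-log logon failures (events 529/533/535/539).

Added example; the records below are constructed, not from the thread."""
from collections import Counter, defaultdict
from datetime import datetime

# Event IDs named in the original post and what each one records.
FAILURE_EVENTS = {529: "bad password", 533: "workstation restriction",
                  535: "password expired", 539: "account locked out"}

# Workstations the administrator recognises (assumed inventory).
KNOWN_HOSTS = {"WS-ANA", "TS01"}

# Constructed records: (timestamp, event id, account, source workstation).
SAMPLE = [
    ("2003-03-31 16:30:00", 529, "ana", "TS01"),     # old password on a
    ("2003-03-31 16:30:00", 529, "ana", "TS01"),     # forgotten TS session
    ("2003-03-31 16:30:00", 529, "ana", "TS01"),
    ("2003-03-31 16:30:01", 539, "ana", "TS01"),
    ("2003-03-31 16:31:00", 533, "bob", "UNKNOWN7"),
    ("2003-03-31 16:31:00", 529, "carol", "UNKNOWN7"),
    ("2003-03-31 16:31:00", 529, "dave", "UNKNOWN7"),
    ("2003-03-31 16:31:01", 535, "erin", "UNKNOWN7"),
    ("2003-03-31 16:40:00", 528, "ana", "WS-ANA"),   # successful logon, ignored
]

def triage(records, known_hosts=KNOWN_HOSTS):
    """Group failure events by source host and classify the pattern per host."""
    per_host = defaultdict(list)
    for ts, eid, account, host in records:
        if eid in FAILURE_EVENTS:
            per_host[host].append((datetime.fromisoformat(ts), eid, account))
    findings = {}
    for host, events in per_host.items():
        accounts = sorted({a for _, _, a in events})
        # Peak number of failures in any single second (the "more than humanly
        # possible" rate from the post) is what the Counter measures here.
        peak_rate = max(Counter(t for t, _, _ in events).values())
        if host not in known_hosts:
            verdict = "unidentified source: identify the host before anything else"
        elif len(accounts) == 1:
            verdict = ("stale credential: one account retrying from a known host; "
                       "find the session or service still holding the old password")
        else:
            verdict = "several accounts failing from one known host: investigate"
        findings[host] = {"accounts": accounts, "peak_per_second": peak_rate,
                          "events": sorted({FAILURE_EVENTS[e] for _, e, _ in events}),
                          "verdict": verdict}
    return findings

if __name__ == "__main__":
    for host, finding in triage(SAMPLE).items():
        print(host, finding)
```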
