User Accounts Getting Locked Out WAN

Here is the topology of our network. We have one Windows 2000 server with DNS running. We have local LAN users and we have two groups of users that are on two separate T1 WAN connections. The problem we have is that the user accounts that are on one of the WAN connections get randomly disabled or locked out. We think this might be happening due to a maximum number of password tries. None of the LAN users or the other group of WAN users are having this problem. The router logs on both the server end and the WAN end look clean with no security breaches. The logs in both the routers do not show any connection loss or dropped packets. Also the server logs are clean with no application, system, or security entries. We are going to turn on auditing in the local sec policy to see if we can gain any insight as to what is happening, but any input would be greatly appreciated. Thanks, Tim.
bigdessert Asked:
 
Rich Rumble (Security Samurai) Commented:
Well, connection losses will not do this. I'd look at the network layer last, actually. You say the logs are clean... no failed password attempts... are you logging success/failed log-ons? If you type "Secpol.msc" on the Run line, and go to Local Policies, then the audit settings, you'll see you can set success/failure for various variables... set these on the workstations as well as the DC or server, if not set already. If it is set already... and you don't see any failures in the logs, it may not be the "password attempts" setting. The password attempts can be set with Usrmgr in the 2000 resource kit, and complexity requirements can be set using the passfilt.dll.
http://is-it-true.org/nt/atips/atips93.shtml
http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/meta_bestpractices.htm

However, if it's not the failed logons being exceeded... I'm not sure what it would be... other than a hacker, or a program trying to use a hardcoded username and pass to do something. You could set up Ethereal on the server in question and see if you log any unauthorized IPs or traffic...
GL!
-rich
0
 
msice Commented:
I have had this issue with Terminal Services / RDP. If you have users logging in via Citrix, for instance, and have a password change policy that forces the users to change their passwords, when they change their password, if there is an existing RDP connection that has been in existence, it will cause this due to the reconnection of the RDP when a user logs in again with the new password. You can set the RDP connection to auto logoff after a certain disconnect time. Hope this makes sense - this fixed my issue with mysterious lockouts, hope it helps.
0
 
bigdessert (Author) Commented:
There is no terminal or Citrix server involved. This is just when doing standard Windows network logons with a domain. We have also talked to the users at this location and none of them have been misspelling words or anything. So we kind of think it has something to do with the connection, but have no proof. Our logs are all clean so we know it's not a hacker. Let me know what you guys think. Thanks, Tim.
0
 
msice Commented:
Logs are all clean could mean it's a hacker. Check for Trojans, etc. Are all of the accounts getting locked out or just random ones, and how often?
0
 
bigdessert (Author) Commented:
Well, we know there are no trojans etc. because we have very good updated virus protection. It's not all the accounts. One week it was a couple of them and then the next week a couple of different ones got locked out. So it's kind of random.
0
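Added example, not part of the original thread: once success/failure logon auditing is enabled as suggested above, the Security log can answer which workstation the bad attempts came from before each lockout, and whether different accounts share one source from week to week. The sketch below assumes the Windows 2000 event IDs 529 (logon failure) and 644 (account locked out), which the thread does not name, and a simplified CSV export; the account names, host names and column layout are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs (pre-Vista numbering).
LOGON_FAILURE = 529   # unknown user name or bad password
ACCOUNT_LOCKED = 644  # user account locked out

# Constructed sample: a simplified CSV export (time, event ID, account,
# source workstation). The column layout is an assumption for this example.
SAMPLE = """\
2004-03-01 08:01:10,529,jsmith,WAN2-PC07
2004-03-01 08:01:12,529,jsmith,WAN2-PC07
2004-03-01 08:01:15,529,jsmith,WAN2-PC07
2004-03-01 08:01:15,644,jsmith,DC01
2004-03-01 09:30:00,529,mlee,LAN-PC02
2004-03-08 08:02:40,529,akhan,WAN2-PC07
2004-03-08 08:02:41,529,akhan,WAN2-PC07
2004-03-08 08:02:44,529,akhan,WAN2-PC07
2004-03-08 08:02:44,644,akhan,DC01
"""

def parse(text):
    """Yield (time, event_id, account, workstation) tuples from the export."""
    for ts, eid, account, host in csv.reader(io.StringIO(text)):
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account.lower(), host

def lockout_sources(text, window_minutes=30):
    """For each lockout, count the workstations whose failed logons preceded it."""
    events = sorted(parse(text))
    window = timedelta(minutes=window_minutes)
    report = []
    for when, eid, account, _ in events:
        if eid == ACCOUNT_LOCKED:
            sources = Counter(
                host for t, e, a, host in events
                if e == LOGON_FAILURE and a == account and when - window <= t <= when
            )
            report.append((account, when, dict(sources)))
    return report

def repeat_offenders(report):
    """Workstations that were the failure source for more than one locked account."""
    seen = {}
    for account, _, sources in report:
        for host in sources:
            seen.setdefault(host, set()).add(account)
    return {h: sorted(a) for h, a in seen.items() if len(a) > 1}
```

A workstation returned by `repeat_offenders` is the first place to look for a service, mapped drive or scheduled task still using an old password.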