Solved

User Accounts Getting Locked Out WAN

Posted on 2004-04-22
Last Modified: 2013-12-04
Here is the topology of our network. We have one Windows 2000 server with DNS running. We have local LAN users and we have two groups of users that are on two separate T1 WAN connections. The problem we have is that the user accounts that are on one of the WAN connections get randomly disabled or locked out. We think this might be happening due to maximum password tries. None of the LAN users or the other group of WAN users are having this problem. The router logs on both the server end and the WAN end look clean with no security breaches. The logs in both the routers do not show any connection loss or dropped packets. Also the server logs are clean with no application, system, or security entries. We are going to turn on auditing in the local sec policy to see if we can gain any insight as to what is happening, but any input would be greatly appreciated. Thanks, Tim.
Question by:bigdessert
5 Comments
 
LVL 7

Expert Comment

by:msice
ID: 10893470
I have had this issue with Terminal Services / RDP. If you have users logging in via Citrix, for instance, and have a password change policy that forces the users to change their passwords, then when they change their password, if there is an existing RDP connection that has been in existence, it will cause this due to the reconnection of the RDP session when a user logs in again with the new password. You can set the RDP connection to auto logoff after a certain disconnect time. Hope this makes sense - this fixed my issue with mysterious lockouts, hope it helps.
0
 

Author Comment

by:bigdessert
ID: 10894255
There is no Terminal or Citrix server involved. This is just when doing standard Windows network logons with a domain. We have also talked to the users at this location and none of them have been misspelling words or anything. So we kind of think it has something to do with the connection, but have no proof. Our logs are all clean so we know it's not a hacker. Let me know what you guys think. Thanks, Tim.
0
 
LVL 7

Expert Comment

by:msice
ID: 10894332
Logs are all clean could mean it's a hacker. Check for Trojans etc. Are all of the accounts getting locked out or just random ones, and how often?
0
 

Author Comment

by:bigdessert
ID: 10895387
Well, we know there are no Trojans etc. because we have very good updated virus protection. It's not all the accounts. One week it was a couple of them and then the next week a couple of different ones got locked out. So it's kind of random.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10896160
Well, connection losses will not do this. I'd look at the network layer last, actually. You say the logs are clean... no password failed attempts... are you logging success/failed log-ons? If you type "Secpol.msc" on the Run line, and go to Local Policies, then the audit settings, you'll see you can set success/failure for various variables... set these on the workstations as well as the DC or server, if not set already. If it is set already... and you don't see any failures in the logs, it may not be the "password attempts" setting. The password attempts can be set with Usrmgr in the 2000 resource kit, and complexity requirements can be set using the passfilt.dll.
http://is-it-true.org/nt/atips/atips93.shtml
http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/meta_bestpractices.htm

However, if it's not the failed logons being exceeded... I'm not sure what it would be... other than a hacker, or a program trying to use a hardcoded username and pass to do something. You could set up Ethereal on the server in question and see if you log any unauthorized IPs or traffic...
GL!
-rich
0
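An added example, not part of the thread or written by any poster: once logon auditing is enabled as the accepted answer suggests, this script correlates failed logons (Windows 2000 event 529) with lockouts (event 644) to show which workstation drove each lockout and whether the failures were evenly paced. The CSV layout, host names, 30-minute window and 2-second pacing tolerance are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGON, LOCKED_OUT = "529", "644"   # Windows 2000 Security log event IDs
WINDOW = timedelta(minutes=30)            # assumed lockout counter reset window

# Constructed sample export (column names are assumptions for this example).
SAMPLE_CSV = """time,event_id,account,source
2004-04-26 08:00:00,529,jsmith,WAN2-PC07
2004-04-26 08:05:00,529,jsmith,WAN2-PC07
2004-04-26 08:10:00,529,jsmith,WAN2-PC07
2004-04-26 08:10:01,644,jsmith,WAN2-PC07
2004-04-26 09:12:04,529,mlee,WAN2-PC03
2004-04-26 09:12:31,529,mlee,WAN2-PC03
2004-04-26 09:14:50,529,mlee,WAN2-PC03
2004-04-26 09:14:51,644,mlee,WAN2-PC03
2004-04-26 09:30:00,529,akhan,LAN-PC11
"""

def parse(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])

def explain_lockouts(text):
    rows = parse(text)
    report = []
    for lock in (r for r in rows if r["event_id"] == LOCKED_OUT):
        fails = [r for r in rows
                 if r["event_id"] == FAILED_LOGON
                 and r["account"] == lock["account"]
                 and lock["time"] - WINDOW <= r["time"] <= lock["time"]]
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(fails, fails[1:])]
        # Evenly spaced failures suggest a program or stale session retrying
        # a stored password rather than a person mistyping at the keyboard.
        paced = len(gaps) >= 2 and max(gaps) - min(gaps) <= 2
        report.append({"account": lock["account"], "failures": len(fails),
                       "sources": dict(Counter(r["source"] for r in fails)),
                       "machine_paced": paced})
    return report

if __name__ == "__main__":
    for entry in explain_lockouts(SAMPLE_CSV):
        print(entry)
```

A lockout with no matching failures in the window points away from the bad-password threshold, which is the case the answer says to consider next.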
