Solved

User Accounts Getting Locked Out WAN

Posted on 2004-04-22
Last Modified: 2013-12-04
Here is the topology of our network. We have one Windows 2000 server with DNS running. We have local LAN users and we have two groups of users that are on two separate T1 WAN connections. The problem we have is that the user accounts that are on one of the WAN connections get randomly disabled or locked out. We think this might be happening due to a maximum number of password tries. None of the LAN users or the other group of WAN users are having this problem. The router logs on both the server end and the WAN end look clean with no security breaches. The logs in both the routers do not show any connection loss or dropped packets. Also the server logs are clean with no application, system, or security entries. We are going to turn on auditing in the local sec policy to see if we can gain any insight as to what is happening, but any input would be greatly appreciated. Thanks, Tim.
Question by:bigdessert
 
LVL 7

Expert Comment

by:msice
ID: 10893470
I have had this issue with Terminal Services / RDP. If you have users logging in via Citrix, for instance, and have a password change policy that forces the users to change their passwords, then when they change their password, if there is an existing RDP connection that has been in existence, it will cause this due to the reconnection of the RDP session when a user logs in again with the new password. You can set the RDP connection to auto logoff after a certain disconnect time. Hope this makes sense - this fixed my issue with mysterious lockouts, hope it helps.
 

Author Comment

by:bigdessert
ID: 10894255
There is no terminal or Citrix server involved. This is just when doing standard Windows network logons with a domain. We have also talked to the users at this location and none of them have been misspelling words or anything. So we kind of think it has something to do with the connection, but have no proof. Our logs are all clean so we know it's not a hacker. Let me know what you guys think. Thanks, Tim.
 
LVL 7

Expert Comment

by:msice
ID: 10894332
Logs are all clean could mean it's a hacker. Check for Trojans etc. Are all of the accounts getting locked out or just random ones, and how often?
 

Author Comment

by:bigdessert
ID: 10895387
Well, we know there are no trojans etc. because we have very good updated virus protection. It's not all the accounts. One week it was a couple of them and then the next week a couple of different ones got locked out. So it's kind of random.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 10896160
Well, connection losses will not do this. I'd look at the network layer last, actually. You say the logs are clean... no password failed attempts... are you logging success/failed logons? If you type "Secpol.msc" on the Run line, and go to Local Policies, then the audit settings, you'll see you can set success/failure for various variables... set these on the workstations as well as the DC or server, if not set already. If it is set already... and you don't see any failures in the logs, it may not be the "password attempts" setting. The password attempts can be set with Usrmgr in the 2000 resource kit, and complexity requirements can be set using the passfilt.dll.
http://is-it-true.org/nt/atips/atips93.shtml
http://windows.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/meta_bestpractices.htm

However, if it's not the failed logons being exceeded... I'm not sure what it would be... other than a hacker, or a program trying to use a hardcoded username and pass to do something. You could set up Ethereal on the server in question and see if you log any unauthorized IPs or traffic...
GL!
-rich
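
Once success/failure logon auditing is on, the useful question is which machine produced the bad attempts before each lockout. The script below is an added example and is not part of any post in this thread: it reads a simplified CSV export of the Security log and, for every lockout event, counts the failed logons per workstation that preceded it. Event IDs 529 and 644 are the Windows 2000 IDs for a failed logon and an account lockout; the CSV column layout, the 30-minute window, and all account and host names are constructed for illustration.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
LOGON_FAILURE = 529    # Windows 2000: logon failure, unknown user name or bad password
ACCOUNT_LOCKED = 644   # Windows 2000: user account locked out
WINDOW = timedelta(minutes=30)  # assumption: set to your lockout counter reset time

# Constructed sample export; the column layout and all names are assumptions.
SAMPLE = """time,event_id,account,workstation
2004-04-22 08:01:10,529,jsmith,WAN2-PC07
2004-04-22 08:01:12,529,jsmith,WAN2-PC07
2004-04-22 08:01:15,529,jsmith,WAN2-PC07
2004-04-22 08:01:15,644,jsmith,WAN2-PC07
2004-04-22 09:30:00,529,akhan,LAN-PC02
2004-04-22 10:15:40,529,mlee,WAN2-PC07
2004-04-22 10:15:42,529,mlee,WAN2-PC07
2004-04-22 10:15:44,529,mlee,WAN2-PC07
2004-04-22 10:15:45,644,mlee,WAN2-PC07
"""

def parse(text):
    """Return (time, event_id, account, workstation) tuples in time order."""
    rows = [(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"), int(r["event_id"]),
             r["account"].lower(), r["workstation"].upper())
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda row: row[0])

def lockout_sources(text, window=WINDOW):
    """For each lockout, count the failed logons per workstation that led up to it."""
    events = parse(text)
    report = []
    for when, event_id, account, _ in events:
        if event_id != ACCOUNT_LOCKED:
            continue
        sources = Counter(ws for t, e, a, ws in events
                          if e == LOGON_FAILURE and a == account and when - window <= t <= when)
        report.append({"account": account, "locked_at": when, "sources": dict(sources)})
    return report

def shared_sources(report):
    """Workstations whose failures preceded lockouts of more than one account."""
    seen = defaultdict(set)
    for entry in report:
        for ws in entry["sources"]:
            seen[ws].add(entry["account"])
    return {ws: sorted(accts) for ws, accts in seen.items() if len(accts) > 1}

if __name__ == "__main__":
    print(lockout_sources(SAMPLE), shared_sources(lockout_sources(SAMPLE)))
```

A workstation that shows up in `shared_sources` for several different accounts is the first place to look for a service, mapped drive or script retrying stale credentials.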