• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 283
  • Last Modified:

Password Locking!!!

Running Windows servers with Windows AD.  Primary AD server is Windows 2003.  I have certain users whose passwords keep getting locked out.  Verified with them and they are certain they are typing it correctly.  Did the same thing to me.  Does anybody have any ideas as to what is going on?

As always, thank you for your time on this matter.
0
CVCB-NetAdmin
Asked:
CVCB-NetAdmin
1 Solution
 
Genexen commented:
I have seen this only once before.  The affected user (the CEO of the company) was lending his laptop to his kids over the weekends.  As a result, trojan/zombies were being installed - either on purpose or via ignorance - and in turn the system was being used via remote control to try and brute force the CEO's domain password.  This is how I tracked it:

1.  Same as you, the CEO's account kept getting locked for failed logon attempts.
2.  Viewing the security log on the DC (security event auditing was enabled) showed all the failed attempts coming from his laptop.
3.  Running netstat from his laptop showed some suspicious connections (6667-IRC was established out to an Internet host).
4.  Viewing the active processes in taskman gave the executable to the trojan.
5.  Safe mode deleted the trojan, and regedit cleared out all references to keep the trojan from relaunching.

Hopefully this helps you.  Also try the obvious like making sure antivirus is up to date and scanning regularly/real-time.  Also do a spyware scan (Ad-Aware, Spybot Search & Destroy, MS AntiSpyware beta, etc.).
0
 
cjinsocal581 commented:
Here is an article I provide to a lot of companies that was provided by the NSA: http://secureconditions.com/articles/NetworkSecurityGuidelinesNSA.pdf

Good luck and stay secure.

CJ
0
 
boywaja commented:
Check your security event log to see what computer is locking them out.  Sometimes people leave themselves logged into secondary machines and don't remember it when they change the password.  If it is his own machine where the lockout is occurring, then you need to look at .  If it is his own machine, then you probably know what applications he might be using that stored a domain password.  If you use SharePoint, check his browsers.  Same with Outlook Web Access.  I've been busted with an LDAP client in which I've saved credentials.  

Microsoft has a few tools that may be helpful over at http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en 
0
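Both Genexen and boywaja point at the same first step: read the DC's security log and work out which computer is generating the failed logons behind the lockouts. The script below is an added example (not from any poster on this thread) of that triage logic run over constructed event records; it assumes records have already been exported from the log as (timestamp, event ID, account, source workstation) tuples, and the account names, hostnames and timestamps are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Security-log entries.
# Event IDs: 4625 = failed logon, 4740 = account locked out
# (on a Windows 2003 DC the equivalents are 529 and 644).
# For 4740 the "workstation" field is the caller computer name.
SAMPLE_EVENTS = [
    ("2024-05-01 08:00:05", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:00:09", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:00:14", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:01:02", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:01:30", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:02:11", 4625, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 08:02:12", 4740, "jsmith", "LAPTOP-CEO"),
    ("2024-05-01 09:15:00", 4625, "jsmith", "WS-OLDDESK"),  # stale session
    ("2024-05-01 10:15:00", 4625, "jsmith", "WS-OLDDESK"),
    ("2024-05-01 09:30:00", 4625, "bjones", "WS-42"),       # one-off typo
]
LOCKOUT_THRESHOLD = 5                 # assumed domain lockout policy
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed reset-counter window

def parse_events(rows):
    """Normalise raw rows: parse timestamps, lower-case accounts, upper-case hosts."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower(), host.upper())
            for ts, eid, acct, host in rows]

def failed_logon_sources(events, account):
    """Failed-logon count per source workstation for one account."""
    return Counter(host for _, eid, acct, host in events
                   if eid == 4625 and acct == account.lower())

def lockout_suspects(events, threshold, window):
    """Map (account, host) to the peak number of failed logons that host
    produced inside any single window; only hosts that could trip the
    lockout policy on their own are returned."""
    times_by_key = defaultdict(list)
    for ts, eid, acct, host in events:
        if eid == 4625:
            times_by_key[(acct, host)].append(ts)
    suspects = {}
    for key, times in times_by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[key] = best
    return suspects

def lockout_sources(events):
    """(account, caller computer) for every lockout event, in log order."""
    return [(acct, host) for _, eid, acct, host in events if eid == 4740]

EVENTS = parse_events(SAMPLE_EVENTS)
```

Against the sample data, LAPTOP-CEO is the only host whose failures alone reach the threshold inside the window, while WS-OLDDESK shows the slow drip typical of a forgotten session with an old password.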
