• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6130

Administrator Account is getting locked out

Hello,

I've encountered an odd issue. It all began about three weeks ago.  The administrator account's password expired and I changed it.  Since that point my event log is filled with logon failures and the Administrator account is actually getting locked out, something that I didn't know was possible.  I have changed the admin password before with no issues so I don't quite understand what is wrong here.  The system is a Server 2003 box running as a PDC w/ Exchange installed on it and IIS running for OWA.  

The thing that worries me most, however, is the Event 529 failures.  The domain listed is not the name of my domain and the workstation name listed is not tied to any of the computers here.  The 2003 box is sitting behind a Watchguard Firebox and I can't see any oddities in the firewall logs.  
Below are the error/failure logs I am receiving.  The first two, 529 & 680, are logon related.  The last, 40961, is a warning that continues to pop up.

Any help on the matter would be greatly appreciated.

--------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            4/12/2005
Time:            9:49:14 AM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ?????????????
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ???????????????
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

-------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/12/2005
Time:            9:49:14 AM
User:            NT AUTHORITY\SYSTEM
Computer:      PDC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Administrator
 Source Workstation:      ????????????????????
 Error Code:      0xC000006A

----------------------------------------------------------------------------------
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/12/2005
Time:            7:24:15 AM
User:            N/A
Computer:      PDC
Description:
The Security System could not establish a secured connection with the server DNS/usa1.usent.local.  No authentication protocol was available.

Asked: CorpulantCoder

1 Solution

mikeleebrlaCommented:
Check the services on all of your servers... Do you have any services that are set to run with the administrator account?  If so, they are using the old password.  Open the service and set it to use the new password.
0
 
bilbusCommented:
Change the administrator username.

This can be done in domain/local security policy
0
 
CorpulantCoderAuthor Commented:
I have already checked all servers in the domain and none are using the administrator account.  
Any other ideas? The other odd thing I've noticed is that the workstation name given in the error logs does not exist in any of the DNS records.  How is it possible for the workstation to have been resolved without an entry appearing in the DNS? These logs are occurring, by the way, every five minutes or so.
0
 
mikeleebrlaCommented:
You say that you checked the servers, but what did you check?  Did you check the services running on the servers?

Also, as mentioned earlier, you should always rename the built-in administrator account to something else, since by default this account has full control over everything and hackers already know half of the username/password combination.  You rename it in Active Directory Users and Computers, not in the security policy.  Make sure you rename the "user logon name" on the Account tab of the user's properties.  I would then set up a "fake" administrator account that doesn't have access to anything, and disable this account.  That way, when hackers are trying to use the "administrator" account, they are trying to use a disabled account that doesn't have access to anything anyway.  Those errors are just people trying to log into your domain unsuccessfully by guessing at passwords.  Since you have it set up so the account locks out after 3 failed attempts, the account is getting locked out.  Renaming the account will resolve this.  
0
 
CorpulantCoderAuthor Commented:
Yes, I checked the services.msc dialog for each server.  None utilize the admin account.

As for renaming the admin account, I don't see how it does much good considering that the SID remains the same.  I suppose renaming the Administrator account might stop some script kiddies but for the most part it seems a weak form of protection.  Also, the name can be changed via a GPO.

Concerning the lockout policy, the admin account has previously been immune to this, or so I believed.  Three times, five times, none would lock the account.  Now however, it becomes locked.  Odd.
Obviously though, something is trying to gain access to a resource via the admin account yet I have no clue what/who that is.  I don't believe it could be something outside the LAN as the firewall is fairly locked down.  Inside however, that may be another issue.  If anyone can offer me any assistance on how to track down who/what is attempting to gain access w/ the admin account I'd appreciate it.
0
 
mikeleebrlaCommented:
Of course it does good, think about it... When you log in, do you use the SID or the login name?  You use the login name of course, so if you change the login name, it changes the way people log in to the account (thus the name "login name"). The account named "administrator" is the first account that hackers try to use b/c it is so powerful.  If you rename the built-in administrator account to something else, then hackers will not know what the login name for this powerful account is.  If you don't change it, they already know half of the username/password combination. It's not a weak form of protection, it's a basic one, meaning it's simple to do, but provides A LOT of security (and would resolve the issue you are having).  You should actually just create a user account named "administrator" with access to nothing (should only be in the Domain Users group) and disable it.  This is the account that will be attacked most often. Since it is disabled nobody can log in to it. Since it doesn't have access to anything, even if someone did log in to your "administrator" account they couldn't do anything, since its SID is mapped to a useless account.   If you rename the built-in "administrator" account to say joeblowadmin, then joeblowadmin is mapped to the powerful SID, not "administrator", thus giving you protection.
0
 
CorpulantCoderAuthor Commented:
'Fraid I have to disagree.  By simply changing the user name the SID does not magically change.  Therefore no matter what you change the administrator account name to, it will retain the same SID.  One can then enumerate the SIDs of a system and find the name mapping.  If you think by simply changing the administrator account name you are protected, think again.  Granted it won't hurt anything, but it's not an end-all solution either.  

Anyways, even if I do change the admin name that doesn't help me resolve what is attempting to gain access via the admin account.  I'd rather get to the source of the issue than throw a blanket over it and pretend nothing is wrong.  Any help in tracing down this access violation would be greatly appreciated.
0
 
mikeleebrlaCommented:
Exactly, I never said the SID changes, and you wouldn't want it to change; if it did change that would defeat the whole purpose of changing the name, wouldn't it??
Changing the built-in administrator account is standard IT security practice, it's not my creation.

And yes, as stated for I think the 5th time now, CHANGING THE NAME OF THE ADMINISTRATOR ACCOUNT WILL SOLVE YOUR PROBLEM.  Think about it!!!!

Something/someone is obviously using the login name "administrator" to attempt to log in, failing, and thus disabling the associated account SID.  If you rename the built-in administrator account to say coder1 and then create an account with a login name of "administrator" and give it no rights, you can even disable it if you wish.
Now the mappings are as follows:

login name        mapped to SID of
administrator     useless/disabled account
coder1            the built-in powerful "administrator" account

So now whoever/whatever is attempting to log in to the account with login name of "administrator", they of course won't be able to log in; even if they do fail past your threshold number, they will just be disabling/locking an account that is never used.  The powerful account "coder1" will still be unlocked and ready for you to use and do your administrative tasks.
0
 
CorpulantCoderAuthor Commented:
"...and yes, as stated for i think the 5th time now, CHANGING THE NAME OF THE ADMINISTRATOR ACCOUNT WILL SOLVE YOUR PROBLEM"

And yes, for the fifth time now, no it will not solve my issue.  My issue is that something is locking out the Admin account. Simply changing the account name will not suddenly make that something disappear.  The admin account is being accessed by something and I'd like to know what.  No one uses the admin account so the lockout is not an issue; the issue is what is behind the lockout.  If you've a suggestion on finding the source please let me know, but if you're going to continue rehashing the admin name change, please move along.  Thanks.
0
 
mikeleebrlaCommented:
OK, well your question was two-fold:
1. How to stop it?  Renaming the account will.  If your domain is open to the internet for anything that requires a logon (FTP server, IIS server, web folders, VPN etc.), you will have people attempt to log in using the username administrator.

2. What/who is causing it?

The error log you posted tells you where the failed login comes from (you put question marks over it so we have no way of knowing what it is).  You then were wondering "The other odd thing I've noticed is that the workstation name given in the error logs does not exist in any of the DNS records.  How is it possible for the workstation to have been resolved without an entry appearing in the DNS?"

The answer is simple. By default your local DNS server has "root hints" set up.  This is what enables your local clients to surf the internet.  They should be pointed to your DNS server for DNS name resolution. If your DNS server doesn't know the answer it will then use the "root hints" listed on it to find the correct answer.  Oftentimes the root hint servers are busy, so people will set up "forwarders" on their DNS server to point to any public DNS server (usually their ISP's).  This does the same thing as the root hints basically, except the requests are forwarded to the public DNS server instead of the root hint server.  Can you surf the internet from the DC?  If you can then it can resolve public DNS names and that is how you got the DNS name of the machine attempting to log in.  
0
 
CorpulantCoderAuthor Commented:
Found the issue.  A short while ago we published the POP3 server so that users would be able to access emails from outside the LAN (also using OWA but users complain it's slow over dial-up).  The POP3 protocol under Exchange 2003 was set up to allow not only basic authentication (SSL w/ a Thawte cert) but Windows integrated authentication as well.  This was the issue.  Any computer outside the network that had SPA enabled in their POP3 account would attempt to authenticate using cached credentials.  It just so happens that one of the users outside the LAN was using a computer account named Administrator.  They had their mail client set to query the POP3 server every five minutes and this resulted in a login for Administrator with incorrect credentials.  At first I found it hard to believe that this would be the case since the external computer was outside the domain so the logon, I'd have thought, would be ComputerDomainName\Administrator but apparently not.  I tested this out by creating a temp account both on the domain and on an outside computer.  The result was a locked out account on the domain when Windows Integrated Authentication was enabled on the POP3 protocol and in the outside computer's POP3 account.  

The problem has been solved but I'd like a better understanding of how this could have happened.  If anyone can explain it I'll give up the 500pts. :-D
0
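As an added example, not code from the thread, here is a small Python script that parses exported Security-log text in the layout of the 529 and 680 records above and groups failed logons by account and source workstation, counting a 529/680 pair with the same timestamp as one attempt and reporting the spacing between attempts; a source that fails every five minutes, like the POP3 client found in this thread, stands out, and the lockout threshold of 3 mentioned earlier is the default. The records, the workstation names OUTSIDE-PC and WS01, and the account jsmith are constructed.

```python
import re
from datetime import datetime
from statistics import median

# Constructed records in the layout of the exported Security-log text above: three
# failures from one workstation ~5 minutes apart (the 529/680 pair is one attempt).
REC_680 = ("Event ID: 680\nDate: 4/12/2005\nTime: {t}\n Logon account: {a}\n"
           " Source Workstation: {w}\n Error Code: 0xC000006A\n")
REC_529 = ("Event ID: 529\nDate: 4/12/2005\nTime: {t}\n       User Name: {a}\n"
           "       Domain: {w}\n       Workstation Name: {w}\n")
SAMPLE_LOG = "-----\n".join([
    REC_680.format(t="9:44:14 AM", a="Administrator", w="OUTSIDE-PC"),
    REC_680.format(t="9:49:14 AM", a="Administrator", w="OUTSIDE-PC"),
    REC_529.format(t="9:49:14 AM", a="Administrator", w="OUTSIDE-PC"),
    REC_680.format(t="9:54:14 AM", a="Administrator", w="OUTSIDE-PC"),
    REC_680.format(t="10:01:00 AM", a="jsmith", w="WS01"),
])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")  # "Key:   value" lines

def parse_failures(text):
    """Yield (timestamp, account, workstation) for every 529/680 record."""
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        matches = (FIELD.match(line) for line in chunk.splitlines())
        fields = {m.group(1): m.group(2) for m in matches if m}
        if fields.get("Event ID") not in ("529", "680"):
            continue
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                 "%m/%d/%Y %I:%M:%S %p")
        # 529 and 680 carry the same facts under different field labels.
        account = fields.get("User Name") or fields.get("Logon account")
        station = fields.get("Workstation Name") or fields.get("Source Workstation")
        yield when, account, station

def failed_logon_sources(text, lockout_threshold=3):
    """Count distinct attempts per (account, workstation) and their spacing."""
    attempts = {}
    for when, account, station in parse_failures(text):
        # A 680 and a 529 with the same timestamp are one attempt: count it once.
        attempts.setdefault((account, station), set()).add(when)
    report = {}
    for key, times in attempts.items():
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        report[key] = {
            "attempts": len(ordered),
            "median_gap_s": median(gaps) if gaps else None,  # ~300 = 5-minute poller
            "exceeds_threshold": len(ordered) >= lockout_threshold,
        }
    return report
```

On a real export, point `failed_logon_sources` at the saved event text and look for the (account, workstation) pair whose gap is steady and whose attempt count crosses the threshold; that is the client to fix.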
 
DarthModCommented:
PAQed with points (500) refunded

DarthMod
Community Support Moderator
0
