casco32 asked:
What is locking out my Windows account while I'm using broadband to access my corporate network? (read on...)

3x a minute my DC security event log logs the following for one of my users:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/17/2008
Time:            3:44:48 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      (i'm not showing you that!)
       Domain:            (i'm not showing you that!)
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      (i'm not showing you that!)
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6012
       Transited Services:      -
       Source Network Address:      72.66.60.141
       Source Port:      50652

The user, of course, is constantly getting locked out and... As fate would have it, this user is the president of the company.

Now stick with me for a bit while I will appear to go on an irrelevant tangent :)

He's got this fancy new Lenovo ThinkPad that automatically determines the best of 3 possible ways to connect to the internet (which he in turn uses to VPN into the office).  Those 3 ways are wired LAN (in the office), Wi-Fi (in the office), or broadband (like a cellphone) which works pretty much anywhere.  The source IP of the 'offending' security log event belongs to Sprint.  Sprint is his broadband provider.  He also has a cellphone that checks our Exchange server (an iPhone of course) but I think that is on the AT&T network.  He also has a desktop PC.  So he's got like 5 ways to check his email.  So anyway - long story short - I think it's the Verizon broadband connection that is doing it since the source IP belongs to Verizon.  ....  either that or some hacker using the Verizon network in the Washington DC area :)

I can't find any information about port 50652 and can't figure out why he keeps getting locked out, even though I think it has something to do with his ThinkPad's broadband internet.

Can anyone help me understand more than what I already do?  What is port 50652?   What might I look further into?

Thanks Much,

Russ White
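An added example, not from the question or any of the answers: it parses event 529 records in the layout quoted above and flags any (user, source IP) pair that fails three or more times inside a one-minute window, the rate the question describes. The sample records, the user names and the second IP address are constructed; the regex is anchored at line start so "Caller User Name" is not mistaken for "User Name".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields this analysis needs; anchored at line start so "Caller User Name" is not picked up.
FIELD_RE = re.compile(r"^\s*(Event ID|Date|Time|User Name|Logon Type|Logon Process|"
                      r"Source Network Address|Source Port):\s+(.*?)\s*$", re.M)

def parse_529(text):
    """Split a saved security-log export into one dict per event 529 record."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        f = dict(FIELD_RE.findall(chunk))
        if f.get("Event ID") != "529":
            continue
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when, "user": f["User Name"], "src": f["Source Network Address"],
                       "port": int(f["Source Port"]), "logon_type": int(f["Logon Type"])})
    return events

def noisy_sources(events, window=timedelta(minutes=1), threshold=3):
    """Return {(user, source_ip): count} for pairs with >= threshold failures in one window."""
    times = defaultdict(list)
    for e in events:
        times[(e["user"], e["src"])].append(e["when"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        for i, t in enumerate(ts):
            n = sum(1 for u in ts[i:] if u - t <= window)  # failures in [t, t + window]
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits

def make_event(date, time, user, src, port):
    """Constructed sample record in the layout of the question's event text."""
    return (f"Event Type:      Failure Audit\nEvent ID:      529\nDate:            {date}\n"
            f"Time:            {time}\nDescription:\nLogon Failure:\n       User Name:      {user}\n"
            f"       Logon Type:      8\n       Logon Process:      Advapi\n       Caller User Name:      SBS$\n"
            f"       Source Network Address:      {src}\n       Source Port:      {port}\n")

SAMPLE = "".join([  # constructed: three hits in one minute from one source, one stray failure
    make_event("11/17/2008", "3:44:48 PM", "president", "72.66.60.141", 50652),
    make_event("11/17/2008", "3:45:05 PM", "president", "72.66.60.141", 50653),
    make_event("11/17/2008", "3:45:20 PM", "president", "72.66.60.141", 50654),
    make_event("11/17/2008", "3:50:00 PM", "jdoe", "10.0.0.5", 1234)])

if __name__ == "__main__":
    for (user, src), n in noisy_sources(parse_529(SAMPLE)).items():
        print(f"{user} from {src}: {n} failures within one minute")
```

Logon type 8 (NetworkCleartext) arriving through Advapi with the server's own machine account as the caller is the shape IIS basic authentication produces, so a mail client or sync agent retrying a stale saved password against OWA or ActiveSync is worth ruling out before assuming an outside attacker. The source port is just the client's ephemeral port and carries no meaning on its own.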
NJDEV1:

Are there any stored usernames and passwords under the user account of one of his machines?
I have seen users store domain credentials and then when the password expires they get locked out because they were not updated.
Rob Williams:
I agree with NJDEV1. It can often be due to something like Trend Micro antivirus having been set up with an admin account for updates. If the admin password has changed (not the user's password), something like A/V will keep trying to get updates, and as a result keep trying to authenticate.

Don't rule out the possibility of a hacker if you have external access to RWW or TS. Is it SBS premium with ISA?
casco32 (asker):
Thanks for your inputs.
It is not an expired password issue - I beat that possibility to death before posting.
It's something on his mobile broadband.  The IP address it's coming from is an IP that belongs to the Verizon Mobile IP pool so I do not think it is a hacker.  It stopped for two days and then started again this morning at 1:50 am while the user was asleep and his laptop was asleep :|  It has something to do with Verizon's mobile broadband software.  I think I worked around this issue and I don't really expect this question to get answered.
ASKER CERTIFIED SOLUTION
Rob Williams:
This solution is only available to members.
casco32 (asker):
I think the issue was someone trying to hack.  It has gone away.  Awarding robwill as he posted the most.  Thanks much.