  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 292

What is locking out my Windows account while I'm using broadband to access my corporate network? (read on...)

3x a minute my DC security event log logs the following for one of my users:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/17/2008
Time:            3:44:48 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      (i'm not showing you that!)
       Domain:            (i'm not showing you that!)
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      (i'm not showing you that!)
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6012
       Transited Services:      -
       Source Network Address:      72.66.60.141
       Source Port:      50652

The user, of course, is constantly getting locked out and... As fate would have it, this user is the president of the company....

Now stick with me for a bit while I will appear to go on an irrelevant tangent :)

He's got this fancy new Lenovo ThinkPad that automatically determines the best of 3 possible ways to connect to the internet (which he in turn uses to VPN into the office). Those 3 ways are wired LAN (in the office), WiFi (in the office), or broadband (like a cellphone) which works pretty much anywhere. The Source IP of the 'offending' security log event belongs to Sprint. Sprint is his broadband provider. He also has a cellphone that checks our Exchange server (an iPhone of course) but I think that is on the AT&T network. He also has a desktop PC. So he's got like 5 ways to check his email. So anyway - long story short - I think it's the Verizon broadband connection that is doing it since the source IP belongs to Verizon. .... either that or some hacker using the Verizon network in the Washington DC area :)

I can't find any information about port 50652 and can't figure out why he keeps getting locked out even though I think it has something to do with his ThinkPad's broadband internet.

Can anyone help me understand more than what I already do? What is port 50652? What might I look further into?

Thanks Much,

Russ White
casco32
Asked:
 
NJDEV1 Commented:
Are there any stored usernames and passwords under the user account of one of his machines?
I have seen users store domain credentials and then when the password expires they get locked out because they were not updated.

Rob Williams Commented:
I agree with NJDEV1. It can often be due to something like Trend Micro antivirus having been set up with an admin account for updates. If the admin password has changed (not the user's password) something like A/V will keep trying to get updates, and as a result keep trying to authenticate.

Don't rule out the possibility of a hacker if you have external access to RWW or TS. Is it SBS premium with ISA?

casco32 (Author) Commented:
Thanks for your inputs.
It is not an expired password issue - I beat that possibility to death before posting.
It's something on his mobile broadband. The IP address it's coming from is an IP that belongs to the Verizon Mobile IP pool so I do not think it is a hacker. It stopped for two days and then started again this morning at 1:50 am while the user was asleep and his laptop was asleep :| It has something to do with Verizon's mobile broadband software. I think I worked around this issue and I don't really expect this question to get answered.

Rob Williams Commented:
There must be a logon, mapped drive, service, or similar configured on that unit with a wrong or expired password that keeps trying to reconnect.

casco32 (Author) Commented:
I think the issue was someone trying to hack. It has gone away. Awarding robwill as he posted the most. Thanks much.
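
Added example, not part of the original thread or any poster's code: a Python triage of Event ID 529 records exported as text in the layout quoted in the question, showing what the Logon Type, Caller Logon ID and Source Port fields say about where to look. The function names, the `USER_PLACEHOLDER` value and the second and third source ports are constructed for illustration.

```python
import re
from collections import defaultdict

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample in the layout of the event quoted in the question. Only source
# port 50652 is from the page; the user name is a placeholder for the redacted field.
EVENT = """\
Event ID:      529
       User Name:      USER_PLACEHOLDER
       Logon Type:      8
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6012
       Source Network Address:      72.66.60.141
       Source Port:      50652
"""
SAMPLE_LOG = "\n".join(EVENT.replace("50652", p) for p in ("50652", "50655", "50660"))

# "Name:   value" on one line; label-only lines such as "Description:" are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.M)

def parse_events(log):
    """Split an exported log on blank lines and turn each event into a field dict."""
    return [dict(FIELD.findall(chunk)) for chunk in re.split(r"\n\s*\n", log.strip())]

def triage(events):
    """Group 529 failures by (user, source address, logon type) and summarise them."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "529":
            key = (e["User Name"], e["Source Network Address"], int(e["Logon Type"]))
            groups[key].append(e)
    report = []
    for (user, addr, ltype), evs in groups.items():
        ports = sorted({int(e["Source Port"]) for e in evs})
        report.append({
            "user": user, "source": addr, "failures": len(evs),
            # Type 8 means the server received the password itself and logged on
            # with it; IIS Basic authentication is a common source of this type.
            "logon_type": LOGON_TYPES.get(ltype, "type %d" % ltype),
            # The source port is chosen by the client per connection, so it is not
            # a service to look up; 49152-65535 is the IANA dynamic port range.
            "source_ports": ports,
            "ephemeral_ports": all(p >= 49152 for p in ports),
            # Logon ID 0x3E7 is LocalSystem: a service on the server made the logon
            # call. Resolve the caller PID on that server to identify the service.
            "caller_is_system": all(e["Caller Logon ID"].upper().endswith("0X3E7)") for e in evs),
            "caller_pids": sorted({e["Caller Process ID"] for e in evs}),
        })
    return report
```

On the server named in the event, `tasklist /FI "PID eq 6012"` shows which process owns the caller PID while that process is still running.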