Windows 2003 Group Policy Account Lockout Policy Unauthorised Changes
Posted on 2011-05-03
I have a situation that has arisen over the last couple of months regarding a number of Windows 2003 Servers that I support for various clients.
I standardly set the Account lockout policy to 3 failed logins = 60 minute lockout.
Please note that on pretty much all of the sites, local staff do not have access to group policy to make any alterations.
I have found a couple of variant changes on different servers:
1. The account lockout policy has been cleared to no values (not set).
2. The account lockout policy has been set to 50 attempts with a 10 minute reset.
The external internet connections have been locked down to the standard ports 80, 443, 4125 and 3389 to reduce the impact of external attacks. (Some still do occur via the remote access ports...)
My first thought was of a Windows Update making a change, but with the 2 variations of change at different times, I was thinking maybe not.
The suspicious side of me is wondering if there is any way for group policy to be modified using something like PowerShell/scripting by an external party?
Any advice regarding the possible sources of these alterations would be greatly received.
Please note that I will be dividing points between viable answers - if there is more than one source.
Thanks in advance for your assistance.