Windows 2003 Group Policy Account Lockout Policy Unauthorised Changes

Posted on 2011-05-03
Last Modified: 2013-12-06

I have a situation that has arisen over the last couple of months regarding a number of Windows 2003 Servers that I support for various clients.

I standardly set the Account lockout policy to 3 failed logins = 60 minute lockout.

Please note that on pretty much all of the sites, local staff do not have access to group policy to make any alterations.

I have found a couple of variant changes on different servers:
1. The account lockout policy has been cleared to no values (not set).
2. The account lockout policy has been set to 50 attempts with a 10 minute reset.

The external internet connections have been locked down to the standard ports 80, 443, 4125 and 3389 to reduce the impact of external attacks. (Some still do occur via the remote access ports...)

My first thought was of a Windows update making a change, but with the 2 variations of change at different times, I was thinking maybe not.

The suspicious side of me is wondering if there is any way for group policy to be modified using something like PowerShell/scripting by an external party?

Any advice regarding the possible sources of these alterations would be greatly received.

Please note that I will be dividing points between viable answers - if there is more than one source.

Thanks in advance for your assistance.
Question by: dwknight

Accepted Solution

Well, anything is possible. Port 80 does not need to be open on SBS 2003 unless you have done something special. 3389 should be limited to specific IP addresses, such as yours, to avoid brute force attacks. I did not see 25 nor 444 in your ports list... probably just an oversight.

One way the password policies can be reset is through the CEICW on the SBS Console, but that should not set the failed logon attempts.

Unless this was an inside job at more than one site, you should see many failed logon attempts followed by a good one, and if your previous policy was as restrictive as you say, this is very unlikely. IMO, the likelihood of someone guessing a strong password remotely in three attempts is less than 0.

Author Comment

Many thanks for the feedback and you are definitely correct, anything is possible. I have some additional information below that I had not added to the initial question, to add to the scenario.

The CEICW does explain the clearing of the password policies. But the failed login attempts value is definitely reset under pretty much all of the scenarios. But not the scenario where the properties are reset to 50 login attempts, 10 minute lockout and 10 minute reset.

Thanks for highlighting the other ports; I had not included them due to my oversight when writing this question.

Thanks as well for the additional advice regarding restricting remote access to specific IP addresses - already done. I have observed via report a number of hacking attempts from overseas on client servers; there are also attacks that are spoofing the restricted remote access IP addresses to assist them in attempting to break in. This has been observed in the SBS activity report that I have emailed to my office daily. (These IP addresses, being the source of the attacks, are definitely not from the legitimately allowed range - see below.)

I know that the Remote Access IP address is being spoofed because I have tested the situation by shutting down my remote admin site and the internet connection I use for it overnight, and there are attempts that have been made using the spoofed restricted remote access IP address in the SBS report the next report cycle. I know that this is a difficult thing to achieve, especially with packet-switched networks - but where there is a will ...

This is something that I have noticed over a number of months and am concerned about, if I were a paranoid person... This is a situation that I have some suspicion of, but only limited evidence of it occurring; and no explanation of how.

I know on at least 2 of the sites, staff are pretty much restricted to PC access and no server or group policy access. I really want to find out if there is a method of external attack that could get in and modify group policy remotely in a way that circumvents security on a network - I am not after specific steps, just the high level idea, and if it exists, whether there is a patch available. (I know that I am reaching for something that is a little bit left of field, but I am very curious about this situation that I have come across.)

Any further advice would be greatly received.
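A defender-side drift check for the situation described in this thread, added here as an example and not code from the original post: it parses the [System Access] section of a GPO's GptTmpl.inf (where the domain account lockout settings are stored under SYSVOL) and reports any lockout setting that is missing or differs from the 3-attempt / 60-minute baseline. The baseline dict and the three sample .inf texts are constructed for the example; ResetLockoutCount = 60 is an assumption, since the post does not state the reset value of the original policy.

```python
import configparser
from typing import Dict, List

# Baseline from the thread: 3 failed logons lock the account for 60 minutes.
# ResetLockoutCount = 60 is an assumption; the post does not state it.
BASELINE = {"LockoutBadCount": 3, "LockoutDuration": 60, "ResetLockoutCount": 60}


def parse_system_access(inf_text: str) -> Dict[str, int]:
    """Return the integer settings in the [System Access] section of a GptTmpl.inf.

    The file lives under SYSVOL in <GUID>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\
    and is normally UTF-16LE on disk, so read it with encoding="utf-16" first.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case (LockoutBadCount etc.)
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    values = {}
    for key, raw in cp.items("System Access"):
        try:
            values[key] = int(raw.strip())
        except ValueError:
            pass  # non-numeric entries (e.g. NewAdministratorName) are ignored
    return values


def check_lockout_policy(inf_text: str, baseline: Dict[str, int] = BASELINE) -> List[str]:
    """One finding per lockout setting that is missing or differs from the baseline."""
    current = parse_system_access(inf_text)
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(f"{key}: not set (expected {expected})")
        elif current[key] != expected:
            findings.append(f"{key}: {current[key]} (expected {expected})")
    return findings


# Constructed sample templates mirroring the three states described in the thread.
BASELINE_INF = "[Unicode]\nUnicode=yes\n[System Access]\nLockoutBadCount = 3\nLockoutDuration = 60\nResetLockoutCount = 60\n"
CLEARED_INF = "[Unicode]\nUnicode=yes\n[System Access]\nMinimumPasswordLength = 8\n"
VARIANT_INF = "[Unicode]\nUnicode=yes\n[System Access]\nLockoutBadCount = 50\nLockoutDuration = 10\nResetLockoutCount = 10\n"

if __name__ == "__main__":
    for name, inf in [("baseline", BASELINE_INF), ("cleared", CLEARED_INF), ("variant", VARIANT_INF)]:
        print(name, check_lockout_policy(inf) or "matches baseline")
```

Running this on a scheduled task against each site's Default Domain Policy template gives a timestamped record of when the drift first appeared, which can then be lined up with the SBS activity reports and Windows Update history mentioned above.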

Author Closing Comment

Many thanks for your comments - but I am still at a loss as to any other methods of altering group policy from the outside apart from the CEICW.

I have closed this question due to no further comments being made by the community.

Thanks for your contribution.
