Windows 2003 Group Policy Account Lockout Policy Unauthorised Changes


I have a situation that has arisen over the last couple of months regarding a number of Windows 2003 Servers that I support for various clients.

I standardly set the Account lockout policy to 3 failed logins = 60 minute lockout.

Please note that on pretty much all of the sites, local staff do not have access to group policy to make any alterations.

I have found a couple of variant changes on different servers:
1. The account lockout policy has been cleared to no values (not set).
2. The account lockout policy has been set to 50 attempts with a 10 minute reset.

The external internet connections have been locked down to the standard ports 80, 443, 4125 and 3389 to reduce the impact of external attacks. (Some still do occur via the remote access ports...)

My first thought was of a Windows Update making a change, but with the 2 variations of change at different times, I was thinking maybe not.

The suspicious side of me is wondering if there is any way for group policy to be modified using something like powershell/scripting by an external party?

Any advice regarding the possible sources of these alterations would be greatly received.

Please note that I will be dividing points between viable answers - if there is more than one source.

Thanks in advance for your assistance.
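One way to detect the drift described in the question on each server is to compare the effective lockout policy against the intended baseline. This PowerShell script is an added example, not from the original thread; it assumes it is run with administrative rights on the server, that `secedit.exe` is available (it ships with Windows 2003), and that the baseline values, in particular the assumed 60 minute reset counter, are adjusted to your own standard.

```powershell
# Baseline from the question: 3 failed logons = 60 minute lockout.
# ResetLockoutCount = 60 is an assumption; set it to your own standard.
$Baseline = @{ LockoutBadCount = 3; LockoutDuration = 60; ResetLockoutCount = 60 }
$ExportPath = Join-Path $env:TEMP 'lockout-check.inf'   # temporary file, placeholder path

# Export the local security policy; secedit writes a Unicode INI file.
& secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $ExportPath)) { throw "secedit export failed on $env:COMPUTERNAME" }

# Parse only the [System Access] section into a hashtable of key = value pairs.
$Current = @{}
$inSection = $false
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $Current[$Matches[1]] = $Matches[2] }
}
Remove-Item $ExportPath -ErrorAction SilentlyContinue

$Drift = @()
foreach ($key in $Baseline.Keys) {
    $expected = $Baseline[$key]
    if (-not $Current.ContainsKey($key)) {
        # Variant 1 from the question: when lockout is cleared, only LockoutBadCount = 0
        # remains in the export and the duration/reset keys disappear entirely.
        $Drift += "$key is missing from the policy (lockout not set); expected $expected"
    } elseif ([int]$Current[$key] -ne [int]$expected) {
        # Variant 2 from the question: values rewritten, e.g. 50 attempts / 10 minute reset.
        $Drift += "$key = $($Current[$key]); expected $expected"
    }
}

if ($Drift.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: account lockout policy matches baseline"
} else {
    # Anything listed here is a change worth investigating, and a candidate for a scheduled
    # task that e-mails the result alongside the daily SBS activity report.
    Write-Output "$env:COMPUTERNAME: account lockout policy DRIFT detected"
    $Drift | ForEach-Object { Write-Output "  $_" }
}
```

Because the effective policy comes from the domain Default Domain Policy GPO on a domain controller, a drift report here points at a GPO edit (or a tool such as the CEICW mentioned in the replies) rather than at a local setting.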
Larry Struckmeyer MVP commented:
Well, anything is possible.  Port 80 does not need to be open on SBS 2003 unless you have done something special.  3389 should be limited to specific IP addresses, such as yours, to avoid brute force attacks.  I did not see 25 nor 444 in your ports list... probably just an oversight.

One way the password policies can be reset is through the CEICW on the SBS Console, but that should not set the failed logon attempts.

Unless this was an inside job at more than one site, you should see many failed logon attempts followed by a good one, and if your previous policy was as restrictive as you say this is very unlikely.  IMO, the likelihood of someone guessing a strong password remotely in three attempts is less than 0.
dwknight (Author) commented:
Many thanks for the feedback and you are definitely correct, anything is possible. I have some additional information below that I had not added in the initial question, to add to the scenario.

The CEICW does explain the clearing of the password policies. But the failed login attempts is definitely reset under pretty much all of the scenarios. But not the scenario where the properties are reset to 50 login attempts, 10 minute lockout and 10 minute reset.

Thanks for the highlighting of the other ports, I had not included them due to my oversight when writing this question.

Thanks as well for the additional advice regarding restricting remote access to specific IP addresses - already done. I have observed via report a number of hacking attempts from overseas on client servers; there are also attacks that are spoofing the restricted remote access IP addresses to assist them in attempting to break in. This has been observed in the SBS activity report that I have emailed to my office daily. (These IP addresses being the source of the attacks are definitely not from the legitimately allowed range - see below.)

I know that the Remote Access IP address is being spoofed because I have tested the situation by shutting down my remote admin site and the internet connection I use for it overnight, and there are attempts that have been made using the spoofed restricted remote access IP address in the SBS report the next report cycle. I know that this is a difficult thing to achieve, especially with packet switching networks - but where there is a will ...

This is something that I have noticed over a number of months and am concerned about, if I were a paranoid person... This is a situation that I have some suspicion of, but only limited evidence of it occurring; and no explanation of how.

I know on at least 2 of the sites, staff are pretty much restricted to PC access and have no server or group policy access. I really want to find out if there is a method by which an external attack could get in and modify group policy remotely in a way that circumvents security on a network - I am not after specific steps, just the high level idea, and if it exists, whether there is a patch available. (I know that I am reaching for something that is a little bit left of field, but I am very curious about this situation that I have come across.)

Any further advice would be greatly received.
dwknight (Author) commented:
Many thanks for your comments - but I am still at a loss as to any other methods of altering group policy from the outside apart from the CEICW.

I have closed this question due to no further comments being made by the community.

Thanks for your contribution.