• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3511
  • Last Modified:

Domain accounts getting locked out

All of our domain accounts keep getting locked out numerous times during the day for the past couple of days.  In the event log on a DC, there are constant audit failures, event ID 4662:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/23/2011 10:10:14 AM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      servername.ourdomain.com
Description:
An operation was performed on an object.

Subject :
      Security ID:            domain\user[
      Account Name:            username
      Account Domain:            ourdomain
      Logon ID:            0xb4d9d80

Object:
      Object Server:            DS
      Object Type:            user
      Object Name:            CN=useraccount\OU=Client Services,OU= Departments,DC=ourdomain,DC=com
      Handle ID:            0x0

Operation:
      Operation Type:            Object Access
      Accesses:            Control Access
                  
      Access Mask:            0x100
      Properties:            ---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}


Additional Information:
      Parameter 1:            -
      Parameter 2:            
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-09-23T14:10:14.200Z" />
    <EventRecordID>128232590</EventRecordID>
    <Correlation />
    <Execution ProcessID="820" ThreadID="924" />
    <Channel>Security</Channel>
    <Computer>servername.ourdomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-796845957-1715567821-682003330-1698</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">ourdomain</Data>
    <Data Name="SubjectLogonId">0xb4d9d80</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{474f39a0-a6c3-40f0-a1dd-24604b29e15e}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688
                  </Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">---
            {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                  {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                  {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                  {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
            {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
                  {612cb747-c0e8-4f92-9221-fdd5f15b550d}
      {bf967aba-0de6-11d0-a285-00aa003049e2}
</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2">
    </Data>
  </EventData>
</Event>

Doesn't really show where it's coming from.  Seems like probably a brute force attack.  Any ideas on how to nail this down?  Thanks.
0
SSEHelpDesk
Asked:
SSEHelpDesk
2 Solutions
 
haxxyCommented:
You probably have Downadup.B worm.

Read this document from symantec on how to remove it. http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
0
 
Mike KlineCommented:
This sounds like malware  last year there was a lot of these and it was conficker  http://blogs.technet.com/b/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx

Not saying you have it but start scanning the network.  If it was one or two accounts there are other troubleshooting methods but almost every account being randomly locked out is a different thing.

Thanks

Mike
0
 
qgmasterCommented:
I do see the same event in our environment ,did anyone got a solution this event id flooding in Domain Controllers
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now