AndyJG247

asked on

Bad password count.

Hi,

We are seeing some potentially odd behaviour which I'd like some suggestions for if possible please?  We have two audit tools which are showing that the local administrator (and sometimes guest) accounts are having their badpwdcount increased.  The common experience appears to be:

Workstation XYZ seems to have a burst of attempts against server ABC (all within the same minute)
ABC local admin account is unlocked by the workstation, the badpwdcount is then incremented until the account is locked, the account is unlocked again by the workstation and it tries again until the account is locked.  The attempts then cease.

We have seen badpwdcount rising to 56 or so for some attempts.
The source workstation or target server are not always the same (I've not found any link yet)
The admin account is enabled on the servers and workstations.
Local Guest is disabled.

We have seen servers lock out their own local admin accounts (e.g. ABC$ against ABC$)
The domain admin account is the same name as the local admin account.
No malware has been seen and both workstation and server have different AV vendors (for what AV is worth nowadays at least).

thanks
Andrew
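As an added example (not part of the original question or any of the answers), a small correlation over constructed Windows Security events that surfaces the pattern Andrew describes: a one-minute burst of failed logons from one workstation against a server's local administrator account, repeated after each unlock. The event IDs 4625/4740/4767 are the standard Security log IDs; the hostnames, account names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (time, event id, target account, target host,
# source workstation). Standard Windows Security IDs are used:
# 4625 failed logon, 4740 account locked out, 4767 account unlocked.
# Caveat: 4625's Workstation Name is client-supplied; prefer 4740's Caller Computer Name.
EVENTS = [
    ("2024-01-10T09:00:00", 4767, "Administrator", "ABC", "XYZ"),
    *[("2024-01-10T09:00:%02d" % s, 4625, "Administrator", "ABC", "XYZ")
      for s in range(1, 11)],
    ("2024-01-10T09:00:12", 4740, "Administrator", "ABC", "XYZ"),
    ("2024-01-10T09:00:13", 4767, "Administrator", "ABC", "XYZ"),
    *[("2024-01-10T09:00:%02d" % s, 4625, "Administrator", "ABC", "XYZ")
      for s in range(14, 24)],
    ("2024-01-10T09:00:25", 4740, "Administrator", "ABC", "XYZ"),
    ("2024-01-10T09:05:00", 4625, "jsmith", "FS01", "PC22"),  # one mistyped password
]

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """(source, host, account, n) for every triple with >= threshold failed
    logons inside one sliding window; a single typo never reaches threshold."""
    fails = defaultdict(list)
    for ts, eid, acct, host, src in events:
        if eid == 4625:
            fails[(src, host, acct)].append(datetime.fromisoformat(ts))
    findings = []
    for key, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((*key, best))
    return findings

def detect_unlock_relock(events):
    """Count unlock (4767) -> lockout (4740) cycles per triple. More than one
    cycle matches the re-unlock-and-retry behaviour described in the post."""
    cycles, pending = defaultdict(int), set()
    for _, eid, acct, host, src in sorted(events):
        key = (src, host, acct)
        if eid == 4767:
            pending.add(key)
        elif eid == 4740 and key in pending:
            cycles[key] += 1
            pending.discard(key)
    return {k: n for k, n in cycles.items() if n > 1}
```

Run against an export from the audit tool (LogRhythm or Change Auditor both carry these fields), the burst finding gives the source to pull process and scheduled-task history from, while the cycle count separates a genuine lockout from this repeat pattern.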
SOLUTION
Jawahar Eswaramoorthy
SOLUTION
Satish Auti
AndyJG247

ASKER

Hi,
Thanks for responding, much appreciated!

Jawahar
I see the event information in LogRhythm and Quest's Change Auditor software.
I don't believe the local admin account is configured anywhere and certainly not on that amount of servers.
Passwords are randomised on all hosts.

Satish
Not that I am aware of, drives are mapped via GP on all workstations.  If there was an odd one then I don't believe it would be on that many machines.
There are definitely no services running under the local admin account, certainly also none that would connect to what seems like randomly selected targets :(

cheers
Andrew
ASKER CERTIFIED SOLUTION
Thanks guys.  The cause has still eluded us but I will update if I ever get an answer.  Someone is trawling through the logs still as we speak.
thanks