Joe Lowe asked:

Account Lockout Notifications from Non-Domain PC

We receive alerts whenever there is an account that is locked out within AD. We see events 4740 and 4625 normally. However, we are having some generic accounts that show the Caller Computer Names as: Rdesktop, Windows8, Remmina, Windows10, sometimes no computer name, etc. These PC names are not on the network/domain so I cannot access them.

I understand the common reasons an account gets locked out, including brute-force attacks but I can't seem to find the source IP for the accounts being locked out. These specific accounts generate 4740 event IDs but not 4625 that show the source IP or additional information. I have looked online and downloaded tools like Microsoft's Lockout tool, Netwrix, and some others previously but they don't find anything that helped me dig further.

I'm at a loss on where to find these PCs or, if it's a brute-force attack, how/where to find the source IPs to block them. Any help is much appreciated.

Tags: Account Lockout, Active Directory, PC, Security
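One way to chase the question above from the defender's side, as an added example that is not part of the original post or of any tool named in it: pull the 4740 events from the PDC emulator (the "Caller Computer Name" in a 4740 is carried in the TargetDomainName data field), flag callers that are not domain-joined machines, and then search the DCs plus any RDP- or VPN-exposed member servers for 4625 and 4771 failures for the same accounts, since those events carry an IpAddress field. The point of the second step is that a 4625 for a remote desktop attempt is written on the server the client connected to, not on the DC that logged the lockout, so the DC alone shows the caller name without an address. The host list in $ExposedHosts and the 24-hour window are assumptions; the script needs the ActiveDirectory module and remote event-log read rights.

```powershell
# Added example (not the original poster's or any vendor's code).
# Assumptions: ActiveDirectory module available; $ExposedHosts is a hypothetical list
# of member servers reachable by RDP/VPN; the account has rights to read Security logs remotely.

$Pdc          = (Get-ADDomain).PDCEmulator
$Dcs          = (Get-ADDomainController -Filter *).HostName
$ExposedHosts = @('rdp-gw01.example.internal')   # hypothetical placeholder host name
$Since        = (Get-Date).AddHours(-24)

# Turn one event's EventData into a name -> value hashtable.
function Get-EventData {
  param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
  $x = [xml]$Event.ToXml()
  $d = @{}
  foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
  return $d
}

# Step 1: 4740 lockouts on the PDC emulator. TargetUserName is the locked account,
# TargetDomainName is the caller computer name reported by the authenticating client.
$lockouts = Get-WinEvent -ComputerName $Pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d      = Get-EventData $_
    $caller = $d['TargetDomainName']
    # A blank caller, or a name that is not a computer object in AD, is the suspicious case
    # (Rdesktop and Remmina are Linux RDP client names, not domain members).
    $inAd = $false
    if (-not [string]::IsNullOrWhiteSpace($caller)) {
      $inAd = [bool](Get-ADComputer -Filter "Name -eq '$caller'" -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Caller = $caller; InAD = $inAd }
  }

Write-Host "Lockouts whose caller is not a domain computer:"
$lockouts | Where-Object { -not $_.InAD } | Format-Table Time, User, Caller -AutoSize

# Step 2: for the affected accounts, find failure events that carry a source address.
# 4625 (failed logon, LogonType 3 = network, 10 = remote interactive) and
# 4771 (Kerberos pre-authentication failed) both include an IpAddress field.
$users = $lockouts | Select-Object -ExpandProperty User -Unique
$hits = foreach ($h in (($Dcs + $ExposedHosts) | Select-Object -Unique)) {
  Get-WinEvent -ComputerName $h `
      -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $Since } `
      -ErrorAction SilentlyContinue |
    ForEach-Object {
      $d = Get-EventData $_
      if ($users -contains $d['TargetUserName']) {
        [pscustomobject]@{
          Host        = $h
          Time        = $_.TimeCreated
          Id          = $_.Id
          User        = $d['TargetUserName']
          Workstation = $d['WorkstationName']
          IpAddress   = $d['IpAddress']
          LogonType   = $d['LogonType']
        }
      }
    }
}

Write-Host "Failure events with a source address for those accounts:"
$hits | Sort-Object Time | Format-Table -AutoSize
```

If step 2 returns nothing on the DCs but the lockouts continue, the authentication is reaching the domain through a server that is not in the list: extend $ExposedHosts to every host the firewall forwards RDP, VPN, or mail traffic to, since that host, not the DC, holds the 4625 with the client address.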


8/22/2022 - Mon

These are brute force attacks from systems able to connect to your domain resources. That implies, some of your systems are reachable from the internet. Is that intended? Not to be taken lightly.
Joe Lowe

I do not know of any systems internally that are reachable from the internet. We have some AWS instances also and I attempted to contact them via RDP, for example, and they are not reachable publicly.

Or some East Asian students who play a game...

I guess the first inspection point is your firewall to the internet.
The firewall can make a preauthentication against AD or just route traffic to any other internal service.
As the user tries to log in, there has to be some kind of interface the user can reach from outside.
As the firewall sees all external connections, you may find the source of such attempts here.
Be aware that even if you think you do not have anything publicly available, at least email is open.
So it is even possible that they try to connect via a native email protocol.

An open port scanner may give a clue which ports are open to the external world, and this may even give you an idea of what you have to observe.

But there are sometimes also just trivial reasons why users are blocked, e.g. if users connect their mobile phones to the network (for email). And if they change their password, they usually forget their mobile devices. Another option is saved passwords in the Windows Credential Manager. Just to have it said: the reasons may sometimes just be simple.
