Rohan
Hello,
I have a Windows 2000 network with 3 domain controllers (Advanced Server)
and about 50 Windows 2000 Professional clients.
All the accounts get locked out, strangely, about three times a day. The
frequency of this has increased. The account lockout policies are set to
default only. I have checked the Domain Security Policy as well as the
Default Domain Policy. I don't notice anything out of the way.
However, in the Event log, I get messages like:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: BRBROWN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BRBROWN
My domain name is GLOBALTECH, and there's no workstation named BRBROWN!!!
I also get some messages like:
Logon Failure:
Reason: Account locked out
User Name: harshal
Domain: ISERVE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: COMP21
Here, the username is true, even though the domain name and workstation do
not exist!!
The above are Failure Audits.
There are also success audits:
Domain Policy Changed: Password Policy modified
Domain: GLOBALTECH
Domain ID: GLOBALTECH\
Caller User Name: NETFIN$
Caller Domain: GLOBALTECH
Caller Logon ID: (0x0,0x3E7)
Privileges: -
and
Kerberos Policy Changed:
Changed By:
User Name: NETFIN$
Domain Name: GLOBALTECH
Logon ID: (0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
--
NETFIN is my main domain controller.
I have Microsoft ISA on a domain controller called SERVER3.
IIS isn't running anywhere on a live IP.
Am I getting attacked?? Please help!!
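
A triage sketch for the failure audits quoted above, added here as an example and not part of the original post: it parses exported "Logon Failure" records and groups network (type 3) failures whose claimed domain is not one of yours. The text export layout, the KNOWN_DOMAINS set and the function names are assumptions; the sample records are reconstructed from the two events in the post.

```python
import re
from collections import Counter

KNOWN_DOMAINS = {"GLOBALTECH"}  # assumption: add any trusted domains you really have

# Constructed sample: the two failure audits quoted in the post, as exported text.
SAMPLE = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: BRBROWN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BRBROWN

Logon Failure:
Reason: Account locked out
User Name: harshal
Domain: ISERVE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: COMP21
"""

def parse_failures(text):
    """Split exported text into one dict of fields per 'Logon Failure:' record."""
    events = []
    for chunk in re.split(r"(?m)^Logon Failure:[ \t]*$", text)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(events, known_domains=KNOWN_DOMAINS):
    """Return type 3 failures claiming an unknown domain, plus counts per source."""
    # Domain and Workstation Name are values the client sends in the NTLM exchange.
    foreign = [e for e in events
               if e.get("Logon Type") == "3"
               and e.get("Domain", "").upper() not in known_domains]
    by_source = Counter((e.get("Workstation Name"), e.get("Domain")) for e in foreign)
    return foreign, by_source

if __name__ == "__main__":
    foreign, by_source = triage(parse_failures(SAMPLE))
    for (ws, dom), n in by_source.most_common():
        print(f"{n} failure(s) from workstation={ws} domain={dom}")
    print("accounts targeted:", sorted({e["User Name"] for e in foreign}))
```

Run over a full export from each domain controller, the per-source counts show whether the lockouts trace back to a handful of outside machines or to something inside the network.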