Intrusion lockout source


Greg Liskey

Is there some tool to help us locate what IP the bad
attempts are coming from that cause the intrusion
lockout flag to get set in an AD domain?
 
If you enable auditing of logon events it should give you the name of an
internal LAN machine that is causing lockouts. If you want its IP address
then you could ping it by name or review the data for DHCP leases/WINS
registrations/DNS zone files. Attempts from the internet should be stopped
by a properly configured firewall. You can go to a selfscan site such as
http://scan.sygatetech.com/ to check for basic vulnerabilities. File and
print sharing should be disabled on network adapters with public IP
addresses exposed to the internet. To find the IP address of computer
attacks from the internet, you would need to view your firewall logs and
match times to failed logons in the security log in Event Viewer. See the
links below for more information on auditing and lockout issues. --- Steve

http://www.microsoft.com/technet/tr...curity/prodtech/win2000/secwin2k/09detect.asp

http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp
http://tinyurl.com/gt83 -- same link as above in case of wrap.
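
The time-matching step suggested in the reply above, as an added example that is not part of the original posts: it pairs each failed logon with firewall connections seen in the few seconds before it and counts the pairs per source IP. The two log formats, the sample rows, the 3-second window and the choice of file-sharing ports 139 and 445 are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not real logs): failed-logon times exported from the
# Security log as "timestamp,account", and firewall lines as "date time action src_ip dst_port".
FAILED_LOGONS = """\
2004-03-01 02:14:07,jsmith
2004-03-01 02:14:09,jsmith
2004-03-01 02:14:12,jsmith
2004-03-01 09:30:45,mbrown
"""
FIREWALL_LOG = """\
2004-03-01 02:14:06 ALLOW 203.0.113.45 445
2004-03-01 02:14:08 ALLOW 203.0.113.45 445
2004-03-01 02:14:11 ALLOW 203.0.113.45 445
2004-03-01 02:14:10 ALLOW 198.51.100.7 80
2004-03-01 05:00:00 ALLOW 192.0.2.10 445
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_failed_logons(text):
    for line in text.splitlines():
        if line.strip():
            ts, account = line.split(",", 1)
            yield datetime.strptime(ts, FMT), account.strip()

def parse_firewall(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:  # skip malformed lines
            yield datetime.strptime(parts[0] + " " + parts[1], FMT), parts[3], int(parts[4])

def correlate(failed_text, firewall_text, window_seconds=3, ports=(139, 445)):
    """Map (source IP, account) to the number of failed logons preceded, within the
    window, by a connection from that IP. Assumes both logs share a synchronized clock."""
    window = timedelta(seconds=window_seconds)
    conns = [c for c in parse_firewall(firewall_text) if c[2] in ports]
    hits, unmatched = Counter(), []
    for when, account in parse_failed_logons(failed_text):
        sources = {ip for ts, ip, _ in conns if timedelta(0) <= when - ts <= window}
        for ip in sources:
            hits[(ip, account)] += 1
        if not sources:  # no outside connection: likely an internal machine
            unmatched.append((when, account))
    return hits, unmatched
```

Failures left in the unmatched list have no matching firewall entry, which points back to the internal-machine case the reply describes.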
 