do a quick self scan for vulnerabilities in particular looking for access to
netbios/fps ports 135/137/138/139/445.
Be sure not to set your account lockout threshold too low. MS recommends a
minimum of ten as at times a single event can register multiple bad logon
attempts to the operating system, though I doubt that is the problem here.
You will also want to enable auditing of account logon events in the Domain
Controller Security Policy and logon events for failure in the Domain
Security Policy which will enable auditing on all of your domain machines
being sure to increase the size of the log to at least 10 MB on the domain
controllers. Then next time it happens start looking in the security logs in
Event Viewer of first domain controllers and then other servers to see what
accounts and what machines are causing the failed logons and any other
pertinent info in the event. You can use Event Comb - free from MS to scan
multiple computer security logs for specific events to make the job easier.
Don't rule out infected machines on your network that are trying to access
administrator accounts on other domain machines with a short dictionary
attack. Also certain network scanning software including Microsoft Baseline
Security Analyzer can cause account lockouts by testing for weak/blank
passwords.
More advanced steps to tracking down the problem may involve installing the
alockout.dll on a computer to see what process is causing lockouts by
correlating events in the log it generates to failed logon attempts in the
security log, though read the warning about installing it on servers. Also
enabling netlogon logging and looking in the netlogon log as described in
the link below can track down account lockouts to a particular computer by
tracing backwards from the pdc fsmo domain controller as the log will show
failed logons in the [logon] column right after the date and time. When you
scan netlogon logs you want to look for the lines with [logon] in them after
the time. In a W2K domain with all W2K/XP Pro computers those lines will
almost certainly be related to logon failures as ntlm will be tried after
kerberos fails. The line below is an example of how you can use the netlogon
log to trace on the pdc fsmo domain controller where a logon failure
occurred. My example shows that a user named King on computer named Lap2-XP
attempted to logon to a share on computer Desk1-XP and the attempt failed as
per "Returns 0xC0000064". Good luck. --- Steve
"05/14 17:19:20 [LOGON] SamLogon: Transitive Network logon of LAP2-XP\king
from LAP2-XP (via DESK1-XP) Returns 0xC0000064"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
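The netlogon-log tracing Steve describes is a scan for "[LOGON] ... Returns <status>" lines on the PDC FSMO role holder, grouping failures by account, originating computer and the server that relayed the request. The script below is an added example (it is not part of Steve's post and is not a Microsoft tool) that does exactly that scan offline over a constructed netlogon.log excerpt modelled on the line he quotes. The account and host names in the sample are made up; the NTSTATUS names are the documented values for those codes.

```python
import re
from collections import Counter

# Constructed sample netlogon.log excerpt in the format Steve's post quotes.
# Line 1 is his example; the rest are made-up lines for the same host pair.
SAMPLE_NETLOGON_LOG = """\
05/14 17:19:20 [LOGON] SamLogon: Transitive Network logon of LAP2-XP\\king from LAP2-XP (via DESK1-XP) Returns 0xC0000064
05/14 17:19:21 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\merrick from LAP2-XP (via DESK1-XP) Returns 0xC000006A
05/14 17:19:22 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\merrick from LAP2-XP (via DESK1-XP) Returns 0xC000006A
05/14 17:19:23 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\merrick from LAP2-XP (via DESK1-XP) Returns 0xC0000234
05/14 17:20:05 [LOGON] SamLogon: Network logon of CONTOSO\\alice from WS07 Entered
05/14 17:20:05 [LOGON] SamLogon: Network logon of CONTOSO\\alice from WS07 Returns 0x0
05/14 17:20:10 [MISC] DsGetDcName function called: client PID=1234
"""

# Only the "Returns" lines carry a status; "Entered" lines are the request arriving.
# "from" is the computer the user sat at, "(via X)" is the server that forwarded
# the request to the DC (the share server in Steve's example).
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+?)"
    r"(?: \(via (?P<via>\S+?)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Well-known NTSTATUS values seen in netlogon.log "Returns" fields.
NTSTATUS_NAMES = {
    0x0: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_netlogon(text):
    """Return one dict per '[LOGON] ... Returns' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        code = int(m["status"], 16)
        records.append({
            "ts": m["ts"],
            "kind": m["kind"],
            "account": m["account"],
            "source": m["source"],
            "via": m["via"],            # None when the DC was contacted directly
            "status": code,
            "status_name": NTSTATUS_NAMES.get(code, "UNKNOWN_%08X" % code),
        })
    return records


def summarize_failures(records):
    """Count non-success results per (account, source computer, relaying server)."""
    return Counter(
        (r["account"], r["source"], r["via"])
        for r in records if r["status"] != 0
    )


def lockout_events(records):
    """Records where the DC reported the account as locked out (0xC0000234)."""
    return [r for r in records if r["status"] == 0xC0000234]


def report(text):
    """Print the per-host failure table and the lockout lines, like a manual scan."""
    records = parse_netlogon(text)
    for (account, source, via), n in summarize_failures(records).most_common():
        print("%-20s from %-10s via %-10s failures=%d" % (account, source, via, n))
    for r in lockout_events(records):
        print("%s LOCKOUT %s from %s via %s" % (r["ts"], r["account"], r["source"], r["via"]))
    return records


if __name__ == "__main__":
    report(SAMPLE_NETLOGON_LOG)
```

Run it against the real file (`%SystemRoot%\debug\netlogon.log` on the PDC FSMO holder after netlogon logging is enabled) by passing the file's contents to `report()`; the "from" host with the most failures just before a lockout line is the machine to inspect next with alockout.dll or the local Security log.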
Need Help!
I am running windows 2000 server and my users account
gets locked out a few times in a day. Even administrator
password is not spared. Usually the same group of users
are locked out and followed by the rest. I have tried to
figure out what went wrong but to no avail. I have
patched all my software and it seems not to resolve the
problems. I hope some can help how I can resolve this
problem or what kind of information i need to provide
in order to get some help. Would greatly appreciate as I
am getting sleepless nights over this! Please help !!
regards
Merrick