lots of 644/539 account lockout events

Archived from groups: microsoft.public.win2000.security

Hi,

We have a Windows 2000 domain and I see a lot of event IDs 644 and 539
(account lockouts) on each of our domain controllers' security logs. Many are
from users, which we suspect is fat-finger syndrome, but I also see quite a few
that say the administrator account is locked out. I use the administrator
account all day long and never get notified that it is locked out. Is there a
way to determine if this is malicious activity or something like a service
running with an old password?

Thanks,

Pete
 

Built-in administrator accounts cannot be locked out by default for network
logon and never for console logon. Possibly you are seeing a regular account
renamed administrator?? You might have your threshold too low. Microsoft
recommends a lockout threshold of no less than ten bad attempts, which is
still plenty to prevent brute-force password attacks unless you allow weak
passwords on your network. In some situations a single failed logon attempt
can generate multiple logon failures on the domain controller, which can then
cause premature lockouts. You should however verify that your firewall is
configured correctly, as password-guessing attempts can occur from the internet.
A self-scan site such as http://scan.sygatetech.com/ could do a test for
basic vulnerability. Also, many worms try to attack the administrator
account with a list of 200 or so guesses of commonly used
passwords. You would need to scan your computers for viruses/worms with the
latest virus definitions to check for that.

It would also be helpful to enable account logon events in the Domain
Controller Security Policy, and logon events and account management in Domain
Security Policy. By finding the failed logon events on domain controllers
and domain computers, and account lockouts on domain computers, you may be
able to track down which computers the failed logon attempts are initiated
from, to narrow your search for a compromised computer or a misconfiguration.
Account lockouts can be legitimate if caused by old credentials used by a
service, application, Scheduled Task, mapped drive, or a user still logged
on to another computer. The link below has some very helpful tips on tracking
down account lockouts. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
-- refer to the section on Troubleshooting Account Lockout.


"peter riedman" <peterriedman@discussions.microsoft.com> wrote in message
news:963AACBF-4A87-46CC-A1DA-0AE678CB988C@microsoft.com...
> Hi,
>
> We have a Windows 2000 domain and I see a lot of event IDs 644 and 539
> (account lockouts) on each of our domain controllers' security logs. Many are
> from users, which we suspect is fat-finger syndrome, but I also see quite a few
> that say the administrator account is locked out. I use the administrator
> account all day long and never get notified that it is locked out. Is there a
> way to determine if this is malicious activity or something like a service
> running with an old password?
>
> Thanks,
>
> Pete
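The reply above suggests enabling logon and account-management auditing and then grouping failed logons (event 529, which carries a Workstation Name) and lockouts (event 644, which carries a Caller Machine Name and the Target Account ID) per account, so that the source computer and the pattern tell you whether a lockout is a typo, a service or task with a stale password, or guessing from many hosts. The script below is an added example, not from the thread or from Microsoft: it parses a constructed comma-separated export (the export format, the account names, machine names and SIDs are all made up) and applies three heuristics of my own: one source machine and one lockout is probably a typed password, evenly spaced lockouts from one machine look like a stored credential retrying, and lockouts arriving from several machines need investigation. It also checks whether the locked-out "Administrator" really is the built-in account (relative ID 500), which bears on the reply's point that the built-in account is normally not lockable for network logon.

```python
"""Triage Windows 2000 account-lockout audit events (added example, not from the thread)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export, one record per line:
#   timestamp,event id,account,target account SID (644 only),source machine
# 529 = logon failure (bad password), source is the Workstation Name.
# 644 = user account locked out, source is the Caller Machine Name.
# Names, machines and SIDs are invented for the example.
SAMPLE_EVENTS = [
    "2004-03-01 08:00:00,529,jsmith,,WS-ACCT12",
    "2004-03-01 08:00:01,529,jsmith,,WS-ACCT12",
    "2004-03-01 08:00:02,529,jsmith,,WS-ACCT12",
    "2004-03-01 08:00:03,644,jsmith,S-1-5-21-1000000000-2000000000-3000000000-1201,WS-ACCT12",
    # a backup service retrying an old password once an hour from one server
    "2004-03-01 08:00:00,644,svc_backup,S-1-5-21-1000000000-2000000000-3000000000-1150,SRV-BACKUP1",
    "2004-03-01 09:00:00,644,svc_backup,S-1-5-21-1000000000-2000000000-3000000000-1150,SRV-BACKUP1",
    "2004-03-01 10:00:00,644,svc_backup,S-1-5-21-1000000000-2000000000-3000000000-1150,SRV-BACKUP1",
    "2004-03-01 11:00:00,644,svc_backup,S-1-5-21-1000000000-2000000000-3000000000-1150,SRV-BACKUP1",
    # an account named Administrator being tried from several workstations
    "2004-03-01 12:13:44,529,Administrator,,WS-HR07",
    "2004-03-01 12:14:01,529,Administrator,,WS-LAB03",
    "2004-03-01 12:14:20,529,Administrator,,WS-SALES2",
    "2004-03-01 12:14:55,644,Administrator,S-1-5-21-1000000000-2000000000-3000000000-1105,WS-LAB03",
]


def parse_export(lines):
    """Parse the constructed export into (timestamp, event id, account, sid, source) tuples."""
    events = []
    for line in lines:
        ts, eid, account, sid, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), account, sid or None, source))
    return events


def is_builtin_admin(sid):
    """The built-in Administrator account always has relative ID 500 in its SID."""
    return sid is not None and sid.endswith("-500")


def triage(events):
    """Group 529/644 events per account and attach a heuristic verdict."""
    by_acct = defaultdict(lambda: {"failures": 0, "lockouts": [], "sources": set(), "sid": None})
    for ts, eid, account, sid, source in events:
        rec = by_acct[account]
        rec["sources"].add(source)
        if eid == 529:
            rec["failures"] += 1
        elif eid == 644:
            rec["lockouts"].append(ts)
            if sid:
                rec["sid"] = sid

    result = {}
    for account, rec in by_acct.items():
        lockouts = sorted(rec["lockouts"])
        gaps = [(b - a).total_seconds() for a, b in zip(lockouts, lockouts[1:])]
        # "periodic" = at least three lockouts whose spacing varies by under 10%
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= 0.1 * median(gaps)
        if len(rec["sources"]) > 1:
            verdict = "multiple sources: investigate for password guessing or a worm"
        elif periodic:
            verdict = "periodic from one machine: stale credential (service, task, mapped drive)"
        elif len(lockouts) <= 1:
            verdict = "isolated: probably a mistyped password"
        else:
            verdict = "repeated from one machine: check that host's services and sessions"
        result[account] = {
            "failures": rec["failures"],
            "lockouts": len(lockouts),
            "sources": sorted(rec["sources"]),
            "builtin_admin": is_builtin_admin(rec["sid"]),
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for account, summary in triage(parse_export(SAMPLE_EVENTS)).items():
        print(f"{account}: {summary}")
```

On a real Windows 2000 domain the same fields come from each domain controller's Security log (the source computer is only present when account logon auditing is on, as the reply says), and the thresholds in the heuristics are starting points to tune, not rules.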