Sign in with
Sign up | Sign in
Your question

lots of 644/539 account lockout events

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
October 14, 2004 6:45:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

We have a windows 2000 domain and I see a lot of event ID 644 and 539
(account lockouts) on each of our domain controller security logs. Many are
from users which we suspect is fat finger syndrome but I also see quite a few
that say the administrator account is locked out. I use the administrator
account all day long and never get notified that it is locked out. Is there a
way to determine if this is malicious activity or something like a service
running with an old password?

Thanks,

Pete
Anonymous
a b 8 Security
October 15, 2004 8:09:16 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Built in administrator accounts can not be locked out by default to network
logon and never to console logon. Possibly you are seeing a regular account
renamed administrator?? You might have your threshold too low. Microsoft
recommends a lockout threshold of no less than ten bad attempts which is
still plenty to prevent brute force password attacks unless you allow weak
passwords on your network. In some situations a single failed logon attempt
can generate multiple logon failures on the domain controller that can then
cause premature lockouts. You should however verify that your firewall is
configured correctly as password guess attempts can occur from the internet.
A self scan site such as http://scan.sygatetech.com/ could do a test for
basic vulnerability. Also many worms try to attack the administrators
account with a list of 200 or so password guesses of commonly used
passwords. You would need to scan your computers for viruses/worms with the
latest virus definitions to check for that.

It would also be helpful to enable account logon events in the Domain
Controller Security Policy and logon events and account management in Domain
Security Policy. By finding the failed logon events on domain controllers
and domain computers and account lockouts on domain computers you may be
able to track down what computers the failed logon attempts are initiated
from to narrow your search for compromised computer or misconfiguration.
Account lockouts can be legitimate if caused by old credentials used by a
service, application, Scheduled Task, mapped drives, or user still logged
onto another computer. The link below has some very helpful tips in tracking
down account lockouts. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsser...
-- refer to section on Troubleshooting Account Lockout.


"peter riedman" <peterriedman@discussions.microsoft.com> wrote in message
news:963AACBF-4A87-46CC-A1DA-0AE678CB988C@microsoft.com...
> Hi,
>
> We have a windows 2000 domain and I see a lot of event ID 644 and 539
> (account lockouts) on each of our domain controller security logs. Many
> are
> from users which we suspect is fat finger syndrome but I also see quite a
> few
> that say the administrator account is locked out. I use the administrator
> account all day long and never get notified that it is locked out. Is
> there a
> way to determine if this is malicious activity or something like a service
> running with an old password?
>
> Thanks,
>
> Pete
!