July 25th, 2002, 04:55 AM
What the ????
I'm at a loss here and don't know where to look next. Some background first. We have a 60+ user network with 12 Windows 2000 servers running everything from SQL, Exchange, Citrix, File/Print/Fax, plus many other services. All servers are hotfixed, patched, secured, running the latest antivirus signatures. We have 2 pipes to the internet with firewalls, intrusion detection, content filtering. We thought we should be pretty safe from average security problems.
This is where I'm at a loss. A few days ago we had some users complaining that their accounts were locked out after they logged in and were working for a while. We started examining the security logs and found there was no indication of anything that would lock out a user for any reason. We audit everything down to the file level because we develop software. I have nothing to tell these users and can't think of anything else to do but keep unlocking their accounts. There are a bunch of strange logs that we can't explain. Some users seem to be randomly accessing other users' profiles and getting blocked. This shows up in the logs but it would not cause an account to be locked out.
Nothing has been changed in our network recently. Any help or suggestions would be appreciated very much.
Thanks in advance.
July 25th, 2002, 02:53 PM
Well, given that your IDS & firewall haven't alerted you to an intruder, I suspect your problem lies with one of your users within your network. What password rules do you have in place (invalid attempts before the account is locked)? I have had a situation in the past where this happened to me and it turned out to be someone playing a 'joke' by randomly locking out user accounts (he was caught by stupidity: he told someone he was doing it). Another option is that someone within your network is trying to 'brute force' user accounts to gain more authority.
This may be very difficult to track down. Are you auditing invalid password attempts? Can you audit to a level that tells you on which computer the invalid passwords are being entered?
July 25th, 2002, 03:10 PM
Do you audit login failures as well as successful attempts? This way you can see if you have multiple failed attempts to log into an account.
My other computer is a 4000 node Beowulf Cluster
July 25th, 2002, 03:11 PM
In addition to what DjM said: are the users that get locked out related in any way? Do they have offices in the same hallway, do they share some responsibilities? In the first case, you are probably dealing with someone trying to 'hack' his fellow colleagues; in the second, someone is trying to penetrate some service. Third: are the attempts made at static time intervals? This may tell you whether or not an automated process is running...
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
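The three questions raised so far (are failed logons audited, which workstation are they coming from, and are the attempts spaced at a fixed interval) can all be answered from an exported security log. The script below is an added example, not something posted in this thread: it reads a constructed "timestamp,event_id,account,workstation" export, counts bad-password events per account and per workstation, marks which accounts actually got locked out, and flags accounts whose retries arrive at a near-constant interval, which is a sign of an automated process rather than a person mistyping. The event IDs 529 (bad user name or password) and 644 (user account locked out) are assumed to be the Windows 2000 values; the sample lines and workstation names are made up for the demonstration.

```python
"""Summarise failed logons per account and workstation from an exported
Windows 2000 security log and flag retries that run on a fixed clock."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Event IDs assumed for Windows 2000: 529 = logon failure (bad user name or
# password), 644 = user account locked out. 528 (successful logon) is ignored.
BAD_PASSWORD = 529
ACCOUNT_LOCKED = 644

# Constructed sample export (not real data from the thread).
# Columns: timestamp, event id, account, workstation the attempt came from.
SAMPLE_LOG = """\
2002-07-24 09:01:00,529,jsmith,WS-ACCT-07
2002-07-24 09:01:30,529,jsmith,WS-ACCT-07
2002-07-24 09:02:00,529,jsmith,WS-ACCT-07
2002-07-24 09:02:30,529,jsmith,WS-ACCT-07
2002-07-24 09:03:00,529,jsmith,WS-ACCT-07
2002-07-24 09:03:00,644,jsmith,WS-ACCT-07
2002-07-24 09:15:12,529,bjones,WS-DEV-03
2002-07-24 09:30:00,529,mlee,WS-DEV-03
2002-07-24 09:34:17,529,mlee,WS-DEV-03
2002-07-24 09:40:00,529,mlee,WS-ACCT-07
2002-07-24 09:51:02,529,mlee,WS-DEV-03
2002-07-24 10:40:03,529,bjones,WS-DEV-03
2002-07-24 10:41:00,528,bjones,WS-DEV-03
"""


def parse_events(text):
    """Turn the comma-separated export into a time-sorted list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, workstation = (f.strip() for f in line.split(","))
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "account": account.lower(),
            "workstation": workstation.upper(),
        })
    return sorted(events, key=lambda e: e["time"])


def regular_interval(times, tolerance_s=2.0, min_intervals=2):
    """Return (is_regular, mean_gap_seconds). Gaps between consecutive
    attempts that barely vary point at a script; humans are not that tidy."""
    if len(times) < min_intervals + 1:
        return False, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= tolerance_s, mean(gaps)


def summarize(text, min_failures=3):
    """Per account: failure count, source workstations, lockout status and
    whether the retries from the busiest workstation run on a fixed interval."""
    failures = defaultdict(lambda: defaultdict(list))
    locked = set()
    for ev in parse_events(text):
        if ev["id"] == BAD_PASSWORD:
            failures[ev["account"]][ev["workstation"]].append(ev["time"])
        elif ev["id"] == ACCOUNT_LOCKED:
            locked.add(ev["account"])

    report = {}
    for account, per_ws in failures.items():
        total = sum(len(t) for t in per_ws.values())
        if total < min_failures and account not in locked:
            continue  # a couple of typos is normal; skip the noise
        # The workstation with the most failures is where to start looking.
        top_ws = max(per_ws, key=lambda w: len(per_ws[w]))
        regular, gap = regular_interval(sorted(per_ws[top_ws]))
        report[account] = {
            "failures": total,
            "workstations": sorted(per_ws),
            "top_workstation": top_ws,
            "locked_out": account in locked,
            "regular_interval": regular,
            "mean_gap_s": gap,
        }
    return report


if __name__ == "__main__":
    for account, info in summarize(SAMPLE_LOG).items():
        print(account, info)
```

Run against the sample, jsmith shows five failures from one workstation at an exact 30-second cadence followed by a lockout, which is the pattern to chase down to a specific machine; mlee fails from two workstations at irregular gaps and is not locked out, which looks like a person; bjones drops below the threshold entirely. Feed it your own export by replacing SAMPLE_LOG with the contents of a CSV saved from Event Viewer once failure auditing is turned on.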
July 25th, 2002, 03:12 PM
Why don't you turn on password logging and see what's actually happening?
July 25th, 2002, 03:21 PM
You should probably try logging everything, at least while you try to figure this one out. Also, posting some of your logs might help us see what is going on. I'm sure there are plenty of people here like myself that look at logs all day (or so it seems). Just edit out any info you do not want others to see (i.e. IP addys). Also, where do you send your logs and who has access? A little more info please.
A squirrel with no nuts will soon starve.
August 2nd, 2002, 11:33 PM
Log everything and make sure no process or service runs under a user's username. Need more info to help!
August 3rd, 2002, 12:14 AM
Is everyone running W2K or do you have NT, 98/95 or DOS clients also?
I have seen Windows 98 do this to a network, since it is domain-ignorant.
Do you assign IP numbers at the PC or do you use DHCP?
It almost sounds like a PDC fight between servers.
My suggestion is to bring down the servers, then bring up the PDC first, the BDCs next and then the rest.
Second, fix IP addresses at the desktop if you are using DHCP: 192.168.10.x or some other hobbyist numbers. Pain in the butt, but at least you can now link an address to a user, and it's a great way to waste 4 hours. This will make logins faster and lock users into the network they are supposed to be in.