All domain accounts lock - regular basis

By p.erickson ·
I inherited a small 30 workstation network that has 4 NT servers running service pack 6a. On a regular daily basis all of the domain accounts lock in alphabetical order. There is no specific time or event to tie it to. Sometimes it happens in the morning, sometimes overnight, sometimes in the afternoon. It looks as though the BDC is processing the logins. The logins come from fictional workstation/domain names, it seems. What could it be? What should I do?

by dotcomma In reply to All domain accounts lock ...

Strange indeed!
I guess you already checked for viruses/worms/trojans, which would be my first idea, since it happens in alphabetical order and from fictional names.

Do you have internet connectivity? Is the firewall setup correct? Or are there individual users with modems connecting out?
When the netbios ports aren't closed to the internet, someone from the outside might try to connect to your domain.

Monika

by p.erickson In reply to

Thank you a bunch, all answers were good! Poster rated this answer.

by Don Christner In reply to All domain accounts lock ...

Sounds like someone is using a brute force attack to try to login to your network. You must have autolockout after a certain number of attempts. You need to find the IP of who is attempting to login and report the activity to their ISP immediately.

Don

by Don Christner In reply to

P.S. They will eventually succeed, so get on it right away!

by p.erickson In reply to

Thank you a bunch, all answers were good! Poster rated this answer.

by p.erickson In reply to All domain accounts lock ...

How do I track the attack and locate where it is coming from? Are there any programs out there to see which IP this is coming from? I would think it would be especially hard seeing as the workstation name changes frequently.

by CG IT In reply to All domain accounts lock ...

Look at Snort: http://www.snort.org/

Now you need to determine if this is a WAN attack or LAN attack. Snort will give you so much information it can be overwhelming, especially if you have it on a system before your firewall. If you put Snort after your firewall and before your network, you'll be able to find out just about everything on what's coming in and going out. If your intrusion is NOT WAN based, then you might consider some measures to lock down workstations [some of which are sure to get the users to revolt and take up arms].

by CG IT In reply to

LAN-based attacks should be fairly easy to find out where they are coming from. Someone locally logs on and runs their brute force crack program. I doubt it but hey, it's been known to happen. Lock down workstations as tight as you can without user revolt [deny CD, floppy, shutdown access unless locally logged on. Deny log on locally to everyone except the admin account. Selectively deny internet access by group and see if it stops. Then allow it and see if it starts up again.]
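
Added example, not part of the original thread: once failed-logon records that carry a source address are available (for instance from a sensor placed as described above), grouping by source IP instead of by the changing workstation name exposes a source that walks the account list alphabetically. The record layout, account names, workstation names and addresses below are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: time,account,claimed_workstation,source_ip.
# This column layout is an assumption, not an NT or Snort export format.
SAMPLE = """\
2003-01-06 02:14:01,aanders,WKS-QX71,10.0.0.57
2003-01-06 02:14:03,aanders,HOST-11B,10.0.0.57
2003-01-06 02:14:06,bclark,PC-ZZ09,10.0.0.57
2003-01-06 02:14:08,bclark,NODE-4F,10.0.0.57
2003-01-06 02:14:11,cdavis,WKS-A1A1,10.0.0.57
2003-01-06 02:14:13,cdavis,BOX-77,10.0.0.57
2003-01-06 02:14:16,dmoore,PC-K3,10.0.0.57
2003-01-06 02:14:18,dmoore,HOST-9Q,10.0.0.57
2003-01-06 08:31:40,jsmith,WKS-JSMITH,10.0.0.21
2003-01-06 08:31:52,jsmith,WKS-JSMITH,10.0.0.21
"""


def sweep_sources(text, min_accounts=4):
    """Group failed logons by source IP and flag alphabetical account sweeps."""
    by_ip = defaultdict(list)
    for when, account, workstation, ip in csv.reader(io.StringIO(text)):
        by_ip[ip].append((when, account.lower(), workstation))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()  # timestamps in this layout sort chronologically as text
        order = []   # accounts in the order they were first targeted
        for _, account, _ in rows:
            if account not in order:
                order.append(account)
        findings[ip] = {
            "attempts": len(rows),
            "accounts": len(order),
            "workstation_names": len({w for _, _, w in rows}),
            # Many accounts, first hit in sorted order: a list being walked,
            # not a user mistyping a password.
            "sweep": len(order) >= min_accounts and order == sorted(order),
        }
    return findings


if __name__ == "__main__":
    for ip, info in sweep_sources(SAMPLE).items():
        print(ip, info)
```

A source with one account and one workstation name, like the second address in the sample, is the normal mistyped-password case and is not flagged.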

by p.erickson In reply to

Thank you a bunch, all answers were good! Poster rated this answer.

by p.erickson In reply to All domain accounts lock ...

This question was closed by the author
