Hacker locking my accounts

[Guest just bob]

Microsoft wizards please help me as I am desperate. Someone continues to

lock all my admin accounts. My firewall is working properly (allowing only

port 53) so I think the guy is using one of the 120 PC's or another server

on my network to read my user database and identify the admin accounts and

send a command to lock them. We've got the latest Symantec antivirus

corporate edition installed and updated on all the machines and it's

supposed to identify spyware, etc. Why is it so easy for this guy to do

this? I have downloaded all the high priority updates for all machines,

servers and PC's. We've also used the server lockdown tool. Why doesn't this

help? Most importantly, why does Microsoft not give me more detailed info on

which machine this guy is using? The event log just has a random spoof

machine name. Last time he did this he spoofed the machine name field to say

"sorry". I got lucky there was one admin account he missed and I was able

to unlock the accounts. Next time I fear I will not be so lucky.

 

If there is a better group or forum to use or consultant I can call to get

help please advise.

[Guest Tomasz Onyszko]

Re: Hacker locking my accounts

 

just bob wrote:

> Microsoft wizards please help me as I am desperate. Someone continues to

> lock all my admin accounts. My firewall is working properly (allowing only

> port 53) so I think the guy is using one of the 120 PC's or another server

> on my network to read my user database and identify the admin accounts and

> send a command to lock them. We've got the latest Symantec antivirus

> corporate edition installed and updated on all the machines and it's

> supposed to identify spyware, etc. Why is it so easy for this guy to do

> this? I have downloaded all the high priority updates for all machines,

> servers and PC's. We've also used the server lockdown tool. Why doesn't this

> help? Most importantly, why does Microsoft not give me more detailed info on

> which machine this guy is using? The event log just has a random spoof

> machine name. Last time he did this he spoofed the machine name field to say

> "sorry". I got lucky there was one admin account he missed and I was able

> to unlock the accounts. Next time I fear I will not be so lucky.

>

> If there is a better group or forum to use or consultant I can call to get

> help please advise.

 

It doesn't necessary has to be a hacker trying to breach your network -

it might be (and it is more likely ) old service or mapped network share

which is using old administrator account.

 

Try to use these tools to troubleshoot the cause of your problems:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

 

--

Tomasz Onyszko

http://www.w2k.pl/ - (PL)

http://blogs.dirteam.com/blogs/tomek/ - (EN)

[Guest Andrew Lomakin]

Re: Hacker locking my accounts

 

Bob,

 

The best suggestion for you would be to reinstall all network computers

(including the server), BUT if you want to find out where is the noise

coming from, you might want to capture network traffic, and then try to

analyze it, or see if someone here can help you to analyze it.

You can try to capture traffic using tool called `wireshark` -

http://www.wireshark.org, but also you need to identify how is hacker getting into

your network...

 

Regards,

 

Andrew

 

"just bob" <kilbyfan@aol.com> wrote in message

news:47dd8adc$0$84236$742ec2ed@news.sonic.net...

> Microsoft wizards please help me as I am desperate. Someone continues to

> lock all my admin accounts. My firewall is working properly (allowing only

> port 53) so I think the guy is using one of the 120 PC's or another server

> on my network to read my user database and identify the admin accounts and

> send a command to lock them. We've got the latest Symantec antivirus

> corporate edition installed and updated on all the machines and it's

> supposed to identify spyware, etc. Why is it so easy for this guy to do

> this? I have downloaded all the high priority updates for all machines,

> servers and PC's. We've also used the server lockdown tool. Why doesn't

> this help? Most importantly, why does Microsoft not give me more detailed

> info on which machine this guy is using? The event log just has a random

> spoof machine name. Last time he did this he spoofed the machine name

> field to say "sorry". I got lucky there was one admin account he missed

> and I was able to unlock the accounts. Next time I fear I will not be so

> lucky.

>

> If there is a better group or forum to use or consultant I can call to get

> help please advise.

>

[Guest Paul Weterings]

Re: Hacker locking my accounts

 

Hey Bob, Didn't we talk before on this? I recall advising WireShark.

 

However, reading the below I'm getting a better impression of what is

happening. Microsoft IS giving you the correct information to find the

person doing this, depending on how you have things running.

 

Forgive me if below I'm going too 'low level', it's pretty basic stuff,

but your mail sounds like your at the end of your rope, and I just want

to make sure we've covered all the bases, including the obvious ones.

 

From what your writing this sounds like a brute force password guessing

tools that is being used against your administrative accounts. To start

there's a few things your can do with group policies to at least make

sure you don't get into trouble, while making things harder for the

'hacker'.

 

The following steps are just to 'temporarily protect yourself' while

investigating further, to make sure you accounts aren't getting locked

out. Again: I'm not trying to sound demeaning, just covering the

bases/basics, so I'll go through every step, even though this may be

peanuts for you.

 

Chapter one: protection.

 

In the Group and Policy Manager; make sure to edit the Default Domain

Policy and go to the Windows Settings\Security Settings\Account Lockout

Policy.

 

Define the Account lockout duration to be not defined

Account lockout threshold: 0 invalid logon attempts

Reset account lockout counter after: not defined

 

Now your accounts will no longer be locked out. Be careful, as this also

allows the hacker to run his tools now unlimitedly against the accounts.

(the lockout slowed him down considerably). I'm only proposing this as

you point our that you fear losing your administrative accounts, but put

this lockout threshold back in place a.s.a.p. if you decide to go this

route in the first place.

 

 

Chapter two: identifying the hacker

 

This we can do by making sure Audit account logon events are being

audited correctly. To do this, we again are using Group Policy

Management and we'll define the Default Domain Controllers Policy.

INthat policy, go to Windows Settings\Security Settings\Local

Policies/Audit Policy and make sure to change 'Audit account logon

events'. See to it that Success as well as Failure (especially that one)

are being logged.

 

To ensure your Domain controllers have the policy applied as quickly as

possible you might consider runninf 'GPUpdate /force' from the command

prompt on your CD's. Otherwise allow some time to pass.

 

Now each logon event will get logges in the eventlog, with the IP

address of the person attempting to logon. The problem is that a user

can logon using any domain controller, however; each failed logon on any

DC gets 'double checked' by that DC by sending it to the domains PDC

emulator (on of the FSMO roles as you may recall) so it makes most sense

to check the eventlogs of the PCD emulator Domain Controller. You can

easily find out who the PDC emulator is by opening Active Directory User

and computers, right-clicking your domain name, and selecting

'operations masters'.

 

The event-ID you are looking for is event: 575, Source: Security,

Category: Account Logon.

 

In the Description field you can see the user name of the account being

attempted, but more importantly: the IP number of the system from where

the attempt is being done.

 

 

I hope this helps you, sorry for wasting your time if you had already

done the above.

 

regards,

 

Paul

 

 

 

 

just bob wrote:

> Microsoft wizards please help me as I am desperate. Someone continues to

> lock all my admin accounts. My firewall is working properly (allowing only

> port 53) so I think the guy is using one of the 120 PC's or another server

> on my network to read my user database and identify the admin accounts and

> send a command to lock them. We've got the latest Symantec antivirus

> corporate edition installed and updated on all the machines and it's

> supposed to identify spyware, etc. Why is it so easy for this guy to do

> this? I have downloaded all the high priority updates for all machines,

> servers and PC's. We've also used the server lockdown tool. Why doesn't this

> help? Most importantly, why does Microsoft not give me more detailed info on

> which machine this guy is using? The event log just has a random spoof

> machine name. Last time he did this he spoofed the machine name field to say

> "sorry". I got lucky there was one admin account he missed and I was able

> to unlock the accounts. Next time I fear I will not be so lucky.

>

> If there is a better group or forum to use or consultant I can call to get

> help please advise.

>

>

[Guest Al Dunbar]

Re: Hacker locking my accounts

 

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>

> However, reading the below I'm getting a better impression of what is

> happening. Microsoft IS giving you the correct information to find the

> person doing this, depending on how you have things running.

>

> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

> but your mail sounds like your at the end of your rope, and I just want to

> make sure we've covered all the bases, including the obvious ones.

>

> From what your writing this sounds like a brute force password guessing

> tools that is being used against your administrative accounts.

 

While that could certainly be the case, it seems just as likely to be

somebody running a script designed to lock administrative accounts by using

their credentials continually with an invalid password.

> To start there's a few things your can do with group policies to at

> least make sure you don't get into trouble, while making things harder for

> the 'hacker'.

>

> The following steps are just to 'temporarily protect yourself' while

> investigating further, to make sure you accounts aren't getting locked

> out. Again: I'm not trying to sound demeaning, just covering the

> bases/basics, so I'll go through every step, even though this may be

> peanuts for you.

>

> Chapter one: protection.

>

> In the Group and Policy Manager; make sure to edit the Default Domain

> Policy and go to the Windows Settings\Security Settings\Account Lockout

> Policy.

>

> Define the Account lockout duration to be not defined

> Account lockout threshold: 0 invalid logon attempts

> Reset account lockout counter after: not defined

>

> Now your accounts will no longer be locked out. Be careful, as this also

> allows the hacker to run his tools now unlimitedly against the accounts.

> (the lockout slowed him down considerably). I'm only proposing this as you

> point our that you fear losing your administrative accounts, but put this

> lockout threshold back in place a.s.a.p. if you decide to go this route in

> the first place.

>

>

> Chapter two: identifying the hacker

>

> This we can do by making sure Audit account logon events are being audited

> correctly. To do this, we again are using Group Policy Management and

> we'll define the Default Domain Controllers Policy. INthat policy, go to

> Windows Settings\Security Settings\Local Policies/Audit Policy and make

> sure to change 'Audit account logon events'. See to it that Success as

> well as Failure (especially that one) are being logged.

>

> To ensure your Domain controllers have the policy applied as quickly as

> possible you might consider runninf 'GPUpdate /force' from the command

> prompt on your CD's. Otherwise allow some time to pass.

>

> Now each logon event will get logges in the eventlog, with the IP address

> of the person attempting to logon. The problem is that a user can logon

> using any domain controller, however; each failed logon on any DC gets

> 'double checked' by that DC by sending it to the domains PDC emulator (on

> of the FSMO roles as you may recall) so it makes most sense to check the

> eventlogs of the PCD emulator Domain Controller. You can easily find out

> who the PDC emulator is by opening Active Directory User and computers,

> right-clicking your domain name, and selecting 'operations masters'.

 

A question: does the IP address of the person get logged, even if they are

not attempting to logon, but to just, for example, map a share or use the

runas command? Those techniques could be used by a brute-force password

guessing program, but I am not sure if it is flagged as a logon event.

> The event-ID you are looking for is event: 575, Source: Security,

> Category: Account Logon.

>

> In the Description field you can see the user name of the account being

> attempted, but more importantly: the IP number of the system from where

> the attempt is being done.

>

>

> I hope this helps you, sorry for wasting your time if you had already done

> the above.

>

> regards,

>

> Paul

>

>

>

>

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

[Guest just bob]

Re: Hacker locking my accounts

 

 

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message

news:47DD9046.10605@w2k.pl...

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

>

> It doesn't necessary has to be a hacker trying to breach your network - it

> might be (and it is more likely ) old service or mapped network share

> which is using old administrator account.

 

???? The guy spoofs the machine name different every time. Last time he

called it "sorry"

[Guest just bob]

Re: Hacker locking my accounts

 

Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off

as you describe. Also I'm pretty sure I have my logging setup OK as I am

using a program to copy the logs from the OM to another machine and also it

sends me an email when it sees a string which indicates an account is locked

which is forwarded to my Blackberry. So I got the logging but... the problem

is the guy is making up random names for the machine and it does not show me

a IP address.

 

I used wireshark and am capturing all traffic to the ops master. But I do

not see any unknown IP addresses and I don't know wireshark well enough to

know how to look for the packets causing the attack to determine if it *is*

coming from one of my machines.

 

Thanks again for your help.

 

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>

> However, reading the below I'm getting a better impression of what is

> happening. Microsoft IS giving you the correct information to find the

> person doing this, depending on how you have things running.

>

> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

> but your mail sounds like your at the end of your rope, and I just want to

> make sure we've covered all the bases, including the obvious ones.

>

> From what your writing this sounds like a brute force password guessing

> tools that is being used against your administrative accounts. To start

> there's a few things your can do with group policies to at least make sure

> you don't get into trouble, while making things harder for the 'hacker'.

>

> The following steps are just to 'temporarily protect yourself' while

> investigating further, to make sure you accounts aren't getting locked

> out. Again: I'm not trying to sound demeaning, just covering the

> bases/basics, so I'll go through every step, even though this may be

> peanuts for you.

>

> Chapter one: protection.

>

> In the Group and Policy Manager; make sure to edit the Default Domain

> Policy and go to the Windows Settings\Security Settings\Account Lockout

> Policy.

>

> Define the Account lockout duration to be not defined

> Account lockout threshold: 0 invalid logon attempts

> Reset account lockout counter after: not defined

>

> Now your accounts will no longer be locked out. Be careful, as this also

> allows the hacker to run his tools now unlimitedly against the accounts.

> (the lockout slowed him down considerably). I'm only proposing this as you

> point our that you fear losing your administrative accounts, but put this

> lockout threshold back in place a.s.a.p. if you decide to go this route in

> the first place.

>

>

> Chapter two: identifying the hacker

>

> This we can do by making sure Audit account logon events are being audited

> correctly. To do this, we again are using Group Policy Management and

> we'll define the Default Domain Controllers Policy. INthat policy, go to

> Windows Settings\Security Settings\Local Policies/Audit Policy and make

> sure to change 'Audit account logon events'. See to it that Success as

> well as Failure (especially that one) are being logged.

>

> To ensure your Domain controllers have the policy applied as quickly as

> possible you might consider runninf 'GPUpdate /force' from the command

> prompt on your CD's. Otherwise allow some time to pass.

>

> Now each logon event will get logges in the eventlog, with the IP address

> of the person attempting to logon. The problem is that a user can logon

> using any domain controller, however; each failed logon on any DC gets

> 'double checked' by that DC by sending it to the domains PDC emulator (on

> of the FSMO roles as you may recall) so it makes most sense to check the

> eventlogs of the PCD emulator Domain Controller. You can easily find out

> who the PDC emulator is by opening Active Directory User and computers,

> right-clicking your domain name, and selecting 'operations masters'.

>

> The event-ID you are looking for is event: 575, Source: Security,

> Category: Account Logon.

>

> In the Description field you can see the user name of the account being

> attempted, but more importantly: the IP number of the system from where

> the attempt is being done.

>

>

> I hope this helps you, sorry for wasting your time if you had already done

> the above.

>

> regards,

>

> Paul

>

>

>

>

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

[Guest just bob]

Re: Hacker locking my accounts

 

I should have said he is making up random machine names, not "spoofing" as I

said.

 

Thanks for the link - I am going to see if I can find something there to

help.

 

 

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message

news:47DD9046.10605@w2k.pl...

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

>

> It doesn't necessary has to be a hacker trying to breach your network - it

> might be (and it is more likely ) old service or mapped network share

> which is using old administrator account.

>

> Try to use these tools to troubleshoot the cause of your problems:

> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

>

> --

> Tomasz Onyszko

> http://www.w2k.pl/ - (PL)

> http://blogs.dirteam.com/blogs/tomek/ - (EN)

[Guest just bob]

Re: Hacker locking my accounts

 

 

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message

news:47DD9046.10605@w2k.pl...

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

>

> It doesn't necessary has to be a hacker trying to breach your network - it

> might be (and it is more likely ) old service or mapped network share

> which is using old administrator account.

>

> Try to use these tools to troubleshoot the cause of your problems:

> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

>

 

Also I said he locked all my admin accounts which did include service

accounts for exchange and more. This is no accident - he knew exactly which

accounts were domain admins. I got lucky he missed the original local admin

account on his first pass because it turned out to be my only backdoor into

my own AD console. Then minutes later he locked that account too. And yes,

it is no longer called administrator.

[Guest just bob]

Re: Hacker locking my accounts

 

One more thing:

 

Is there a way to lock account without even trying three times? Is there

some way to send a packet which locks it on the first try? Because that is

how it looks. I could see how someone could send a packet to disable the

account but that is not what is happening.

 

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>

> However, reading the below I'm getting a better impression of what is

> happening. Microsoft IS giving you the correct information to find the

> person doing this, depending on how you have things running.

>

> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

> but your mail sounds like your at the end of your rope, and I just want to

> make sure we've covered all the bases, including the obvious ones.

>

> From what your writing this sounds like a brute force password guessing

> tools that is being used against your administrative accounts. To start

> there's a few things your can do with group policies to at least make sure

> you don't get into trouble, while making things harder for the 'hacker'.

>

> The following steps are just to 'temporarily protect yourself' while

> investigating further, to make sure you accounts aren't getting locked

> out. Again: I'm not trying to sound demeaning, just covering the

> bases/basics, so I'll go through every step, even though this may be

> peanuts for you.

>

> Chapter one: protection.

>

> In the Group and Policy Manager; make sure to edit the Default Domain

> Policy and go to the Windows Settings\Security Settings\Account Lockout

> Policy.

>

> Define the Account lockout duration to be not defined

> Account lockout threshold: 0 invalid logon attempts

> Reset account lockout counter after: not defined

>

> Now your accounts will no longer be locked out. Be careful, as this also

> allows the hacker to run his tools now unlimitedly against the accounts.

> (the lockout slowed him down considerably). I'm only proposing this as you

> point our that you fear losing your administrative accounts, but put this

> lockout threshold back in place a.s.a.p. if you decide to go this route in

> the first place.

>

>

> Chapter two: identifying the hacker

>

> This we can do by making sure Audit account logon events are being audited

> correctly. To do this, we again are using Group Policy Management and

> we'll define the Default Domain Controllers Policy. INthat policy, go to

> Windows Settings\Security Settings\Local Policies/Audit Policy and make

> sure to change 'Audit account logon events'. See to it that Success as

> well as Failure (especially that one) are being logged.

>

> To ensure your Domain controllers have the policy applied as quickly as

> possible you might consider runninf 'GPUpdate /force' from the command

> prompt on your CD's. Otherwise allow some time to pass.

>

> Now each logon event will get logges in the eventlog, with the IP address

> of the person attempting to logon. The problem is that a user can logon

> using any domain controller, however; each failed logon on any DC gets

> 'double checked' by that DC by sending it to the domains PDC emulator (on

> of the FSMO roles as you may recall) so it makes most sense to check the

> eventlogs of the PCD emulator Domain Controller. You can easily find out

> who the PDC emulator is by opening Active Directory User and computers,

> right-clicking your domain name, and selecting 'operations masters'.

>

> The event-ID you are looking for is event: 575, Source: Security,

> Category: Account Logon.

>

> In the Description field you can see the user name of the account being

> attempted, but more importantly: the IP number of the system from where

> the attempt is being done.

>

>

> I hope this helps you, sorry for wasting your time if you had already done

> the above.

>

> regards,

>

> Paul

>

>

>

>

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

[Guest just bob]

Re: Hacker locking my accounts

 

The guy just created a user account called "sorry". Strange he did not give

it domain admin access.

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>

> However, reading the below I'm getting a better impression of what is

> happening. Microsoft IS giving you the correct information to find the

> person doing this, depending on how you have things running.

>

> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

> but your mail sounds like your at the end of your rope, and I just want to

> make sure we've covered all the bases, including the obvious ones.

>

> From what your writing this sounds like a brute force password guessing

> tools that is being used against your administrative accounts. To start

> there's a few things your can do with group policies to at least make sure

> you don't get into trouble, while making things harder for the 'hacker'.

>

> The following steps are just to 'temporarily protect yourself' while

> investigating further, to make sure you accounts aren't getting locked

> out. Again: I'm not trying to sound demeaning, just covering the

> bases/basics, so I'll go through every step, even though this may be

> peanuts for you.

>

> Chapter one: protection.

>

> In the Group and Policy Manager; make sure to edit the Default Domain

> Policy and go to the Windows Settings\Security Settings\Account Lockout

> Policy.

>

> Define the Account lockout duration to be not defined

> Account lockout threshold: 0 invalid logon attempts

> Reset account lockout counter after: not defined

>

> Now your accounts will no longer be locked out. Be careful, as this also

> allows the hacker to run his tools now unlimitedly against the accounts.

> (the lockout slowed him down considerably). I'm only proposing this as you

> point our that you fear losing your administrative accounts, but put this

> lockout threshold back in place a.s.a.p. if you decide to go this route in

> the first place.

>

>

> Chapter two: identifying the hacker

>

> This we can do by making sure Audit account logon events are being audited

> correctly. To do this, we again are using Group Policy Management and

> we'll define the Default Domain Controllers Policy. INthat policy, go to

> Windows Settings\Security Settings\Local Policies/Audit Policy and make

> sure to change 'Audit account logon events'. See to it that Success as

> well as Failure (especially that one) are being logged.

>

> To ensure your Domain controllers have the policy applied as quickly as

> possible you might consider runninf 'GPUpdate /force' from the command

> prompt on your CD's. Otherwise allow some time to pass.

>

> Now each logon event will get logges in the eventlog, with the IP address

> of the person attempting to logon. The problem is that a user can logon

> using any domain controller, however; each failed logon on any DC gets

> 'double checked' by that DC by sending it to the domains PDC emulator (on

> of the FSMO roles as you may recall) so it makes most sense to check the

> eventlogs of the PCD emulator Domain Controller. You can easily find out

> who the PDC emulator is by opening Active Directory User and computers,

> right-clicking your domain name, and selecting 'operations masters'.

>

> The event-ID you are looking for is event: 575, Source: Security,

> Category: Account Logon.

>

> In the Description field you can see the user name of the account being

> attempted, but more importantly: the IP number of the system from where

> the attempt is being done.

>

>

> I hope this helps you, sorry for wasting your time if you had already done

> the above.

>

> regards,

>

> Paul

>

>

>

>

> just bob wrote:

>> Microsoft wizards please help me as I am desperate. Someone continues to

>> lock all my admin accounts. My firewall is working properly (allowing

>> only port 53) so I think the guy is using one of the 120 PC's or another

>> server on my network to read my user database and identify the admin

>> accounts and send a command to lock them. We've got the latest Symantec

>> antivirus corporate edition installed and updated on all the machines and

>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>> do this? I have downloaded all the high priority updates for all

>> machines, servers and PC's. We've also used the server lockdown tool. Why

>> doesn't this help? Most importantly, why does Microsoft not give me more

>> detailed info on which machine this guy is using? The event log just has

>> a random spoof machine name. Last time he did this he spoofed the machine

>> name field to say "sorry". I got lucky there was one admin account he

>> missed and I was able to unlock the accounts. Next time I fear I will not

>> be so lucky.

>>

>> If there is a better group or forum to use or consultant I can call to

>> get help please advise.

[Guest Larry Struckmeyer]

Re: Hacker locking my accounts

 

Hi Bob:

 

Just thinking about what I might do, and what the exposure is, and how

frustrating it must be to encounter this.

 

The 10 Immutable Laws tell us that if you have been repeatedly hacked, "it's

not your computer any more".

 

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

 

Further, there are serious folks that feel strongly that it will never be

"your computer" again. At least not "your hard drive".

 

If you can't figure out what the direct cause is, it might easily be a

intruder, or, perhaps worse, an intruders' program that changes these

accounts at random intervals, with or without a signal from "headquarters".

And, what else??

 

I think I would copy off user data, scrub it with several known anti

virus/anti malware products, and isolate it. Put back only what your users

demand, and only after opening each one on an isolated system that has

current anti spyware / anti spam /anti root kit products installed and

updated.

 

And, you should consider destroying every hard drive in the organization and

installing new drives and new installations of Windows.

 

Unless, of course, you can prove that the symptoms are harmless.

 

Call MS at:

 

FREE VIRUS AND SECURITY INFO: (888) PC SAFETY

 

--

Larry

 

 

"just bob" <kilbyfan@aol.com> wrote in message

news:47ddc3b0$0$36355$742ec2ed@news.sonic.net...

> One more thing:

>

> Is there a way to lock account without even trying three times? Is there

> some way to send a packet which locks it on the first try? Because that is

> how it looks. I could see how someone could send a packet to disable the

> account but that is not what is happening.

>

>

> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>

>> However, reading the below I'm getting a better impression of what is

>> happening. Microsoft IS giving you the correct information to find the

>> person doing this, depending on how you have things running.

>>

>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>> but your mail sounds like your at the end of your rope, and I just want

>> to make sure we've covered all the bases, including the obvious ones.

>>

>> From what your writing this sounds like a brute force password guessing

>> tools that is being used against your administrative accounts. To start

>> there's a few things your can do with group policies to at least make

>> sure you don't get into trouble, while making things harder for the

>> 'hacker'.

>>

>> The following steps are just to 'temporarily protect yourself' while

>> investigating further, to make sure you accounts aren't getting locked

>> out. Again: I'm not trying to sound demeaning, just covering the

>> bases/basics, so I'll go through every step, even though this may be

>> peanuts for you.

>>

>> Chapter one: protection.

>>

>> In the Group and Policy Manager; make sure to edit the Default Domain

>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>> Policy.

>>

>> Define the Account lockout duration to be not defined

>> Account lockout threshold: 0 invalid logon attempts

>> Reset account lockout counter after: not defined

>>

>> Now your accounts will no longer be locked out. Be careful, as this also

>> allows the hacker to run his tools now unlimitedly against the accounts.

>> (the lockout slowed him down considerably). I'm only proposing this as

>> you point our that you fear losing your administrative accounts, but put

>> this lockout threshold back in place a.s.a.p. if you decide to go this

>> route in the first place.

>>

>>

>> Chapter two: identifying the hacker

>>

>> This we can do by making sure Audit account logon events are being

>> audited correctly. To do this, we again are using Group Policy Management

>> and we'll define the Default Domain Controllers Policy. INthat policy, go

>> to Windows Settings\Security Settings\Local Policies/Audit Policy and

>> make sure to change 'Audit account logon events'. See to it that Success

>> as well as Failure (especially that one) are being logged.

>>

>> To ensure your Domain controllers have the policy applied as quickly as

>> possible you might consider runninf 'GPUpdate /force' from the command

>> prompt on your CD's. Otherwise allow some time to pass.

>>

>> Now each logon event will get logges in the eventlog, with the IP address

>> of the person attempting to logon. The problem is that a user can logon

>> using any domain controller, however; each failed logon on any DC gets

>> 'double checked' by that DC by sending it to the domains PDC emulator (on

>> of the FSMO roles as you may recall) so it makes most sense to check the

>> eventlogs of the PCD emulator Domain Controller. You can easily find out

>> who the PDC emulator is by opening Active Directory User and computers,

>> right-clicking your domain name, and selecting 'operations masters'.

>>

>> The event-ID you are looking for is event: 575, Source: Security,

>> Category: Account Logon.

>>

>> In the Description field you can see the user name of the account being

>> attempted, but more importantly: the IP number of the system from where

>> the attempt is being done.

>>

>>

>> I hope this helps you, sorry for wasting your time if you had already

>> done the above.

>>

>> regards,

>>

>> Paul

>>

>>

>>

>>

>> just bob wrote:

>>> Microsoft wizards please help me as I am desperate. Someone continues to

>>> lock all my admin accounts. My firewall is working properly (allowing

>>> only port 53) so I think the guy is using one of the 120 PC's or another

>>> server on my network to read my user database and identify the admin

>>> accounts and send a command to lock them. We've got the latest Symantec

>>> antivirus corporate edition installed and updated on all the machines

>>> and it's supposed to identify spyware, etc. Why is it so easy for this

>>> guy to do this? I have downloaded all the high priority updates for all

>>> machines, servers and PC's. We've also used the server lockdown tool.

>>> Why doesn't this help? Most importantly, why does Microsoft not give me

>>> more detailed info on which machine this guy is using? The event log

>>> just has a random spoof machine name. Last time he did this he spoofed

>>> the machine name field to say "sorry". I got lucky there was one admin

>>> account he missed and I was able to unlock the accounts. Next time I

>>> fear I will not be so lucky.

>>>

>>> If there is a better group or forum to use or consultant I can call to

>>> get help please advise.

>

>

[Guest Roger Abell [MVP]]

Re: Hacker locking my accounts

 

If the person created a domain account then they likely

aleady do have domain admin and really did not need

to set up red flags by causing an entry named sorry in

the list of domain admin accounts.

 

 

"just bob" <kilbyfan@aol.com> wrote in message

news:47ddc960$0$36352$742ec2ed@news.sonic.net...

> The guy just created a user account called "sorry". Strange he did not

> give it domain admin access.

>

> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>

>> However, reading the below I'm getting a better impression of what is

>> happening. Microsoft IS giving you the correct information to find the

>> person doing this, depending on how you have things running.

>>

>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>> but your mail sounds like your at the end of your rope, and I just want

>> to make sure we've covered all the bases, including the obvious ones.

>>

>> From what your writing this sounds like a brute force password guessing

>> tools that is being used against your administrative accounts. To start

>> there's a few things your can do with group policies to at least make

>> sure you don't get into trouble, while making things harder for the

>> 'hacker'.

>>

>> The following steps are just to 'temporarily protect yourself' while

>> investigating further, to make sure you accounts aren't getting locked

>> out. Again: I'm not trying to sound demeaning, just covering the

>> bases/basics, so I'll go through every step, even though this may be

>> peanuts for you.

>>

>> Chapter one: protection.

>>

>> In the Group and Policy Manager; make sure to edit the Default Domain

>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>> Policy.

>>

>> Define the Account lockout duration to be not defined

>> Account lockout threshold: 0 invalid logon attempts

>> Reset account lockout counter after: not defined

>>

>> Now your accounts will no longer be locked out. Be careful, as this also

>> allows the hacker to run his tools now unlimitedly against the accounts.

>> (the lockout slowed him down considerably). I'm only proposing this as

>> you point our that you fear losing your administrative accounts, but put

>> this lockout threshold back in place a.s.a.p. if you decide to go this

>> route in the first place.

>>

>>

>> Chapter two: identifying the hacker

>>

>> This we can do by making sure Audit account logon events are being

>> audited correctly. To do this, we again are using Group Policy Management

>> and we'll define the Default Domain Controllers Policy. INthat policy, go

>> to Windows Settings\Security Settings\Local Policies/Audit Policy and

>> make sure to change 'Audit account logon events'. See to it that Success

>> as well as Failure (especially that one) are being logged.

>>

>> To ensure your Domain controllers have the policy applied as quickly as

>> possible you might consider runninf 'GPUpdate /force' from the command

>> prompt on your CD's. Otherwise allow some time to pass.

>>

>> Now each logon event will get logges in the eventlog, with the IP address

>> of the person attempting to logon. The problem is that a user can logon

>> using any domain controller, however; each failed logon on any DC gets

>> 'double checked' by that DC by sending it to the domains PDC emulator (on

>> of the FSMO roles as you may recall) so it makes most sense to check the

>> eventlogs of the PCD emulator Domain Controller. You can easily find out

>> who the PDC emulator is by opening Active Directory User and computers,

>> right-clicking your domain name, and selecting 'operations masters'.

>>

>> The event-ID you are looking for is event: 575, Source: Security,

>> Category: Account Logon.

>>

>> In the Description field you can see the user name of the account being

>> attempted, but more importantly: the IP number of the system from where

>> the attempt is being done.

>>

>>

>> I hope this helps you, sorry for wasting your time if you had already

>> done the above.

>>

>> regards,

>>

>> Paul

>>

>>

>>

>>

>> just bob wrote:

>>> Microsoft wizards please help me as I am desperate. Someone continues to

>>> lock all my admin accounts. My firewall is working properly (allowing

>>> only port 53) so I think the guy is using one of the 120 PC's or another

>>> server on my network to read my user database and identify the admin

>>> accounts and send a command to lock them. We've got the latest Symantec

>>> antivirus corporate edition installed and updated on all the machines

>>> and it's supposed to identify spyware, etc. Why is it so easy for this

>>> guy to do this? I have downloaded all the high priority updates for all

>>> machines, servers and PC's. We've also used the server lockdown tool.

>>> Why doesn't this help? Most importantly, why does Microsoft not give me

>>> more detailed info on which machine this guy is using? The event log

>>> just has a random spoof machine name. Last time he did this he spoofed

>>> the machine name field to say "sorry". I got lucky there was one admin

>>> account he missed and I was able to unlock the accounts. Next time I

>>> fear I will not be so lucky.

>>>

>>> If there is a better group or forum to use or consultant I can call to

>>> get help please advise.

>

>

[Guest Roger Abell [MVP]]

Re: Hacker locking my accounts

 

You have not state what the Windows version is.

It sounds like it must be an older one if there is no IP in the

login failure event messages.

 

 

"just bob" <kilbyfan@aol.com> wrote in message

news:47ddbfa6$0$36366$742ec2ed@news.sonic.net...

> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking

> off as you describe. Also I'm pretty sure I have my logging setup OK as I

> am using a program to copy the logs from the OM to another machine and

> also it sends me an email when it sees a string which indicates an account

> is locked which is forwarded to my Blackberry. So I got the logging but...

> the problem is the guy is making up random names for the machine and it

> does not show me a IP address.

>

> I used wireshark and am capturing all traffic to the ops master. But I do

> not see any unknown IP addresses and I don't know wireshark well enough to

> know how to look for the packets causing the attack to determine if it

> *is* coming from one of my machines.

>

> Thanks again for your help.

>

>

> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>

>> However, reading the below I'm getting a better impression of what is

>> happening. Microsoft IS giving you the correct information to find the

>> person doing this, depending on how you have things running.

>>

>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>> but your mail sounds like your at the end of your rope, and I just want

>> to make sure we've covered all the bases, including the obvious ones.

>>

>> From what your writing this sounds like a brute force password guessing

>> tools that is being used against your administrative accounts. To start

>> there's a few things your can do with group policies to at least make

>> sure you don't get into trouble, while making things harder for the

>> 'hacker'.

>>

>> The following steps are just to 'temporarily protect yourself' while

>> investigating further, to make sure you accounts aren't getting locked

>> out. Again: I'm not trying to sound demeaning, just covering the

>> bases/basics, so I'll go through every step, even though this may be

>> peanuts for you.

>>

>> Chapter one: protection.

>>

>> In the Group and Policy Manager; make sure to edit the Default Domain

>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>> Policy.

>>

>> Define the Account lockout duration to be not defined

>> Account lockout threshold: 0 invalid logon attempts

>> Reset account lockout counter after: not defined

>>

>> Now your accounts will no longer be locked out. Be careful, as this also

>> allows the hacker to run his tools now unlimitedly against the accounts.

>> (the lockout slowed him down considerably). I'm only proposing this as

>> you point our that you fear losing your administrative accounts, but put

>> this lockout threshold back in place a.s.a.p. if you decide to go this

>> route in the first place.

>>

>>

>> Chapter two: identifying the hacker

>>

>> This we can do by making sure Audit account logon events are being

>> audited correctly. To do this, we again are using Group Policy Management

>> and we'll define the Default Domain Controllers Policy. INthat policy, go

>> to Windows Settings\Security Settings\Local Policies/Audit Policy and

>> make sure to change 'Audit account logon events'. See to it that Success

>> as well as Failure (especially that one) are being logged.

>>

>> To ensure your Domain controllers have the policy applied as quickly as

>> possible you might consider runninf 'GPUpdate /force' from the command

>> prompt on your CD's. Otherwise allow some time to pass.

>>

>> Now each logon event will get logges in the eventlog, with the IP address

>> of the person attempting to logon. The problem is that a user can logon

>> using any domain controller, however; each failed logon on any DC gets

>> 'double checked' by that DC by sending it to the domains PDC emulator (on

>> of the FSMO roles as you may recall) so it makes most sense to check the

>> eventlogs of the PCD emulator Domain Controller. You can easily find out

>> who the PDC emulator is by opening Active Directory User and computers,

>> right-clicking your domain name, and selecting 'operations masters'.

>>

>> The event-ID you are looking for is event: 575, Source: Security,

>> Category: Account Logon.

>>

>> In the Description field you can see the user name of the account being

>> attempted, but more importantly: the IP number of the system from where

>> the attempt is being done.

>>

>>

>> I hope this helps you, sorry for wasting your time if you had already

>> done the above.

>>

>> regards,

>>

>> Paul

>>

>>

>>

>>

>> just bob wrote:

>>> Microsoft wizards please help me as I am desperate. Someone continues to

>>> lock all my admin accounts. My firewall is working properly (allowing

>>> only port 53) so I think the guy is using one of the 120 PC's or another

>>> server on my network to read my user database and identify the admin

>>> accounts and send a command to lock them. We've got the latest Symantec

>>> antivirus corporate edition installed and updated on all the machines

>>> and it's supposed to identify spyware, etc. Why is it so easy for this

>>> guy to do this? I have downloaded all the high priority updates for all

>>> machines, servers and PC's. We've also used the server lockdown tool.

>>> Why doesn't this help? Most importantly, why does Microsoft not give me

>>> more detailed info on which machine this guy is using? The event log

>>> just has a random spoof machine name. Last time he did this he spoofed

>>> the machine name field to say "sorry". I got lucky there was one admin

>>> account he missed and I was able to unlock the accounts. Next time I

>>> fear I will not be so lucky.

>>>

>>> If there is a better group or forum to use or consultant I can call to

>>> get help please advise.

>

>

[Guest Tomasz Onyszko]

Re: Hacker locking my accounts

 

just bob wrote:

> ???? The guy spoofs the machine name different every time. Last time he

> called it "sorry"

 

OK - sorry :) I've missed this aprt of Your post

 

--

Tomasz Onyszko

http://www.w2k.pl/ - (PL)

http://blogs.dirteam.com/blogs/tomek/ - (EN)

[Guest Paul Weterings]

Re: Hacker locking my accounts

 

The auditing settings I described logs -an IP address- in the event log

of your PDC DC comptroller, which I think is what you are looking for.

Are you really sure you've got your auditing set up correctly using

group policy?

 

Once you have the IP address, we're ready for the next step... getting

even ;-)

 

b.t.w. There is no 'lock' packet, the only way to lock an account is to

attempt to login with the wrong credentials a number of times.

 

with regards to WireShark; you could filter out Kerberos and/or NTLM, as

these take care of authentication. The rest can be left out.

 

cheers,

 

Paul

 

just bob wrote:

> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off

> as you describe. Also I'm pretty sure I have my logging setup OK as I am

> using a program to copy the logs from the OM to another machine and also it

> sends me an email when it sees a string which indicates an account is locked

> which is forwarded to my Blackberry. So I got the logging but... the problem

> is the guy is making up random names for the machine and it does not show me

> a IP address.

>

> I used wireshark and am capturing all traffic to the ops master. But I do

> not see any unknown IP addresses and I don't know wireshark well enough to

> know how to look for the packets causing the attack to determine if it *is*

> coming from one of my machines.

>

> Thanks again for your help.

>

>

> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>

>> However, reading the below I'm getting a better impression of what is

>> happening. Microsoft IS giving you the correct information to find the

>> person doing this, depending on how you have things running.

>>

>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>> but your mail sounds like your at the end of your rope, and I just want to

>> make sure we've covered all the bases, including the obvious ones.

>>

>> From what your writing this sounds like a brute force password guessing

>> tools that is being used against your administrative accounts. To start

>> there's a few things your can do with group policies to at least make sure

>> you don't get into trouble, while making things harder for the 'hacker'.

>>

>> The following steps are just to 'temporarily protect yourself' while

>> investigating further, to make sure you accounts aren't getting locked

>> out. Again: I'm not trying to sound demeaning, just covering the

>> bases/basics, so I'll go through every step, even though this may be

>> peanuts for you.

>>

>> Chapter one: protection.

>>

>> In the Group and Policy Manager; make sure to edit the Default Domain

>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>> Policy.

>>

>> Define the Account lockout duration to be not defined

>> Account lockout threshold: 0 invalid logon attempts

>> Reset account lockout counter after: not defined

>>

>> Now your accounts will no longer be locked out. Be careful, as this also

>> allows the hacker to run his tools now unlimitedly against the accounts.

>> (the lockout slowed him down considerably). I'm only proposing this as you

>> point our that you fear losing your administrative accounts, but put this

>> lockout threshold back in place a.s.a.p. if you decide to go this route in

>> the first place.

>>

>>

>> Chapter two: identifying the hacker

>>

>> This we can do by making sure Audit account logon events are being audited

>> correctly. To do this, we again are using Group Policy Management and

>> we'll define the Default Domain Controllers Policy. INthat policy, go to

>> Windows Settings\Security Settings\Local Policies/Audit Policy and make

>> sure to change 'Audit account logon events'. See to it that Success as

>> well as Failure (especially that one) are being logged.

>>

>> To ensure your Domain controllers have the policy applied as quickly as

>> possible you might consider runninf 'GPUpdate /force' from the command

>> prompt on your CD's. Otherwise allow some time to pass.

>>

>> Now each logon event will get logges in the eventlog, with the IP address

>> of the person attempting to logon. The problem is that a user can logon

>> using any domain controller, however; each failed logon on any DC gets

>> 'double checked' by that DC by sending it to the domains PDC emulator (on

>> of the FSMO roles as you may recall) so it makes most sense to check the

>> eventlogs of the PCD emulator Domain Controller. You can easily find out

>> who the PDC emulator is by opening Active Directory User and computers,

>> right-clicking your domain name, and selecting 'operations masters'.

>>

>> The event-ID you are looking for is event: 575, Source: Security,

>> Category: Account Logon.

>>

>> In the Description field you can see the user name of the account being

>> attempted, but more importantly: the IP number of the system from where

>> the attempt is being done.

>>

>>

>> I hope this helps you, sorry for wasting your time if you had already done

>> the above.

>>

>> regards,

>>

>> Paul

>>

>>

>>

>>

>> just bob wrote:

>>> Microsoft wizards please help me as I am desperate. Someone continues to

>>> lock all my admin accounts. My firewall is working properly (allowing

>>> only port 53) so I think the guy is using one of the 120 PC's or another

>>> server on my network to read my user database and identify the admin

>>> accounts and send a command to lock them. We've got the latest Symantec

>>> antivirus corporate edition installed and updated on all the machines and

>>> it's supposed to identify spyware, etc. Why is it so easy for this guy to

>>> do this? I have downloaded all the high priority updates for all

>>> machines, servers and PC's. We've also used the server lockdown tool. Why

>>> doesn't this help? Most importantly, why does Microsoft not give me more

>>> detailed info on which machine this guy is using? The event log just has

>>> a random spoof machine name. Last time he did this he spoofed the machine

>>> name field to say "sorry". I got lucky there was one admin account he

>>> missed and I was able to unlock the accounts. Next time I fear I will not

>>> be so lucky.

>>>

>>> If there is a better group or forum to use or consultant I can call to

>>> get help please advise.

>

>

[Guest just bob]

Re: Hacker locking my accounts

 

Aha, I get it. I will change our settings for more details. And I gotta get

better at understanding the wireshark data!

 

Thanks again

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl...

> The auditing settings I described logs -an IP address- in the event log of

> your PDC DC comptroller, which I think is what you are looking for. Are

> you really sure you've got your auditing set up correctly using group

> policy?

>

> Once you have the IP address, we're ready for the next step... getting

> even ;-)

>

> b.t.w. There is no 'lock' packet, the only way to lock an account is to

> attempt to login with the wrong credentials a number of times.

>

> with regards to WireShark; you could filter out Kerberos and/or NTLM, as

> these take care of authentication. The rest can be left out.

>

> cheers,

>

> Paul

>

> just bob wrote:

>> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking

>> off as you describe. Also I'm pretty sure I have my logging setup OK as I

>> am using a program to copy the logs from the OM to another machine and

>> also it sends me an email when it sees a string which indicates an

>> account is locked which is forwarded to my Blackberry. So I got the

>> logging but... the problem is the guy is making up random names for the

>> machine and it does not show me a IP address.

>>

>> I used wireshark and am capturing all traffic to the ops master. But I do

>> not see any unknown IP addresses and I don't know wireshark well enough

>> to know how to look for the packets causing the attack to determine if it

>> *is* coming from one of my machines.

>>

>> Thanks again for your help.

>>

>>

>> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

>> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>>

>>> However, reading the below I'm getting a better impression of what is

>>> happening. Microsoft IS giving you the correct information to find the

>>> person doing this, depending on how you have things running.

>>>

>>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>>> but your mail sounds like your at the end of your rope, and I just want

>>> to make sure we've covered all the bases, including the obvious ones.

>>>

>>> From what your writing this sounds like a brute force password guessing

>>> tools that is being used against your administrative accounts. To start

>>> there's a few things your can do with group policies to at least make

>>> sure you don't get into trouble, while making things harder for the

>>> 'hacker'.

>>>

>>> The following steps are just to 'temporarily protect yourself' while

>>> investigating further, to make sure you accounts aren't getting locked

>>> out. Again: I'm not trying to sound demeaning, just covering the

>>> bases/basics, so I'll go through every step, even though this may be

>>> peanuts for you.

>>>

>>> Chapter one: protection.

>>>

>>> In the Group and Policy Manager; make sure to edit the Default Domain

>>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>>> Policy.

>>>

>>> Define the Account lockout duration to be not defined

>>> Account lockout threshold: 0 invalid logon attempts

>>> Reset account lockout counter after: not defined

>>>

>>> Now your accounts will no longer be locked out. Be careful, as this also

>>> allows the hacker to run his tools now unlimitedly against the accounts.

>>> (the lockout slowed him down considerably). I'm only proposing this as

>>> you point our that you fear losing your administrative accounts, but put

>>> this lockout threshold back in place a.s.a.p. if you decide to go this

>>> route in the first place.

>>>

>>>

>>> Chapter two: identifying the hacker

>>>

>>> This we can do by making sure Audit account logon events are being

>>> audited correctly. To do this, we again are using Group Policy

>>> Management and we'll define the Default Domain Controllers Policy.

>>> INthat policy, go to Windows Settings\Security Settings\Local

>>> Policies/Audit Policy and make sure to change 'Audit account logon

>>> events'. See to it that Success as well as Failure (especially that one)

>>> are being logged.

>>>

>>> To ensure your Domain controllers have the policy applied as quickly as

>>> possible you might consider runninf 'GPUpdate /force' from the command

>>> prompt on your CD's. Otherwise allow some time to pass.

>>>

>>> Now each logon event will get logges in the eventlog, with the IP

>>> address of the person attempting to logon. The problem is that a user

>>> can logon using any domain controller, however; each failed logon on any

>>> DC gets 'double checked' by that DC by sending it to the domains PDC

>>> emulator (on of the FSMO roles as you may recall) so it makes most sense

>>> to check the eventlogs of the PCD emulator Domain Controller. You can

>>> easily find out who the PDC emulator is by opening Active Directory User

>>> and computers, right-clicking your domain name, and selecting

>>> 'operations masters'.

>>>

>>> The event-ID you are looking for is event: 575, Source: Security,

>>> Category: Account Logon.

>>>

>>> In the Description field you can see the user name of the account being

>>> attempted, but more importantly: the IP number of the system from where

>>> the attempt is being done.

>>>

>>>

>>> I hope this helps you, sorry for wasting your time if you had already

>>> done the above.

>>>

>>> regards,

>>>

>>> Paul

>>>

>>>

>>>

>>>

>>> just bob wrote:

>>>> Microsoft wizards please help me as I am desperate. Someone continues

>>>> to lock all my admin accounts. My firewall is working properly

>>>> (allowing only port 53) so I think the guy is using one of the 120 PC's

>>>> or another server on my network to read my user database and identify

>>>> the admin accounts and send a command to lock them. We've got the

>>>> latest Symantec antivirus corporate edition installed and updated on

>>>> all the machines and it's supposed to identify spyware, etc. Why is it

>>>> so easy for this guy to do this? I have downloaded all the high

>>>> priority updates for all machines, servers and PC's. We've also used

>>>> the server lockdown tool. Why doesn't this help? Most importantly, why

>>>> does Microsoft not give me more detailed info on which machine this guy

>>>> is using? The event log just has a random spoof machine name. Last time

>>>> he did this he spoofed the machine name field to say "sorry". I got

>>>> lucky there was one admin account he missed and I was able to unlock

>>>> the accounts. Next time I fear I will not be so lucky.

>>>>

>>>> If there is a better group or forum to use or consultant I can call to

>>>> get help please advise.

>>

[Guest Paul Weterings]

Re: Hacker locking my accounts

 

To create machine account you do not need to be admin...

 

Bob has (in another thread) mailed that he's found the offender though...

 

Roger Abell [MVP] wrote:

> If the person created a domain account then they likely

> aleady do have domain admin and really did not need

> to set up red flags by causing an entry named sorry in

> the list of domain admin accounts.

>

>

> "just bob" <kilbyfan@aol.com> wrote in message

> news:47ddc960$0$36352$742ec2ed@news.sonic.net...

>> The guy just created a user account called "sorry". Strange he did not

>> give it domain admin access.

>>

>> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

>> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>>

>>> However, reading the below I'm getting a better impression of what is

>>> happening. Microsoft IS giving you the correct information to find the

>>> person doing this, depending on how you have things running.

>>>

>>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>>> but your mail sounds like your at the end of your rope, and I just want

>>> to make sure we've covered all the bases, including the obvious ones.

>>>

>>> From what your writing this sounds like a brute force password guessing

>>> tools that is being used against your administrative accounts. To start

>>> there's a few things your can do with group policies to at least make

>>> sure you don't get into trouble, while making things harder for the

>>> 'hacker'.

>>>

>>> The following steps are just to 'temporarily protect yourself' while

>>> investigating further, to make sure you accounts aren't getting locked

>>> out. Again: I'm not trying to sound demeaning, just covering the

>>> bases/basics, so I'll go through every step, even though this may be

>>> peanuts for you.

>>>

>>> Chapter one: protection.

>>>

>>> In the Group and Policy Manager; make sure to edit the Default Domain

>>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>>> Policy.

>>>

>>> Define the Account lockout duration to be not defined

>>> Account lockout threshold: 0 invalid logon attempts

>>> Reset account lockout counter after: not defined

>>>

>>> Now your accounts will no longer be locked out. Be careful, as this also

>>> allows the hacker to run his tools now unlimitedly against the accounts.

>>> (the lockout slowed him down considerably). I'm only proposing this as

>>> you point our that you fear losing your administrative accounts, but put

>>> this lockout threshold back in place a.s.a.p. if you decide to go this

>>> route in the first place.

>>>

>>>

>>> Chapter two: identifying the hacker

>>>

>>> This we can do by making sure Audit account logon events are being

>>> audited correctly. To do this, we again are using Group Policy Management

>>> and we'll define the Default Domain Controllers Policy. INthat policy, go

>>> to Windows Settings\Security Settings\Local Policies/Audit Policy and

>>> make sure to change 'Audit account logon events'. See to it that Success

>>> as well as Failure (especially that one) are being logged.

>>>

>>> To ensure your Domain controllers have the policy applied as quickly as

>>> possible you might consider runninf 'GPUpdate /force' from the command

>>> prompt on your CD's. Otherwise allow some time to pass.

>>>

>>> Now each logon event will get logges in the eventlog, with the IP address

>>> of the person attempting to logon. The problem is that a user can logon

>>> using any domain controller, however; each failed logon on any DC gets

>>> 'double checked' by that DC by sending it to the domains PDC emulator (on

>>> of the FSMO roles as you may recall) so it makes most sense to check the

>>> eventlogs of the PCD emulator Domain Controller. You can easily find out

>>> who the PDC emulator is by opening Active Directory User and computers,

>>> right-clicking your domain name, and selecting 'operations masters'.

>>>

>>> The event-ID you are looking for is event: 575, Source: Security,

>>> Category: Account Logon.

>>>

>>> In the Description field you can see the user name of the account being

>>> attempted, but more importantly: the IP number of the system from where

>>> the attempt is being done.

>>>

>>>

>>> I hope this helps you, sorry for wasting your time if you had already

>>> done the above.

>>>

>>> regards,

>>>

>>> Paul

>>>

>>>

>>>

>>>

>>> just bob wrote:

>>>> Microsoft wizards please help me as I am desperate. Someone continues to

>>>> lock all my admin accounts. My firewall is working properly (allowing

>>>> only port 53) so I think the guy is using one of the 120 PC's or another

>>>> server on my network to read my user database and identify the admin

>>>> accounts and send a command to lock them. We've got the latest Symantec

>>>> antivirus corporate edition installed and updated on all the machines

>>>> and it's supposed to identify spyware, etc. Why is it so easy for this

>>>> guy to do this? I have downloaded all the high priority updates for all

>>>> machines, servers and PC's. We've also used the server lockdown tool.

>>>> Why doesn't this help? Most importantly, why does Microsoft not give me

>>>> more detailed info on which machine this guy is using? The event log

>>>> just has a random spoof machine name. Last time he did this he spoofed

>>>> the machine name field to say "sorry". I got lucky there was one admin

>>>> account he missed and I was able to unlock the accounts. Next time I

>>>> fear I will not be so lucky.

>>>>

>>>> If there is a better group or forum to use or consultant I can call to

>>>> get help please advise.

>>

>

>

[Guest Al Dunbar]

Re: Hacker locking my accounts

 

 

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl...

> The auditing settings I described logs -an IP address- in the event log of

> your PDC DC comptroller, which I think is what you are looking for. Are

> you really sure you've got your auditing set up correctly using group

> policy?

>

> Once you have the IP address, we're ready for the next step... getting

> even ;-)

>

> b.t.w. There is no 'lock' packet, the only way to lock an account is to

> attempt to login with the wrong credentials a number of times.

 

IMHO, you need not actually attempt to login, you only need to use the

credentials with an incorrect password, which can be done in the context of

a runas command, or using credentials to map a share. This is admitedly a

trivial factoid, however, someone not realizing this might come to some

invalid conclusions.

 

/Al

> with regards to WireShark; you could filter out Kerberos and/or NTLM, as

> these take care of authentication. The rest can be left out.

>

> cheers,

>

> Paul

>

> just bob wrote:

>> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking

>> off as you describe. Also I'm pretty sure I have my logging setup OK as I

>> am using a program to copy the logs from the OM to another machine and

>> also it sends me an email when it sees a string which indicates an

>> account is locked which is forwarded to my Blackberry. So I got the

>> logging but... the problem is the guy is making up random names for the

>> machine and it does not show me a IP address.

>>

>> I used wireshark and am capturing all traffic to the ops master. But I do

>> not see any unknown IP addresses and I don't know wireshark well enough

>> to know how to look for the packets causing the attack to determine if it

>> *is* coming from one of my machines.

>>

>> Thanks again for your help.

>>

>>

>> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

>> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>>

>>> However, reading the below I'm getting a better impression of what is

>>> happening. Microsoft IS giving you the correct information to find the

>>> person doing this, depending on how you have things running.

>>>

>>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>>> but your mail sounds like your at the end of your rope, and I just want

>>> to make sure we've covered all the bases, including the obvious ones.

>>>

>>> From what your writing this sounds like a brute force password guessing

>>> tools that is being used against your administrative accounts. To start

>>> there's a few things your can do with group policies to at least make

>>> sure you don't get into trouble, while making things harder for the

>>> 'hacker'.

>>>

>>> The following steps are just to 'temporarily protect yourself' while

>>> investigating further, to make sure you accounts aren't getting locked

>>> out. Again: I'm not trying to sound demeaning, just covering the

>>> bases/basics, so I'll go through every step, even though this may be

>>> peanuts for you.

>>>

>>> Chapter one: protection.

>>>

>>> In the Group and Policy Manager; make sure to edit the Default Domain

>>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>>> Policy.

>>>

>>> Define the Account lockout duration to be not defined

>>> Account lockout threshold: 0 invalid logon attempts

>>> Reset account lockout counter after: not defined

>>>

>>> Now your accounts will no longer be locked out. Be careful, as this also

>>> allows the hacker to run his tools now unlimitedly against the accounts.

>>> (the lockout slowed him down considerably). I'm only proposing this as

>>> you point our that you fear losing your administrative accounts, but put

>>> this lockout threshold back in place a.s.a.p. if you decide to go this

>>> route in the first place.

>>>

>>>

>>> Chapter two: identifying the hacker

>>>

>>> This we can do by making sure Audit account logon events are being

>>> audited correctly. To do this, we again are using Group Policy

>>> Management and we'll define the Default Domain Controllers Policy.

>>> INthat policy, go to Windows Settings\Security Settings\Local

>>> Policies/Audit Policy and make sure to change 'Audit account logon

>>> events'. See to it that Success as well as Failure (especially that one)

>>> are being logged.

>>>

>>> To ensure your Domain controllers have the policy applied as quickly as

>>> possible you might consider runninf 'GPUpdate /force' from the command

>>> prompt on your CD's. Otherwise allow some time to pass.

>>>

>>> Now each logon event will get logges in the eventlog, with the IP

>>> address of the person attempting to logon. The problem is that a user

>>> can logon using any domain controller, however; each failed logon on any

>>> DC gets 'double checked' by that DC by sending it to the domains PDC

>>> emulator (on of the FSMO roles as you may recall) so it makes most sense

>>> to check the eventlogs of the PCD emulator Domain Controller. You can

>>> easily find out who the PDC emulator is by opening Active Directory User

>>> and computers, right-clicking your domain name, and selecting

>>> 'operations masters'.

>>>

>>> The event-ID you are looking for is event: 575, Source: Security,

>>> Category: Account Logon.

>>>

>>> In the Description field you can see the user name of the account being

>>> attempted, but more importantly: the IP number of the system from where

>>> the attempt is being done.

>>>

>>>

>>> I hope this helps you, sorry for wasting your time if you had already

>>> done the above.

>>>

>>> regards,

>>>

>>> Paul

>>>

>>>

>>>

>>>

>>> just bob wrote:

>>>> Microsoft wizards please help me as I am desperate. Someone continues

>>>> to lock all my admin accounts. My firewall is working properly

>>>> (allowing only port 53) so I think the guy is using one of the 120 PC's

>>>> or another server on my network to read my user database and identify

>>>> the admin accounts and send a command to lock them. We've got the

>>>> latest Symantec antivirus corporate edition installed and updated on

>>>> all the machines and it's supposed to identify spyware, etc. Why is it

>>>> so easy for this guy to do this? I have downloaded all the high

>>>> priority updates for all machines, servers and PC's. We've also used

>>>> the server lockdown tool. Why doesn't this help? Most importantly, why

>>>> does Microsoft not give me more detailed info on which machine this guy

>>>> is using? The event log just has a random spoof machine name. Last time

>>>> he did this he spoofed the machine name field to say "sorry". I got

>>>> lucky there was one admin account he missed and I was able to unlock

>>>> the accounts. Next time I fear I will not be so lucky.

>>>>

>>>> If there is a better group or forum to use or consultant I can call to

>>>> get help please advise.

>>

[Guest Remco]

Re: Hacker locking my accounts

 

I had 2 computers once also that locked out the user a couple of times a day

and network shares were the problem.

check the event log to see if it is the IP address of this computer which

locks out the account.

if so, it is coming from that pc and shares and nethood settings can be a

propable source.

With 1 pc I couldnt track down the actual process so I reinstalled the pc

and the problem was gone also.

 

 

 

"Al Dunbar" <AlanDrub@hotmail.com.nospaam> schreef in bericht

news:e4eDVSPkIHA.1052@TK2MSFTNGP05.phx.gbl...

>

> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

> news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl...

>> The auditing settings I described logs -an IP address- in the event log

>> of your PDC DC comptroller, which I think is what you are looking for.

>> Are you really sure you've got your auditing set up correctly using group

>> policy?

>>

>> Once you have the IP address, we're ready for the next step... getting

>> even ;-)

>>

>> b.t.w. There is no 'lock' packet, the only way to lock an account is to

>> attempt to login with the wrong credentials a number of times.

>

> IMHO, you need not actually attempt to login, you only need to use the

> credentials with an incorrect password, which can be done in the context

> of a runas command, or using credentials to map a share. This is admitedly

> a trivial factoid, however, someone not realizing this might come to some

> invalid conclusions.

>

> /Al

>

>> with regards to WireShark; you could filter out Kerberos and/or NTLM, as

>> these take care of authentication. The rest can be left out.

>>

>> cheers,

>>

>> Paul

>>

>> just bob wrote:

>>> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking

>>> off as you describe. Also I'm pretty sure I have my logging setup OK as

>>> I am using a program to copy the logs from the OM to another machine and

>>> also it sends me an email when it sees a string which indicates an

>>> account is locked which is forwarded to my Blackberry. So I got the

>>> logging but... the problem is the guy is making up random names for the

>>> machine and it does not show me a IP address.

>>>

>>> I used wireshark and am capturing all traffic to the ops master. But I

>>> do not see any unknown IP addresses and I don't know wireshark well

>>> enough to know how to look for the packets causing the attack to

>>> determine if it *is* coming from one of my machines.

>>>

>>> Thanks again for your help.

>>>

>>>

>>> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message

>>> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...

>>>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.

>>>>

>>>> However, reading the below I'm getting a better impression of what is

>>>> happening. Microsoft IS giving you the correct information to find the

>>>> person doing this, depending on how you have things running.

>>>>

>>>> Forgive me if below I'm going too 'low level', it's pretty basic stuff,

>>>> but your mail sounds like your at the end of your rope, and I just want

>>>> to make sure we've covered all the bases, including the obvious ones.

>>>>

>>>> From what your writing this sounds like a brute force password guessing

>>>> tools that is being used against your administrative accounts. To start

>>>> there's a few things your can do with group policies to at least make

>>>> sure you don't get into trouble, while making things harder for the

>>>> 'hacker'.

>>>>

>>>> The following steps are just to 'temporarily protect yourself' while

>>>> investigating further, to make sure you accounts aren't getting locked

>>>> out. Again: I'm not trying to sound demeaning, just covering the

>>>> bases/basics, so I'll go through every step, even though this may be

>>>> peanuts for you.

>>>>

>>>> Chapter one: protection.

>>>>

>>>> In the Group and Policy Manager; make sure to edit the Default Domain

>>>> Policy and go to the Windows Settings\Security Settings\Account Lockout

>>>> Policy.

>>>>

>>>> Define the Account lockout duration to be not defined

>>>> Account lockout threshold: 0 invalid logon attempts

>>>> Reset account lockout counter after: not defined

>>>>

>>>> Now your accounts will no longer be locked out. Be careful, as this

>>>> also allows the hacker to run his tools now unlimitedly against the

>>>> accounts. (the lockout slowed him down considerably). I'm only

>>>> proposing this as you point our that you fear losing your

>>>> administrative accounts, but put this lockout threshold back in place

>>>> a.s.a.p. if you decide to go this route in the first place.

>>>>

>>>>

>>>> Chapter two: identifying the hacker

>>>>

>>>> This we can do by making sure Audit account logon events are being

>>>> audited correctly. To do this, we again are using Group Policy

>>>> Management and we'll define the Default Domain Controllers Policy.

>>>> INthat policy, go to Windows Settings\Security Settings\Local

>>>> Policies/Audit Policy and make sure to change 'Audit account logon

>>>> events'. See to it that Success as well as Failure (especially that

>>>> one) are being logged.

>>>>

>>>> To ensure your Domain controllers have the policy applied as quickly as

>>>> possible you might consider runninf 'GPUpdate /force' from the command

>>>> prompt on your CD's. Otherwise allow some time to pass.

>>>>

>>>> Now each logon event will get logges in the eventlog, with the IP

>>>> address of the person attempting to logon. The problem is that a user

>>>> can logon using any domain controller, however; each failed logon on

>>>> any DC gets 'double checked' by that DC by sending it to the domains

>>>> PDC emulator (on of the FSMO roles as you may recall) so it makes most

>>>> sense to check the eventlogs of the PCD emulator Domain Controller. You

>>>> can easily find out who the PDC emulator is by opening Active Directory

>>>> User and computers, right-clicking your domain name, and selecting

>>>> 'operations masters'.

>>>>

>>>> The event-ID you are looking for is event: 575, Source: Security,

>>>> Category: Account Logon.

>>>>

>>>> In the Description field you can see the user name of the account being

>>>> attempted, but more importantly: the IP number of the system from where

>>>> the attempt is being done.

>>>>

>>>>

>>>> I hope this helps you, sorry for wasting your time if you had already

>>>> done the above.

>>>>

>>>> regards,

>>>>

>>>> Paul

>>>>

>>>>

>>>>

>>>>

>>>> just bob wrote:

>>>>> Microsoft wizards please help me as I am desperate. Someone continues

>>>>> to lock all my admin accounts. My firewall is working properly

>>>>> (allowing only port 53) so I think the guy is using one of the 120

>>>>> PC's or another server on my network to read my user database and

>>>>> identify the admin accounts and send a command to lock them. We've got

>>>>> the latest Symantec antivirus corporate edition installed and updated

>>>>> on all the machines and it's supposed to identify spyware, etc. Why is

>>>>> it so easy for this guy to do this? I have downloaded all the high

>>>>> priority updates for all machines, servers and PC's. We've also used

>>>>> the server lockdown tool. Why doesn't this help? Most importantly, why

>>>>> does Microsoft not give me more detailed info on which machine this

>>>>> guy is using? The event log just has a random spoof machine name. Last

>>>>> time he did this he spoofed the machine name field to say "sorry". I

>>>>> got lucky there was one admin account he missed and I was able to

>>>>> unlock the accounts. Next time I fear I will not be so lucky.

>>>>>

>>>>> If there is a better group or forum to use or consultant I can call to

>>>>> get help please advise.

>>>

>