Security Help 2003 please

Hi all,

Fairly new to Server 2003, but I keep getting this problem whereby my user account gets locked out overnight. I can only assume it's a colleague or an attack of some kind on our server. We are using remote desktop; without disrupting everyone else, is there any way to increase security on the server/stop this from happening? I have checked the logs and all it says is ANONYMOUS LOGON, and under the category it says Logon/Logoff. If a colleague or myself logs on it has our username, so I can only assume it's a hack attempt or something similar.

Cheers

BH
 
If group policy enforces password changes periodically then you could have a dead terminal services session lying around locking your account out periodically (it continues to attempt authentication using your "old" credentials).

Get someone to pull the security event logs from a domain controller on your network and get them to look for failure audits for your login, it'll tell you where the rogue logins are coming from and go from there.

--
Richard.
 
Cheers, I've looked at all the logs and there's no failed logon attempts, which is confusing.
 
Definitely sounds like some kind of scheduled event is trying to authenticate against your user account but with a blank or old password.

Any scheduled tasks set up for overnight which are trying to use your account?
 
If you disconnect your desktop from the network (literally pull the ethernet cable out) then reboot - can you login with cached credentials?

If so then your password on the domain is definitely either being changed or locked out by something.
 
Irrespective of what's doing it, getting a helpful sys-admin to look through the security event logs on one (or several) of your domain controllers for failure audits for your account is going to be the best starting point. A server name, or IP address may well jog your memory. It could be all sorts of things locking it out, such as:

  • Rogue terminal service session
  • Scheduled task
  • Mapped drive
  • Running a service using your named account credentials
  • Someone who hates you and wants to boil your bunny (ok, maybe not)
--
Richard
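
The failure-audit triage suggested above, as an added example that is not part of the original thread: it groups failed authentications for one account by the machine or address they came from and lists the machine named in any lockout event. The event IDs are the Windows Server 2003 Security-log ones; the record layout, host names, addresses and the jsmith account are constructed for illustration.

```python
import re
from collections import Counter

# Windows Server 2003 Security-log event IDs:
# 529 bad password, 539 logon attempt while locked out,
# 675 Kerberos pre-authentication failed, 680 NTLM credential check,
# 644 user account locked out (logged as a Success audit).
FAILURE_IDS = {529, 539, 675, 680}
LOCKOUT_ID = 644

ACCOUNT_RE = re.compile(
    r"(?:User Name|Logon account|Target Account Name):\s*(\S+)", re.I)
SOURCE_RE = re.compile(
    r"(?:Client Address|Workstation Name|Source Workstation|Caller Machine Name):\s*(\S+)",
    re.I)

# Constructed sample records (event id, audit type, message); not real log data.
SAMPLE = [
    (680, "Success", "Logon account: bh Source Workstation: WS-BH Error Code: 0x0"),
    (529, "Failure", "Logon Failure: Reason: Unknown user name or bad password "
                     "User Name: jsmith Domain: DOM Logon Type: 3 Workstation Name: WS-07"),
    (675, "Failure", "Pre-authentication failed: User Name: bh "
                     "Failure Code: 0x18 Client Address: 10.0.0.23"),
    (529, "Failure", "Logon Failure: Reason: Unknown user name or bad password "
                     "User Name: bh Domain: DOM Logon Type: 10 Workstation Name: TS01"),
    (680, "Failure", "Logon account: bh Source Workstation: TS01 Error Code: 0xC000006A"),
    (680, "Failure", "Logon account: bh Source Workstation: TS01 Error Code: 0xC000006A"),
    (644, "Success", "User Account Locked Out: Target Account Name: bh "
                     "Caller Machine Name: TS01 Caller User Name: DC01$"),
]

def lockout_sources(events, account):
    """Return (failure count per source, machines named in lockout events)."""
    failures, lockouts = Counter(), []
    for event_id, audit_type, message in events:
        acct = ACCOUNT_RE.search(message)
        if not acct or acct.group(1).lower() != account.lower():
            continue  # event is about a different account
        src = SOURCE_RE.search(message)
        source = src.group(1) if src else "(no source recorded)"
        if event_id == LOCKOUT_ID:
            lockouts.append(source)
        elif event_id in FAILURE_IDS and audit_type == "Failure":
            failures[source] += 1
    return failures, lockouts

if __name__ == "__main__":
    failures, lockouts = lockout_sources(SAMPLE, "bh")
    for source, count in failures.most_common():
        print(f"{count:3d} failed logons from {source}")
    print("lockout triggered from:", ", ".join(lockouts) or "none recorded")
```

If this returns nothing for an account that is locking out, check that failure auditing for logon and account logon events is enabled on the domain controllers and that every DC's log was included.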
 
Thanks, I've checked all these. The log reports no failed account logon attempts, so it points towards something running trying to authenticate. For now I've just turned off the account lockout policy as I don't have time to waste figuring this out; from a quick look there's absolutely nothing left running on my account. Oh well, nvm. Thanks for all your help guys.
 