RE: Locked out local admin accounts...

["Ed Spencer" <espencer () usa net>]

It's going to sound crazy, and everyone can smack me if they like...
but...

Are you logging attempts on the local machines and not just the domains?
Often logging is set up on log in/out only on the domain controllers and
not the local workstations.

I'd also check to see if net use attempts against IPC$ are logged
properly (under older MS OS's they usually aren't).

You can check by performing 'net use \\remotemachine\ipc$
/user:remotemachine\administrator'

And then reviewing the logs on remotemachine for the attempt.

My guess is that someone is attempting to slowly brute the local admin
accounts or you have a script/service that uses an 'old' admin password
that's kicking off and eventually locking the accounts.  An example
would be what used to happen with Microsoft's SMS (ver. 1.x) if you
specified an account for use and then later changed the password (but
not within the service).  If you changed passwords recently I'd start
with anything that accesses machines remotely (backups, etc).


Good Luck,
Ed Spencer
Network Administrator
Aramark Corporation
Denali National Park.



-----Original Message-----
From: Ryan Murphy [mailto:RMurphy () irvinecompany com] 
Sent: Wednesday, August 11, 2004 2:22 PM
To: 'security-basics () securityfocus com'
Subject: Locked out local admin accounts...

In our environment today, local administrator accounts on workstations
and
servers have been getting locked out at an alarming rate. Nothing crazy
is
standing out on the IDS, and the security logs on the machines that are
having the administrator account locked out aren't showing any login
attempts. What could be going on here? We're a Win2000 environment, and
domain accounts seem to be unaffected, it's only the local administrator
accounts that are getting locked.

This is very bizarre.

Thanks for your help,

Ryan Murphy


 
============================= 
Notice to recipient:  This e-mail is meant for only the intended
recipient
of the transmission, and may be a confidential communication or a
communication privileged by law.  If you received this e-mail in error,
any
review, use, dissemination, distribution, or copying of this e-mail is
strictly prohibited.  Please notify us immediately of the error by
return
e-mail and please delete this message from your system.  Thank you in
advance for your cooperation. 

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.734 / Virus Database: 488 - Release Date: 8/4/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.734 / Virus Database: 488 - Release Date: 8/4/2004
 



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------