Re: Active Directory Lockout Log Tools

[Kevin Ledbetter <kevin.ledbetter () VALPO EDU>]

We use ManageEngine's ADAudit.  Most of our lockouts are from users
changing their passwords on our in-house password management system while
being logged into other PC's with cached credentials.  ADAudit makes it
easy to identify the PC without needing to look through Event logs on
multiple DCs.


On Mon, Oct 29, 2018 at 12:43 PM Childs, Aaron <aaron () westfield ma edu>
wrote:

> Good Afternoon Justin,
>
>
>
> We too have been experiencing an increased occurrence of account
> lockouts.  We found many connections originating from Russia, Iran, Brazil,
> and Mexico were attempting brute force attacks on the IMAP service to our
> Exchange environment.  We found this by reports from our load balancer (to
> point us to IMAP) then we setup a logging rule on our firewall which showed
> us the originating IPs.
>
>
>
> Have a good day,
> Aaron
>
>
>
> *Aaron Childs*, Director
>
> [image: cid:image006.jpg@01D2D928.B291E230]
>
> Infrastructure Services
>
> *Information Technology Services*
>
> Wilson Hall - 577 Western Ave. Westfield MA 01086
>
> *P*  413.572.*5527*   *F* 413.572.5615
>
> aaron () westfield ma edu
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Justin Hensley
> *Sent:* Monday, October 29, 2018 11:38 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Active Directory Lockout Log Tools
>
>
>
> Caution External Email: This email originated outside of WSU. Do not
> click links, open attachments, or respond if it appears to be suspicious.
>
> Hello All:
>
> We have been encountering an increased occurrence of user accounts being
> locked due to our AD lockout policy.  In the past, almost all of these
> issues have been due to a user having a bad password in one of our
> university systems that kept attempting to autologin and caused the
> lockout.  However, we now believe that attackers are attempting to brute
> force the password with a known username on some accounts.  Would anyone
> have an suggestions on a quicker way to track this activity back to an IP
> than sorting through all the AD logs?  Are there any tools out there to
> help with this?
>
>
>
> Thanks.
>
>
>
> *Justin O. Hensley, CEH, CISSP*
> University of the Cumberlands
> Director of Information Security
> Division of Information Services
> Gatliff Administration Building | Lower Level | Room 008
> 104 Maple Street, Williamsburg, KY, 40769
> 606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
> justin.hensley () ucumberlands edu
>
> www.ucumberlands.edu
>
>
>
> CONFIDENTIALITY: This email (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you received this email in error,
> please notify the sender and delete this email from your system. Thank you.


-- 
Kevin Ledbetter
Systems Security Administrator
Office of Information Technology
Valparaiso University
1700 Chapel Drive
Valparaiso, IN 46383
219.464.6191
Staff Employee Advocacy Council
University Council - Executive Committee
Kevin.Ledbetter () valpo edu