All Domain Admin Accounts Locked

W

William Flavin

Over the past couple of weeks I've noticed the Security Event Log on
one of my Windows 2000 Domain Controllers filling up with these
events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/19/2003
Time: 2:48:52 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX-XXX
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: (an account in the domain admin group)
Domain: CHRISTO
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CHRISTO


There are dozens of these events as it seems to attempt a logon with
every username in the domain admins group, locking out each account.
As I said this happens once or twice a day. This server does not run
any web services and is not NATed to any public address in our
router/firewall. I just can't figure out where these logon attempts
are coming from. The Domain and Workstations listed in the events are
not from our network. These attempts must be coming from the internet,
but I can't figure out how. We do have some systems NATed to public
addresses, Win2K web servers and DNS servers running Linux. The server
in question has Service Pack 4 and is fully up-to-date with Windows
Updates. I've been searching for help with this, but haven't found any
meaningful information. I hope someone might have some insight. Thanks
in advance.
 
L

Lanwench [MVP - Exchange]

What inbound ports do you have open in your firewall? Any wireless
networking at all?
 
L

Lanwench [MVP - Exchange]

Are authenticated users allowed to relay? If you don't have any POP users,
uncheck that...just one thing to look at. I'd post in m.p.exchange for more
info on how to get detailed logging set up...

William said:
There are no ports open to this server from the firewall/router. As I
stated above, we do have other servers with ports open to the
internet. Web servers with ports 80 and 443 open. Linux DSN servers
with port 53 open and VPN servers only open to GRE and port 1723.
Also, one Exchange server with ports 25 and 80 open. That's it. No
wireless equipment is in use.

One other thing I want to mention is that the event logs show attempts
from many different machine names. It never seems to be the same
machine name making these attempts. I would like to find some way to
log the source IP of these attempts, but I haven't figured it out yet.


"Lanwench [MVP - Exchange]"
What inbound ports do you have open in your firewall? Any wireless
networking at all?
Click to expand...
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Password checking is running-please help 3
537 errors due to manual services being started 0
Unexplained 540 Events in Security log on W2K workstation in a dom 0
680 & 529 Failure Audits 1
Security Event 529 1
Failure Audit Question 2
Security Event ID 529 & 681 / source= outside domains 1
Help, strange failed login attempt 1

Top