How to catch someone deliberately locking someone else's account

Terry

W2K AD, all auditing enabled, general access student labs.
Is there an easy way to make the event log send an email
notification to an administrator when a harassed
person's account is accessed with a failed logon attempt,
account lockout, etc. Culprit could be caught if timely
event check, but difficult to justify watching the water
boil type event monitoring.
Zero budget, so any app would need to be freeware.
Your thoughts apprec.
 
Steven L Umbach

I know of no way to do that with native W2K. You may want to install the
acctinfo.dll that will add an extra page to the user's account properties that will tell
you when the account was locked out. Then you could examine your security logs,
possibly using EventComb, for lockouts at that particular time. The log should show
the source domain computer that the logon attempt came from and you can go from
there. I would also have users sign a computer user policy that states what the
consequences of malicious behavior like this would be. --- Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://tinyurl.com/a5zj --- Same link as above, shorter on account lockout
tools/whitepaper.
http://tinyurl.com/gt83
 
Karl Levinson [x y] mvp

Keep in mind that this might not be an attack. A very common cause is the
user's password changed recently, and she is logged into more than one
workstation or there is a Windows service or a network drive letter mapping
within Windows on one of the computers with an old cached password.

Besides the name of the account being "attacked," Windows auditing will only
tell you the netbios computer name it came from. If the computer is not on
the network, you may have trouble finding out where it actually came from.
You may want to start logging IP traffic to your domain controllers using
routers, switches, sniffers or firewalls. This is the only way I know of to
get the source IP address of the machine in question prior to Windows 2003
Server. Ethereal is a free sniffer, and www.kerio.com and www.sygate.com
are free firewalls.

http://securityadmin.info/faq.htm#sniffer

Commands such as: NETSTAT -A ipaddress might also be helpful.

The getacct utility free from www.securityfriday.com can let you enumerate a
bunch of information from a windows computer remotely, such as all the login
IDs set up on it, which may also be informative.

All of these only work as long as the computer is still reachable on the
network.

You could also choose to try sending a popup message to the computer using
the NET SEND computername "message" command.
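Terry asked for an automated e-mail when a watched account racks up failed logons or a lockout, Steve suggested pulling the source computer out of the security log, and Karl cautioned that a stale cached password on one workstation produces the same events as a harasser. The script below is an added example (not from any poster in this thread) that ties those three points together: it parses a CSV export of a domain controller's security log, keeps only failed-logon and lockout events for the watched account, groups them by the NetBIOS source workstation the log records, and builds the alert message an administrator would receive. The event IDs 529, 539 and 644 are the real Windows 2000 IDs for bad-password logon failure, logon against a locked account, and account lockout; the CSV column layout, the sample records, the account and workstation names, and the mail addresses are all constructed for the example, so a real dump from dumpel or EventComb needs its own column mapping.

```python
import csv
import io
from collections import Counter, defaultdict
from email.message import EmailMessage

# Windows 2000 security-log event IDs (real IDs; everything else below is
# constructed for this example, not output from a real domain controller).
LOGON_FAILURE = 529      # logon failure: unknown user name or bad password
LOGON_LOCKED = 539       # logon attempt against an account that is already locked out
ACCOUNT_LOCKOUT = 644    # user account locked out
WATCHED_EVENTS = {LOGON_FAILURE, LOGON_LOCKED, ACCOUNT_LOCKOUT}

# Constructed CSV export of a domain controller's security log. The column
# layout is hypothetical; a real dump (dumpel, EventComb, a saved .csv from
# Event Viewer) needs its own column mapping.
SAMPLE_LOG = """\
time,event_id,account,workstation
2004-03-01 08:01:12,529,jsmith,LAB-PC-17
2004-03-01 08:01:20,529,jsmith,LAB-PC-17
2004-03-01 08:01:27,529,jsmith,LAB-PC-17
2004-03-01 08:01:35,644,jsmith,LAB-PC-17
2004-03-01 08:02:03,539,jsmith,LAB-PC-17
2004-03-01 08:05:41,529,bjones,LAB-PC-02
2004-03-01 08:10:00,528,jsmith,LAB-PC-03
"""


def parse_log(text):
    """Turn a CSV export into a list of dicts with event_id as an int."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "time": row["time"],
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "workstation": row["workstation"],
        })
    return records


def suspicious_events(records, watched_account):
    """Failed logons and lockouts against one account (the harassed user)."""
    return [r for r in records
            if r["account"] == watched_account and r["event_id"] in WATCHED_EVENTS]


def summarize_by_source(events):
    """Map NetBIOS workstation name -> Counter of event IDs seen from it.

    The log only names the source workstation, so this is the pivot point.
    One workstation retrying at a steady cadence right after a password change
    is the stale-cached-credential pattern Karl describes, not a person.
    """
    by_ws = defaultdict(Counter)
    for e in events:
        by_ws[e["workstation"]][e["event_id"]] += 1
    return by_ws


def lockout_sources(events):
    """Workstations from which an actual lockout (event 644) was recorded."""
    return sorted({e["workstation"] for e in events if e["event_id"] == ACCOUNT_LOCKOUT})


def build_alert(watched_account, events, sender, admin_addr):
    """Compose the notification e-mail; returns None when there is nothing to report."""
    if not events:
        return None
    summary = summarize_by_source(events)
    lines = [f"{len(events)} failed-logon/lockout events for account {watched_account}:"]
    for ws, counts in sorted(summary.items()):
        detail = ", ".join(f"{n}x event {eid}" for eid, n in sorted(counts.items()))
        lines.append(f"  from {ws}: {detail}")
    locked = lockout_sources(events)
    if locked:
        lines.append(f"Lockout (event {ACCOUNT_LOCKOUT}) originated from: {', '.join(locked)}")
    lines.append(f"First event: {events[0]['time']}, last event: {events[-1]['time']}")
    msg = EmailMessage()
    msg["Subject"] = f"[lockout watch] {watched_account}: {len(events)} events"
    msg["From"] = sender
    msg["To"] = admin_addr
    msg.set_content("\n".join(lines))
    # To deliver it: smtplib.SMTP("mailhost.example").send_message(msg)
    return msg


if __name__ == "__main__":
    evts = suspicious_events(parse_log(SAMPLE_LOG), "jsmith")
    print(build_alert("jsmith", evts, "dc1@lab.example", "admin@lab.example"))
```

Run on a fresh export from a scheduled task (or from each EventComb pass) and the administrator gets the "timely event check" without anyone watching the water boil; the per-workstation breakdown is what lets you walk to the right lab machine, or recognise that the "attacker" is the user's own second session with an old password.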
 
Steven L Umbach

I think you may have meant the nbtstat -A ipaddress command? The newer
Superscan v4.0 from Foundstone also does a whole lot more than the old one
including a page on enumerating a bunch of stuff. --- Steve

http://tinyurl.com/cvsi -- link to Superscan v4.0


Karl Levinson [x y] mvp said:
http://securityadmin.info/faq.htm#sniffer

Commands such as: NETSTAT -A ipaddress might also be helpful.

The getacct utility free from www.securityfriday.com can let you enumerate a
bunch of information from a windows computer remotely, such as all the login
IDs set up on it, which may also be informative.

All of these only work as long as the computer is still reachable on the
network.

You could also choose to try sending a popup message to the computer using
the NET SEND computername "message" command.



Terry said:
W2K AD, all auditing enabled, general access student labs.
Is there an easy way to make the event log send an email
notification to an administrator when a harassed
person's account is accessed with a failed logon attempt,
account lockout, etc. Culprit could be caught if timely
event check, but difficult to justify watching the water
boil type event monitoring.
Zero budget, so any app would need to be freeware.
Your thoughts apprec.
 
Karl Levinson [x y] mvp

You are of course right, it was late and I was multitasking. NBTSTAT -A is
the right command.


Steven L Umbach said:
I think you may have meant the nbtstat -A ipaddress command? The newer
Superscan v4.0 from Foundstone also does a whole lot more than the old one
including a page on enumerating a bunch of stuff. --- Steve

http://tinyurl.com/cvsi -- link to Superscan v4.0


Karl Levinson [x y] mvp said:
http://securityadmin.info/faq.htm#sniffer

Commands such as: NETSTAT -A ipaddress might also be helpful.