From: Dave (dauerncox.net)
Date: Thu May 09 2002 - 14:38:20 CDT
I feel I should give a little background on my company's situation before
continuing. Our "admin" (quoted because he is a consultant who doesn't
deserve the title) does a very bad job of securing our network. Security
by obscurity seems to be his way of thinking in regard to us... nobody
knows about us, so nobody will hack us, right? One eye-opening example of
his attitude is the admin password on our server (the server in question).
It was blank (that's right, NO password) until I complained enough to get
it changed. I have so many more, but that one fits the bill.
>1) If your users have signed on and
>ignored the "Your password is about to
>expire, Do you want to change it now?"
>dialog and said no, then left their
>machines on, it will keep trying to
>use the password they gave it at the
>beginning of the session.
This is not the case, since most of the users don't have to change their
passwords. Most of them are set to never expire... that's another thing
that will change in the future.
>2) Since it is happening only on 98
>machines, that makes me think of the
>Windows Password. Some of my people
>changed their password while offline
>or at home, and subsequently, the
>domain password didn't change, just the
>Windows Password. This got them out
>of sync, and they had to type in two
>passwords to get in when they reconnected
>to the net. (The "old" domain
>password, and the "new" Windows password.)
>I doubt you would have done
>this, but it may somehow be related.
This happens quite frequently with users that actually have to
change their passwords (but in the reverse order). They change their
domain password but not their Windows password. I've got a few trained.
You are right in assuming this is not the case with me, and I'm sure this
is not the problem either.
>Also, this could be the result of an
>attack. If someone gained access to
>a list of login names (perhaps a
>former employee) and is going through
>the list trying to guess or brute
>force a password, this could lead to
>account lockout. Do you have security
>auditing enabled and are you logging
>successful and failed login attempts?
I don't think it is an attack, but I don't have proof otherwise. I'm still
looking into IDS and sniffing. It happens too infrequently and
sporadically in my opinion. We didn't have any auditing enabled, but I
just enabled successful and failed login attempts. Maybe that
will turn up something.
>I hope this helps.
I appreciate it.
>Most likely it's a lockout from invalid
>password attempts. This happens to us
>with users who move from desk to desk and
>don't notice the username isn't theirs in
>the login box. The other possibility is
>someone is running a brute force account
>attack on your server. If you've run a
>security audit tool, sometimes they default
>to check common password combinations on a
>domain which may also trigger the lockouts.
As mentioned above, I have now enabled logging of successful and failed
login attempts, so we shall see... We haven't run any security audit
tools lately or ever... The only thing along those lines I have ever done
is a port scan. That will change soon.
You guys must be disgusted with this insecure network... I know I am.
Thanks again for your suggestions!
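
The replies quoted in this message offer two competing explanations for the lockouts: a workstation retrying a stale or out-of-sync password, or someone guessing through a list of login names. Once failed-logon auditing is enabled, grouping the failures by source host separates the two. The following is an added example, not part of the original message; the record format, host names, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format): date time account source-host result
SAMPLE = """\
2002-05-09 08:01:10 jsmith WS-98-04 FAIL
2002-05-09 08:01:40 jsmith WS-98-04 FAIL
2002-05-09 08:02:15 jsmith WS-98-04 FAIL
2002-05-09 09:15:02 mbrown WS-98-07 FAIL
2002-05-09 09:15:20 mbrown WS-98-07 OK
2002-05-09 13:40:01 adavis HOST-X FAIL
2002-05-09 13:40:03 bjones HOST-X FAIL
2002-05-09 13:40:05 cwhite HOST-X FAIL
2002-05-09 13:40:07 dlee HOST-X FAIL
"""

def parse(text):
    """Turn the text records into (timestamp, account, source, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            day, clock, account, source, result = line.split()
            ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
            events.append((ts, account.lower(), source, result))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=30), many=3, repeat=3):
    """Label each source host by the shape of its failed logons inside a sliding window."""
    fails = defaultdict(list)
    for ts, account, source, result in events:
        if result == "FAIL":
            fails[source].append((ts, account))
    verdicts = {}
    for source, items in fails.items():
        accounts_hit = most_repeats = 0
        for i, (start, _) in enumerate(items):
            seen = [acct for ts, acct in items[i:] if ts - start <= window]
            accounts_hit = max(accounts_hit, len(set(seen)))
            most_repeats = max(most_repeats, max(seen.count(a) for a in set(seen)))
        if accounts_hit >= many:
            verdicts[source] = "many-accounts"          # guessing through a list of login names
        elif most_repeats >= repeat:
            verdicts[source] = "single-account-repeat"  # stale or out-of-sync saved password
        else:
            verdicts[source] = "isolated"               # ordinary typo
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify_sources(parse(SAMPLE)).items()):
        print(f"{host:10} {verdict}")
```

A "single-account-repeat" source also matches the desk-to-desk case from the last reply, where a user keeps typing a password against someone else's username.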