
mass account lockout: event id 539, 681

smileyca2002
Feb 18, 2003
Hello all,
Recently I am seeing all my user accounts get locked out overnight. I checked the event viewer and noticed that there are two events, 529 and 681, and see the following: "The logon to account: test111 by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: XYZ failed. The error code was 3221225578."
I've checked MS but had no luck on the remedy; it just tells me that the account is locked out due to a bad username or password, etc. The problem is ALL my user accounts get locked out. It seems like a brute force attempt at password cracking because each of my user accounts was locked out at a 4 sec interval.

I have set up group policy to lock out if there are five bad attempts. I see someone has posted this problem for Windows NT 4 but there is no solution. for those interested.

If anyone has any suggestions, please, please write. I appreciate any input.


Thanks to all.

Diana
 
I would have to agree with you and go with brute force attack. The attacker probably ain't tryin to get in but rather be more of a pest and lock out all the accounts so that you and/or others have to unlock them. Thus wasting time on your part.

I don't really have a solution to this, but the only advice I can give you is to keep a close watch on your event viewer for any successful logons around this time.

Good Luck

John
 
I am having the same problem as well, where all the user accounts got locked out due to 5 bad login attempts.

I read about something called a "Null Session" attack on Windows NT and 2000, in which hackers can utilize the "null session" to get domain user names with a blank username and password. Similar to anonymous logon.

To test if your server is vulnerable. has a software tool called InternetPeriscope and an explanation of the "Null Session" attack. Make sure you read the entire article on how to test if your server is vulnerable to the "Null Session" attack.

More detailed article posted by Please do a search on Restrict Anonymous or null session on securityfocus.com because I forgot the exact link (sorry)

I implemented the Null Session restriction yesterday and there were no accounts locked out this morning. Hope this helps. If you have any questions, let me know.

Thanks
 
Hi ysk9818,
Thanks for your post. I secured my server against the null session attack and it worked great... for a few days. As the article at securityfocus ( indicated that problems may arise, it did in my case. At any rate, I find the script file posted on another forum on this site extremely helpful. Hope this will help someone else.

Below is the script by thedorknextdoor ;)



' Lists locked-out accounts and offers to unlock each one.
' Replace "yourservername" and "yourdomainsuffix" with your own values.
On Error Resume Next   ' note: this also hides WMI/ADSI connection errors
strComputer = "yourservername"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount",,48)
count = 0
countUnlock = 0
For Each objItem in colItems
    If objItem.Lockout = True Then
        count = count + 1
        'Wscript.Echo "Description: " & objItem.Description
        'Wscript.Echo "Disabled: " & objItem.Disabled
        'Wscript.Echo "FullName: " & objItem.FullName
        'Wscript.Echo "Lockout: " & objItem.Lockout
        'Wscript.Echo "Name: " & objItem.Name
        'Wscript.Echo "PasswordChangeable: " & objItem.PasswordChangeable
        'Wscript.Echo "PasswordExpires: " & objItem.PasswordExpires
        'Wscript.Echo "PasswordRequired: " & objItem.PasswordRequired
        'Wscript.Echo "-----------------------------------------------------------"
        ' Ask before unlocking each account
        response = MsgBox("Unlock: " & objItem.Name, vbOKCancel)
        If response = vbOK Then
            Set UsrObj = GetObject("WinNT://yourdomainsuffix/" & objItem.Name)
            If UsrObj.IsAccountLocked = True Then
                UsrObj.IsAccountLocked = False
                UsrObj.SetInfo
                countUnlock = countUnlock + 1
            End If
        End If
    End If
Next
MsgBox "Locked: " & count & " Unlocked: " & countUnlock
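
The error code in the first post's event 681 message, 3221225578, is the decimal form of NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD). The following is an added example, not code from any poster in this thread: it decodes that field and flags a workstation that fails against many different accounts within a short window, which is the pattern described in the first post. The tab-separated export format, the extra account names, the DESK7 workstation and the timestamps are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes: event 681 logs them in decimal, Microsoft documents them in hex.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Message text as quoted in the first post (colons after "by"/"was" are optional).
MSG = re.compile(r"logon to account: (?P<account>\S+) by:? \S+ from workstation: "
                 r"(?P<ws>\S+) failed\. The error code was:? (?P<code>\d+)", re.I)

def decode_status(decimal_code):
    code = int(decimal_code)
    return "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN"))

def parse(lines):
    """Yield (time, workstation, account, status) for each event 681 line."""
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        m = MSG.search(parts[2]) if len(parts) == 3 and parts[1] == "681" else None
        if m:
            yield (datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"),
                   m["ws"], m["account"], decode_status(m["code"]))

def find_sweeps(events, min_accounts=3, window=timedelta(minutes=5)):
    """Map workstation -> accounts when it failed against many accounts within `window`."""
    by_ws = defaultdict(list)
    for ts, ws, account, _status in events:
        by_ws[ws].append((ts, account))
    sweeps = {}
    for ws, hits in by_ws.items():
        for start, _ in hits:
            accounts = {a for t, a in hits if timedelta(0) <= t - start <= window}
            if len(accounts) >= min_accounts:
                sweeps.setdefault(ws, set()).update(accounts)
    return {ws: sorted(accounts) for ws, accounts in sweeps.items()}

def _line(ts, account, ws):  # builds one constructed export line
    return ("%s\t681\tThe logon to account: %s by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
            "from workstation: %s failed. The error code was 3221225578" % (ts, account, ws))

# Constructed sample: test112, test113 and DESK7 are made-up names, times are invented.
SAMPLE = [_line("2003-01-01 02:00:00", "test111", "XYZ"),
          _line("2003-01-01 02:00:04", "test112", "XYZ"),
          _line("2003-01-01 02:00:08", "test113", "XYZ"),
          _line("2003-01-01 09:15:00", "test111", "DESK7")]
if __name__ == "__main__":
    print(find_sweeps(parse(SAMPLE)))
```

A single user mistyping a password shows up as one account per workstation and is not flagged; tune `min_accounts` and `window` to the lockout threshold in use.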
 