Keep in mind that this might not be an attack. A very common cause is that the
user's password changed recently, and she is logged into more than one
workstation or there is a Windows service or a network drive letter mapping
within Windows on one of the computers with an old cached password.

Besides the name of the account being "attacked," Windows auditing will only
tell you the NetBIOS computer name it came from. If the computer is not on
the network, you may have trouble finding out where it actually came from.

You may want to start logging IP traffic to your domain controllers using
routers, switches, sniffers or firewalls. This is the only way I know of to
get the source IP address of the machine in question prior to Windows 2003
Server. Ethereal is a free sniffer, and www.kerio.com and www.sygate.com
are free firewalls.
http://securityadmin.info/faq.htm#sniffer

Commands such as: NETSTAT -A ipaddress might also be helpful.

The getacct utility free from www.securityfriday.com can let you enumerate a
bunch of information from a Windows computer remotely, such as all the login
IDs set up on it, which may also be informative.
All of these only work as long as the computer is still reachable on the
network.

You could also choose to try sending a popup message to the computer using
the NET SEND computername "message" command.

"Terry" wrote in message news:089301c3a8a5$f365ef80$a101280a@phx.gbl...
> W2K AD, all auditing enabled, general access student labs.
> Is there an easy way to make the event log send an email
> notification to an administrator when a harassed
> person's account is accessed with a failed logon attempt,
> account lockout, etc. Culprit could be caught if timely
> event check, but difficult to justify watching the water
> boil type event monitoring.
> zero budget, so any app would need to be freeware.
> Your thoughts apprec.
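
Added example, not part of the original post or the quoted question: one way to act on the reply's first point, that repeated failures may be a stale cached password rather than an attack. It groups failed logons by account and source NetBIOS name and compares the first failure with the last password change; the record layout, the sample data and the three-day, single-workstation heuristic are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (time, account, NetBIOS workstation name) per failed logon.
FAILURES = [
    ("2003-11-11 08:00:05", "jsmith", "LAB2-PC07"),
    ("2003-11-11 08:15:05", "jsmith", "LAB2-PC07"),
    ("2003-11-11 08:30:06", "jsmith", "LAB2-PC07"),
    ("2003-11-11 13:02:10", "mlee", "LAB1-PC03"),
    ("2003-11-11 13:02:40", "mlee", "LAB4-PC11"),
    ("2003-11-11 13:03:15", "mlee", "LAB1-PC03"),
]
# Constructed: last password change per account (keys in lower case).
PWD_LAST_SET = {"jsmith": "2003-11-10 16:30:00", "mlee": "2003-09-01 09:00:00"}


def triage(failures, pwd_last_set, window=timedelta(days=3)):
    # Heuristic (assumption of this example): failures from a single workstation
    # that begin within `window` after a password change look like a stale
    # cached credential; everything else is left for investigation.
    by_account = defaultdict(list)
    for ts, account, workstation in failures:
        by_account[account.lower()].append((datetime.strptime(ts, FMT), workstation.upper()))

    report = {}
    for account, events in by_account.items():
        events.sort()
        first_seen = events[0][0]
        sources = sorted({ws for _, ws in events})
        changed = pwd_last_set.get(account)
        since_change = first_seen - datetime.strptime(changed, FMT) if changed else None
        stale = (since_change is not None
                 and timedelta(0) <= since_change <= window
                 and len(sources) == 1)
        report[account] = {
            "failures": len(events),
            "sources": sources,
            "verdict": "likely stale cached password" if stale else "investigate",
        }
    return report


if __name__ == "__main__":
    for account, row in triage(FAILURES, PWD_LAST_SET).items():
        print(account, row["failures"], ",".join(row["sources"]), row["verdict"])
```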