The clients on my W2K network often get locked out, but
the lockouts (and unlocks) do not always show up in the
Security Event Log. I've got 4 locations, 2 DCs each
location, and I've checked every DC event log, but I just
can't find the entries sometimes. Any ideas?
Thanks in advance.

Craig.

First off check your firewall configuration to make sure that internet hackers do not
have access to your network. Ideally you should scan your firewall yourself from
outside the network. You can also go to one of the self scan sites such as
http://scan.sygatetech.com/. In particular you do not want any file and print sharing
ports open to the world such as 135,137,138,139,445 though other port access can also
cause the problem and a default block all rule is best with access just to needed
ports for internet users IF any.

Then make sure your account lockout policy threshold is at least ten bad attempts
[assuming strong passwords are enforced] per MS recommendations as one bad logon
attempt can cause the counter to increment more than a few times, though I doubt that
is your problem. You want to find the failed logon attempts that are causing the
lockouts and what user account/computer is causing them. At minimum you want auditing
of account management and account logon events on your domain controllers and
auditing of logon events on any servers offering shares to users. You may have to
enable auditing of logon events on every computer in the domain to track down the
failed logons as the account lockouts can be by failed access to any computer in the
domain that has file and print sharing enabled on it. You can then view your logs or
failed logon attempts and use the free Event Comb from Microsoft to scan the logs of
multiple computers locking for specific events. Once you know where the failed
attempts are originating from you can go from there and see if there is a malicious
user, compromised/infected computer, expired passwords, etc. The link below is very
good on tacking down account lockouts, explaining event ids, and includes some tools
to assist such as Event Comb. --- Steve

[url]http://www.microsoft.com/technet/security/guidance/secmod144.mspx[/url]
[url]http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en[/url]

"Craig" wrote in message
news:1be9101c45225$19157240$a601280a@phx.gbl...[color=blue]
> The clients on my W2K network often get locked out, but
> the lockouts (and unlocks) do not always show up in the
> Security Event Log. I've got 4 locations, 2 DCs each
> location, and I've checked every DC event log, but I just
> can't find the entries sometimes. Any ideas?
> Thanks in advance.
>
> Craig.
>[/color]

Thank you so much, Steve for your reply.
This particulay network is not connected to the Internet
but the information you provided is definitely valuable.
We have auditing enabled for both account management and
account logon events. Our account lockout policy is 3 bad
attempts (w/o strong passwords enabled). Yet, an account
can get locked out, but with Eventcomb I still cannot find
the entry in the Security log. I'll turn on auditing for
all the client PCs on the network and see what shows up.
Do you know if this is a big impact for the network or
just the local PC? Thanks in advance, Steve.

Craig.
[color=blue]
>-----Original Message-----
>First off check your firewall configuration to make sure[/color]
that internet hackers do not[color=blue]
>have access to your network. Ideally you should scan your[/color]
firewall yourself from[color=blue]
>outside the network. You can also go to one of the self[/color]
scan sites such as[color=blue]
>http://scan.sygatetech.com/. In particular you do not[/color]
want any file and print sharing[color=blue]
>ports open to the world such as 135,137,138,139,445[/color]
though other port access can also[color=blue]
>cause the problem and a default block all rule is best[/color]
with access just to needed[color=blue]
>ports for internet users IF any.
>
>Then make sure your account lockout policy threshold is[/color]
at least ten bad attempts[color=blue]
>[assuming strong passwords are enforced] per MS[/color]
recommendations as one bad logon[color=blue]
>attempt can cause the counter to increment more than a[/color]
few times, though I doubt that[color=blue]
>is your problem. You want to find the failed logon[/color]
attempts that are causing the[color=blue]
>lockouts and what user account/computer is causing them.[/color]
At minimum you want auditing[color=blue]
>of account management and account logon events on your[/color]
domain controllers and[color=blue]
>auditing of logon events on any servers offering shares[/color]
to users. You may have to[color=blue]
>enable auditing of logon events on every computer in the[/color]
domain to track down the[color=blue]
>failed logons as the account lockouts can be by failed[/color]
access to any computer in the[color=blue]
>domain that has file and print sharing enabled on it. You[/color]
can then view your logs or[color=blue]
>failed logon attempts and use the free Event Comb from[/color]
Microsoft to scan the logs of[color=blue]
>multiple computers locking for specific events. Once you[/color]
know where the failed[color=blue]
>attempts are originating from you can go from there and[/color]
see if there is a malicious[color=blue]
>user, compromised/infected computer, expired passwords,[/color]
etc. The link below is very[color=blue]
>good on tacking down account lockouts, explaining event[/color]
ids, and includes some tools[color=blue]
>to assist such as Event Comb. --- Steve
>
>[url]http://www.microsoft.com/technet/security/guidance/secmod1[/url][/color]
44.mspx[color=blue]
>[url]http://www.microsoft.com/downloads/details.aspx?[/url][/color]
FamilyId=7AF2E69C-91F3-4E63-8629-
B999ADDE0B9E&displaylang=en[color=blue]
>
>"Craig" wrote in[/color]
message[color=blue]
>news:1be9101c45225$19157240$a601280a@phx.gbl...[color=green]
>> The clients on my W2K network often get locked out, but
>> the lockouts (and unlocks) do not always show up in the
>> Security Event Log. I've got 4 locations, 2 DCs each
>> location, and I've checked every DC event log, but I[/color][/color]
just[color=blue][color=green]
>> can't find the entries sometimes. Any ideas?
>> Thanks in advance.
>>
>> Craig.
>>[/color]
>
>
>.
>[/color]

It should not be a big impact either way and is needed to help locate those failed
logons. There is a difference between account logon and logon events. You want to
enable auditing of logon events for at least failure on your other machines and then
scan the logs for failures or manually check some of them remotely which you can do
with Event Viewer. An account lockout threshold of three is too low in my opinion and
will cause "false" lockouts though if you have had that enabled for a while and the
lockouts are a new problem then you probably have some other issue. Network scanning
software such as Microsoft Baseline Security Analyzer can also trigger account
lockouts. --- Steve

[url]http://www.microsoft.com/downloads/details.aspx?FamilyID=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e&displaylang=en[/url]
--- good MS white paper on account lockout policy.

"Craig" wrote in message
news:1bfe001c4523b$48d84e60$a601280a@phx.gbl...[color=blue]
> Thank you so much, Steve for your reply.
> This particulay network is not connected to the Internet
> but the information you provided is definitely valuable.
> We have auditing enabled for both account management and
> account logon events. Our account lockout policy is 3 bad
> attempts (w/o strong passwords enabled). Yet, an account
> can get locked out, but with Eventcomb I still cannot find
> the entry in the Security log. I'll turn on auditing for
> all the client PCs on the network and see what shows up.
> Do you know if this is a big impact for the network or
> just the local PC? Thanks in advance, Steve.
>
> Craig.
>[color=green]
> >-----Original Message-----
> >First off check your firewall configuration to make sure[/color]
> that internet hackers do not[color=green]
> >have access to your network. Ideally you should scan your[/color]
> firewall yourself from[color=green]
> >outside the network. You can also go to one of the self[/color]
> scan sites such as[color=green]
> >http://scan.sygatetech.com/. In particular you do not[/color]
> want any file and print sharing[color=green]
> >ports open to the world such as 135,137,138,139,445[/color]
> though other port access can also[color=green]
> >cause the problem and a default block all rule is best[/color]
> with access just to needed[color=green]
> >ports for internet users IF any.
> >
> >Then make sure your account lockout policy threshold is[/color]
> at least ten bad attempts[color=green]
> >[assuming strong passwords are enforced] per MS[/color]
> recommendations as one bad logon[color=green]
> >attempt can cause the counter to increment more than a[/color]
> few times, though I doubt that[color=green]
> >is your problem. You want to find the failed logon[/color]
> attempts that are causing the[color=green]
> >lockouts and what user account/computer is causing them.[/color]
> At minimum you want auditing[color=green]
> >of account management and account logon events on your[/color]
> domain controllers and[color=green]
> >auditing of logon events on any servers offering shares[/color]
> to users. You may have to[color=green]
> >enable auditing of logon events on every computer in the[/color]
> domain to track down the[color=green]
> >failed logons as the account lockouts can be by failed[/color]
> access to any computer in the[color=green]
> >domain that has file and print sharing enabled on it. You[/color]
> can then view your logs or[color=green]
> >failed logon attempts and use the free Event Comb from[/color]
> Microsoft to scan the logs of[color=green]
> >multiple computers locking for specific events. Once you[/color]
> know where the failed[color=green]
> >attempts are originating from you can go from there and[/color]
> see if there is a malicious[color=green]
> >user, compromised/infected computer, expired passwords,[/color]
> etc. The link below is very[color=green]
> >good on tacking down account lockouts, explaining event[/color]
> ids, and includes some tools[color=green]
> >to assist such as Event Comb. --- Steve
> >
> >[url]http://www.microsoft.com/technet/security/guidance/secmod1[/url][/color]
> 44.mspx[color=green]
> >[url]http://www.microsoft.com/downloads/details.aspx?[/url][/color]
> FamilyId=7AF2E69C-91F3-4E63-8629-
> B999ADDE0B9E&displaylang=en[color=green]
> >
> >"Craig" wrote in[/color]
> message[color=green]
> >news:1be9101c45225$19157240$a601280a@phx.gbl...[color=darkred]
> >> The clients on my W2K network often get locked out, but
> >> the lockouts (and unlocks) do not always show up in the
> >> Security Event Log. I've got 4 locations, 2 DCs each
> >> location, and I've checked every DC event log, but I[/color][/color]
> just[color=green][color=darkred]
> >> can't find the entries sometimes. Any ideas?
> >> Thanks in advance.
> >>
> >> Craig.
> >>[/color]
> >
> >
> >.
> >[/color][/color]