I've enabled a lockout threshold on our domain now and my DC audit log is FILLED with 4740 "A user account was locked out" for the Domain Administrator account; however, it is NOT locked out and the Caller Computer Name is blank. Any ideas what's going on here? It's a Server 2012 DC.
1. That account can never actually be locked out; it's a protection mechanism. 2. A blank computer name could mean several things - do you have any services exposed to the public internet that are AD- or LDAP-integrated? – Semicolon Apr 19 '21 at 15:33
Yeah that's right @Semicolon. We have RDS Web App open to our Staff and it appears it was being brute forced. – Killian Apr 21 '21 at 12:50
1 Answer
After doing more digging it turned out it was coming from multiple attempts to brute force the domain administrator password on our RDS Gateway. I've set up and configured RDPGuard for now and it's working wonders thankfully and blocking MANY attempts to brute force our systems.

Killian
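To triage the symptom discussed in this thread, the following added example (not part of the original question or answer) groups 4740 events by target account and Caller Computer Name and lists accounts that keep appearing with a blank caller. It assumes the events were exported from the DC's Security log as XML; the sample events and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events in the Windows event XML layout.
# In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
def _event(user, caller, when):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4740</EventID><TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{caller}</Data></EventData></Event>'
    )

SAMPLE = "".join([
    _event("Administrator", "", "2021-04-19T10:00:01Z"),
    _event("Administrator", "", "2021-04-19T10:00:09Z"),
    _event("jsmith", "WS-042", "2021-04-19T10:03:00Z"),
])

def summarise_lockouts(xml_text):
    """Count 4740 events per (account, caller); a blank caller becomes '(blank)'."""
    # Assumption: the export is a run of <Event> elements with no root element.
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    counts = Counter()
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        caller = data.get("TargetDomainName") or "(blank)"
        counts[(data.get("TargetUserName", ""), caller)] += 1
    return counts

def blank_caller_accounts(counts, threshold=2):
    """Accounts with at least `threshold` lockout events that carry no caller name."""
    return sorted(user for (user, caller), n in counts.items()
                  if caller == "(blank)" and n >= threshold)

if __name__ == "__main__":
    c = summarise_lockouts(SAMPLE)
    for (user, caller), n in c.most_common():
        print(f"{n:4d}  {user:<15} caller={caller}")
    print("Blank-caller accounts:", blank_caller_accounts(c))
```

Accounts that show up here with a blank caller are the ones to trace back to internet-facing, AD-integrated services such as the RDS Gateway named in the answer.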