
Let me start off with some details on my environment:

  • Windows Active Directory Domain Environment
  • Domain Controller: Windows Server 2003 R2
  • Problem Workstation: Windows 7 Professional 64-bit

Lately I've gotten reports of Domain User Accounts being locked out due to excessive Login Failure attempts. I've gotten reports of this issue from users using two different machines, both Win 7 Pro x64. I would just unlock their account and let them be on their way, but sometimes the account is immediately locked out again, and sometimes the user will get locked out overnight, every night, causing some chaos. Due to this issue I set the Account Lockout Threshold to 0 under our SBS Server Lockout Policy so users can work uninterrupted while I figure this out.

In doing some research on this problem, a common cause I found is that when a user's password is changed, their old credentials are cached somewhere and are being used by a process or service, causing audit failures; but the users in question have not changed their password in a long while.

So I am checking event logs on one of the workstations in question and I'm finding Audit Failure events for a number of users occurring every second or so. One of the users uses the computer regularly via Remote Desktop, but the other three are a bit odd to see. One of the other three does not access this machine that I'm aware of, and the other two users don't exist. One of the non-existent users has the username of our domain name and the other is called DENTAL.... On the other machine, on which another user was constantly logged out, I saw all manner of odd and non-existent usernames listed in the events (they were real names, but not names of users of our domain, like bob, jenny, garry etc.).

The Security Event Log timeline looks like this, all day every day: [screenshot: Audit Failures]

Here are the full event details for the non-existent user (the only user logged on to his PC is the Domain Admin):

-System
  -Provider
      [ Name]        Microsoft-Windows-Security-Auditing 
      [ Guid]        {54849625-5478-4994-A5BA-3E3B0328C30D} 
   EventID           4625
   Version           0
   Level             0
   Task              12544
   Opcode            0
   Keywords          0x8010000000000000 
  -Time Created
       [ SystemTime] 2017-03-16T18:23:08.864151000Z 
   EventRecordID     9068892
   Correlation
  -Execution
       [ ProcessID]  560
       [ ThreadID]   1364
   Channel           Security
   Computer          *xxxx.domain.lan*
   Security          

-EventData
   SubjectUserSid            S-1-0-0 
   SubjectUserName           - 
   SubjectDomainName         - 
   SubjectLogonId            0x0 
   TargetUserSid             S-1-0-0 
   TargetUserName            DENTAL
   TargetDomainName  
   Status                    0xc000006d 
   FailureReason             %%2313 
   SubStatus                 0xc0000064 
   LogonType                 3 
   LogonProcessName          NtLmSsp  
   AuthenticationPackageName NTLM 
   WorkstationName  
   TransmittedServices       - 
   LmPackageName             - 
   KeyLength                 0 
   ProcessId                 0x0 
   ProcessName               - 
   IpAddress                 -  
   IpPort                    - 

For each and every one of these events (EventID 4625) there is a corresponding event (EventID 4776) with the same TargetUserName.

Any and all help and/or advice given here will be greatly appreciated. Please let me know if there is any other information I should provide, Event Logs you would like to see etc.

Thanks in advance!

  • Are these workstations directly connected to the Internet somehow? It looks like they are being scanned. An easy way to verify this would be to disconnect the workstation from the network and see if the Audit Failures stop. You could then install a network monitor to see where the connections are potentially coming from (IPMon+ from the EventSentry SysAdmin Tools is easy to use). Are you getting audit failures on the domain controller as well? – Lucky Luke Mar 18 '17 at 14:30
  • 1
    They are connected to the internet through the router/gateway. When I disconnect their ethernet cable, the audit failures do indeed stop. There are corresponding Audit Failure events on the Domain Controller, yes. – OilyBusiness Mar 29 '17 at 21:11
  • I used IPMon+ and procmon to monitor connections, there doesn't seem to be anything other than mDNS (port 5353) and RDP (I usually use RDP to connect to the machine) traffic. I look for connections/packets that match the System Time under "Time Created" in the event data and can't find any that match exactly, maybe there's some lag between packet arrival and event creation in event viewer? – OilyBusiness Mar 29 '17 at 21:21
  • There really shouldn't be a lag between a packet coming in (and resulting in an action that will be logged) and it being logged to the security event log, other than a few milliseconds maybe. Have you tried experimenting with Firewall rules? Also, is there any port forwarding configured on the firewall that would redirect external, incoming traffic to port 3389 on the workstation? – Lucky Luke Mar 31 '17 at 17:05
  • OK, I was monitoring the machine using RDP, which confused things for me when monitoring traffic. I hopped on the machine locally and started looking at things. There is traffic corresponding to the audit failures. We do have a firewall forwarding RDP traffic to the local machine using a non-default RDP port (not 3389, but close). Since I was monitoring the machine with a monitor and not remotely, I was able to see that the audit failures are being caused by unsuccessful logon attempts with random target usernames (and, I assume, random passwords) coming over the RDP port. – OilyBusiness Apr 03 '17 at 16:37
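The question and the comments above end up with two competing explanations for a constant stream of 4625 events: a stale cached credential replayed by some service (the common case the research turned up) versus credential guessing arriving over the forwarded RDP port (what the local packet capture showed). The two cases look different in the event data itself, before any capture is taken: guessing produces many distinct target names that do not exist (SubStatus 0xc0000064) over network NTLM logons (LogonType 3, NtLmSsp), while a stale credential produces the same existing account failing with a wrong password (SubStatus 0xc000006a) over and over. The Python below is an added worked example, not code from the question or the comments: it parses records in the same Event Viewer Details layout that was pasted above and applies that distinction. The sample records are constructed to match the posted event's field values; the user names, the timestamps and the domain name EXAMPLE are invented.

```python
"""Triage of Windows Security 4625 logon-failure events (added example).

The sample records are constructed; they copy the layout and the Status /
SubStatus / LogonType / NtLmSsp / blank WorkstationName and IpAddress fields
of the event pasted in the question, with invented names and timestamps.
"""
import re
from collections import Counter
from datetime import datetime

# NTSTATUS sub-status codes as they appear (lower-case) in 4625 event data.
SUBSTATUS = {
    "0xc0000064": "unknown user name",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc000006f": "outside logon hours",
    "0xc0000071": "password expired",
    "0xc0000193": "account expired",
}


def _record(target_user, substatus, when, logon_type="3"):
    """Build one constructed record in the Event Viewer 'Details' text layout."""
    return f"""-System
       [ SystemTime] {when}Z
   EventID           4625
-EventData
   TargetUserName            {target_user}
   TargetDomainName
   Status                    0xc000006d
   SubStatus                 {substatus}
   LogonType                 {logon_type}
   LogonProcessName          NtLmSsp
   AuthenticationPackageName NTLM
   WorkstationName
   IpAddress                 -
"""


_T = "2017-03-16T18:23:"
# Constructed burst: five names that do not exist (EXAMPLE stands in for the
# domain name, as in the question) plus two existing accounts with bad passwords.
SAMPLE_EVENTS = "\n".join([
    _record("DENTAL",        "0xc0000064", _T + "08.864151000"),
    _record("EXAMPLE",       "0xc0000064", _T + "09.901000000"),
    _record("bob",           "0xc0000064", _T + "10.732000000"),
    _record("jenny",         "0xc0000064", _T + "11.815000000"),
    _record("garry",         "0xc0000064", _T + "12.640000000"),
    _record("administrator", "0xc000006a", _T + "13.502000000"),
    _record("jsmith",        "0xc000006a", _T + "14.417000000"),
    _record("bob",           "0xc0000064", _T + "15.300000000"),
])

_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?$")


def parse_systemtime(value):
    """SystemTime carries 9 fractional digits; keep the first 6 as microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unparseable SystemTime: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")))


def parse_events(text):
    """Split blank-line separated records and read each 'Key   Value' line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for raw in block.splitlines():
            line = raw.strip()
            if not line or line.startswith("-"):   # section headers: -System, -EventData
                continue
            if line.startswith("["):               # attributes such as "[ SystemTime] ..."
                key, _, value = line.partition("]")
                key = key.strip("[ ")
            else:                                  # "Key<spaces>Value" or a bare "Key"
                key, _, value = line.partition(" ")
            ev[key.strip()] = value.strip()
        if "SystemTime" in ev:
            ev["time"] = parse_systemtime(ev["SystemTime"])
        events.append(ev)
    return events


def triage(events, min_events=5):
    """Summarise a run of 4625s and say which of the two usual causes fits."""
    times = sorted(e["time"] for e in events)
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    per_minute = len(events) * 60.0 / span if span > 0 else float(len(events))
    by_sub = Counter(SUBSTATUS.get(e.get("SubStatus", "").lower(), e.get("SubStatus", "?"))
                     for e in events)
    by_user = Counter(e.get("TargetUserName", "") for e in events)
    unknown_users = sorted({e["TargetUserName"] for e in events
                            if e.get("SubStatus", "").lower() == "0xc0000064"})
    network_ntlm = sum(1 for e in events
                       if e.get("LogonType") == "3" and e.get("AuthenticationPackageName") == "NTLM")
    # Blank WorkstationName and IpAddress, as in the posted event: the source
    # cannot be read from the workstation's 4625 alone.
    no_source = sum(1 for e in events
                    if not e.get("WorkstationName") and e.get("IpAddress", "-") == "-")
    if len(events) >= min_events and len(unknown_users) >= 3 and network_ntlm == len(events):
        verdict = "guessing"            # many non-existent names over network NTLM
    elif len(by_user) == 1 and by_sub.get("wrong password", 0) == len(events):
        verdict = "stale_credential"    # one real account, always a wrong password
    else:
        verdict = "inconclusive"
    return {"events": len(events), "per_minute": per_minute, "by_substatus": dict(by_sub),
            "by_user": dict(by_user), "unknown_users": unknown_users,
            "network_ntlm": network_ntlm, "no_source": no_source, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

On the sample burst the verdict is "guessing": six of eight failures are for names that do not exist, all eight are LogonType 3 NTLM, and all eight have no WorkstationName or IpAddress, which is why the events alone could not say where the traffic came from and the source had to be found with a packet capture and the firewall's port-forward rule, as the comments describe. The matching 4776 events on the domain controller carry a Source Workstation field, which is worth checking before any capture. A run where one existing account keeps failing with "wrong password" comes back as "stale_credential" instead, the cached-credential case from the research.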
