URGENT: AD users get locked out repeatedly for no reason

  • Question

  • Dear Friends,

    Although we have many threads on this, my scenario is different.

    I couldn't justify to my management whether it is an attack or a configuration issue.

    Actual network Diagram

    Internet -> Perimeter Router -> Firewall -> Anti Email Spam server (in DMZ) (192.168.112.13 / GITSSBG01) -> Firewall -> Exchange server + AD (internal)

    Background: There was a merger/acquisition of companies X and Y, where the domain controller (not all users, but only a few users, say 50 users, which include the CEO and a few directors) of company X (e.g. microsoftmany.com) has been merged/migrated to company Y (e.g. microsoftone.com).

    Now, for some reason, these 50 user accounts have been getting locked out randomly for the last 2-3 years, and now even at a faster pace (more than 150 attempts in 3 minutes).

    I am pretty confident that it is not an ActiveSync issue, application integration issue, service account issue, password change issue or Conficker issue.

    Because ActiveSync: it should happen for all the users, at a slower pace

    Application integration: event IDs and logs don't show that info

    Service account: cannot be a service account, as 50 users are getting locked out.

    I used account lockout tools from Microsoft / Netwrix, but all point to one server (that is, the anti-spam mail server), which is using the Symantec Brightmail anti-spam solution.

    For your information: this server is part of the domain and is also used as a mail relay service.

    To my surprise, I could see the following in the event viewer on that server (192.168.113.12 / Brightmail server)

    In the Security log I can see the following:



    The most confusing part is why it is happening for old users and not for new users in the domain.

    Need your support or input on this. Thanks


    Sunday, August 24, 2014 9:01 AM

Answers

  • A few things I would like to verify here:

    Whether the old users have old passwords or smartphone access
    Exchange ActiveSync mobile devices
    Contacts sync
    Applications / web applications / tools which sync with Active Directory for authentication
    Vault for credentials in Windows Control Panel or Credential Manager
    Stored usernames and passwords – rundll32.exe keymgr.dll, KRShowKeyMgr
    Rename the AD profile on the user machine
    Whether the anti-spam is also installed on new users' systems
    How you have managed such a problem, since you mentioned 2-3 years

    Further, you can try the "Get-LockedOutLocation" PowerShell script that is available from Microsoft and can help you find the exact root cause of such a weird issue. To download the script, please visit: http://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab


    Carlo

    • Marked as answer by Alex Lv Tuesday, September 2, 2014 1:40 AM
    Tuesday, August 26, 2014 6:03 AM
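    The same hunt the accepted answer points at, written out as an added example (this is not code from the thread and not Microsoft's Get-LockedOutLocation script). Every lockout is recorded as event 4740 on the PDC emulator, whatever DC rejected the password, and its "Caller Computer Name" field is the host that submitted the bad credentials; that is how the tools in the question ended up pointing at the Brightmail server. The second function then reads that host's failed-logon events (4625 on Server 2008 and later; on Server 2003 the equivalent is 529, whose Description is free text as pasted below) and groups them by account, logon process and source address, so a single process hammering the directory stands out. It needs the RSAT ActiveDirectory module and Security-log read rights on the remote hosts; the account name, computer name and look-back periods in the usage lines are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

function Get-LockoutOrigin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$HoursBack = 24
    )
    # Lockouts are always written to the PDC emulator, whichever DC saw the bad password.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$HoursBack) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value   # TargetUserName
                CallerComputer = $_.Properties[1].Value   # TargetDomainName holds "Caller Computer Name"
                RecordedOn     = $pdc
            }
        }
}

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$HoursBack = 1
    )
    # 4625 = "An account failed to log on" (Server 2008+). Server 2003 logs 529 with a
    # free-text Description instead, which has to be parsed from the message body.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$HoursBack) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Account      = $d['TargetUserName']
                LogonType    = $d['LogonType']         # 3 = network logon, as in the pasted 529
                LogonProcess = $d['LogonProcessName']  # the pasted 529 shows "IIS"
                SourceIp     = $d['IpAddress']
            }
        } |
        Group-Object Account, LogonProcess, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage (account and host names are assumptions; GITSSBG01 is the relay named in the thread):
# Get-LockoutOrigin -SamAccountName 'ceo' -HoursBack 48
# Get-FailedLogonSummary -ComputerName 'GITSSBG01' -HoursBack 1
```

    The first function answers "which machine is sending the bad passwords", the second answers "which process on that machine, and from where". A high count for one account with logon type 3 and a logon process belonging to a network service, rather than a workstation name, is the shape to look for before blaming stale credentials on user PCs.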

All replies

  • I couldn't copy the image :( (apologies)

    Event Viewer -> Security shows the following:

    Type           Date       Time         Source    Category       Event  User    Computer
    Failure Audit  8/24/2014  12:13:07 PM  Security  Logon/Logoff   529    SYSTEM  GITSSBG01

    User: NT AUTHORITY\SYSTEM

    Description:
    Domain: aaco
    Logon Type: 3
    Logon Process: IIS
    Authentication Package: MICROSOFT_AUTH_PACKA V1.0
    Workstation: GITSSBG01
    Caller User Name: GITSSBG01$
    Caller Domain: AACO
    Caller Process ID: 2044
    Caller Logon ID: (0x0, 0x3E7)

    Sunday, August 24, 2014 9:08 AM
  • My initial investigation shows that SMTPSVC is the reason. But how can I relate that? Please help
    Sunday, August 24, 2014 9:13 AM
  • Well, one of the reasons can be that Symantec Brightmail has Active Directory authentication for each user, so every user can log in to the Brightmail server and check their own spam using the web interface. Probably users have an old password saved in their browsers and try to authenticate to the Brightmail server (or maybe they have an open tab in their browsers).

    Another suggestion is that users have old passwords saved in their SMTP client settings, and Brightmail can't pass their outbound messages.


    --- Jeff (Netwrix)

    Monday, August 25, 2014 1:23 PM
  • Guys, I found the reason. It was an SMTP authentication brute-force attack causing this issue. Multiple bots across the internet are performing an authentication brute-force attack on this particular relay server to compromise it and take control of the server to relay spam messages.

    I rectified it by changing the usernames in AD and enabling the IPS signatures that are related to this particular brute-force attack.

    For more details ping me : vaithy(atherate)live(dot)co(dot)uk

    Sunday, September 28, 2014 8:23 AM
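    The pattern the thread ends on, many failed network logons against one account inside the domain's lockout observation window, can be checked directly against the relay's failed-logon records. The following is an added example, not code from the thread: a sliding-window count per account that reports the busiest window and the source addresses behind it. It runs offline on constructed sample records shaped like the output of the event query above (Time, Account, SourceIp); the threshold and window defaults are assumptions, and the commented lines show how to take the real values from the domain policy instead.

```powershell
function Find-AuthBruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Events,            # objects with Time, Account, SourceIp
        [int]$Threshold = 10,                                # assumed lockout threshold
        [timespan]$Window = [timespan]::FromMinutes(30)      # assumed observation window
    )
    foreach ($grp in ($Events | Group-Object Account)) {
        $hits  = @($grp.Group | Sort-Object Time)
        $best  = $null
        $start = 0
        for ($end = 0; $end -lt $hits.Count; $end++) {
            # Slide the left edge so that [start, end] never spans more than $Window.
            while (($hits[$end].Time - $hits[$start].Time) -gt $Window) { $start++ }
            $n = $end - $start + 1
            if ($null -eq $best -or $n -gt $best.Attempts) {
                $best = [pscustomobject]@{
                    Account     = $grp.Name
                    Attempts    = $n
                    WindowStart = $hits[$start].Time
                    WindowEnd   = $hits[$end].Time
                    Sources     = (@($hits[$start..$end] | Select-Object -ExpandProperty SourceIp -Unique) -join ', ')
                }
            }
        }
        # Only accounts whose busiest window reaches the lockout threshold are reported.
        if ($best.Attempts -ge $Threshold) { $best }
    }
}

# Constructed sample (not real data): 150 failures against 'ceo' in three minutes from two
# Internet addresses, matching the rate described in the question, plus two stray failures
# against 'bob' an hour apart from an internal workstation.
$t0 = Get-Date '2014-08-24 12:10:00'
$sample = @()
$sample += 1..150 | ForEach-Object {
    $ip = if ($_ % 2) { '203.0.113.5' } else { '198.51.100.7' }
    [pscustomobject]@{ Time = $t0.AddSeconds($_ * 1.2); Account = 'ceo'; SourceIp = $ip }
}
$sample += [pscustomobject]@{ Time = $t0;             Account = 'bob'; SourceIp = '192.168.112.40' }
$sample += [pscustomobject]@{ Time = $t0.AddHours(1); Account = 'bob'; SourceIp = '192.168.112.40' }

# Reports 'ceo' with 150 attempts from both addresses; 'bob' never reaches the threshold.
Find-AuthBruteForce -Events $sample | Format-Table -AutoSize

# On a domain-joined host with RSAT, use the real policy values instead of the defaults:
# $policy = Get-ADDefaultDomainPasswordPolicy
# Find-AuthBruteForce -Events $events -Threshold $policy.LockoutThreshold -Window $policy.LockoutObservationWindow
```

    Two points worth checking alongside the output. External, non-RFC1918 source addresses against internal accounts are what separates an Internet brute force from a stale saved password, which would come from one internal host. And an Internet-reachable SMTP AUTH endpoint that validates AD credentials lets anyone lock the accounts it knows about at will, because the lockout policy does exactly what it is told; blocking or rate-limiting SMTP AUTH from the Internet at the firewall removes that lever independently of what the usernames are.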