Guest account locked out

b.lucas posted this 30 March 2006

Our built-in guest account gets locked out from time to time,
generating 644 events in the DC's security logs.  I'm trying
to determine how it can get locked out because the account is disabled. 
If I take a test box and hammer away at the guest account with bogus passwords
I never get a lockout message, only "Your account has been disabled…".

 

Our account policy is as such:

Duration: 120m

Threshold: 5 attempts

Reset: 15 minutes

 

If I look at the caller machine, I see the same Event 515 (KSecDD)
at the exact time the lockout occurs.  I also see just seconds before, 2
528's and 2 576's, Network Service logon/logoff and privilege uses
(primary token privilege).  The computer accounts aren't
disabled.  It feels like the client is just renewing its token, but why
would that involve the guest account (renamed to netgst)?

 

 

Event ID          : 644
Event Importance  : Critical importance event
Date & Time       : 3/30/2006 - 7:37:40 AM
Rule Triggered    : User Account Locked Out - 644 - Outside N.O.T - Medium - Win2k/Win2003 DC
Computer          : AD6
Event Log         : Security
Event Source      : Security
Event Category    : Account Management
Event Type        : Success Audit
S.E.L.M. Event ID : 1143560217_000000004988749
User Name         : NT AUTHORITY\SYSTEM
Operating System  : Windows 2003 Domain Controller

User Account Locked Out:
      Target Account Name:    NetGst
      Target Account ID:      %{S-1-5-21-2142909598-1293495619-134157935-501}
      Caller Machine Name:    PP1174
      Caller User Name:       AD6$
      Caller Domain:          TCU
      Caller Logon ID:        (0x0,0x3E7)

More Information:
User account named NetGst (account ID %{S-1-5-21-2142909598-1293495619-134157935-501}) has been locked out by User AD6$ from domain TCU (machine named PP1174).

 

Event Type:       Success Audit
Event Source:     Security
Event Category:   System Event
Event ID:         515
Date:             3/30/2006
Time:             7:37:40 AM
User:             NT AUTHORITY\SYSTEM
Computer:         PP1174
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

 Logon Process Name:   KSecDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

Bryan Lucas

Server Administrator

Texas Christian University

(817) 257-6971

g4ugm posted this 10 October 2015

Some kind of Malware. Malicious User. Turn the workstation off… 


kurtbuff posted this 10 October 2015

So all attempts are coming from a single workstation? Definitely malicious if true.
If it's coming from multiple workstations, it could still be malicious, but it could also be BYOD or something else that's misconfigured.
Kurt
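
Whether the lockouts come from one workstation or several can be read off exported 644 events by grouping them on the caller machine. The script below is an added example, not part of the original thread: it assumes events exported as text in the field layout quoted in the first post, and the host names, the jdoe account and the SIDs in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the thread's 644 field layout; hosts, jdoe and SIDs are made up.
SAMPLE = """\
Event ID : 644
Target Account Name: NetGst
Target Account ID: %{S-1-5-21-1111111111-2222222222-3333333333-501}
Caller Machine Name: PP2001

Event ID : 644
Target Account Name: NetGst
Target Account ID: %{S-1-5-21-1111111111-2222222222-3333333333-501}
Caller Machine Name: PP2002

Event ID : 644
Target Account Name: jdoe
Target Account ID: %{S-1-5-21-1111111111-2222222222-3333333333-1105}
Caller Machine Name: PP2003

Event ID : 528
User Name: NETWORK SERVICE
"""

def parse_events(text):
    """One dict of 'Field: value' pairs per blank-line-separated record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def lockout_summary(text):
    """Per locked-out account: caller machines, single source?, built-in Guest?"""
    callers, guest = defaultdict(Counter), set()
    for ev in parse_events(text):
        if ev.get("Event ID") != "644":
            continue  # only "User Account Locked Out" records are counted
        name = ev.get("Target Account Name", "?")
        callers[name][ev.get("Caller Machine Name", "?")] += 1
        # The built-in Guest keeps RID 501 when renamed (NetGst in the thread).
        if ev.get("Target Account ID", "").strip("%{}").endswith("-501"):
            guest.add(name)
    return {a: {"callers": dict(c), "single_source": len(c) == 1,
                "builtin_guest": a in guest} for a, c in callers.items()}

if __name__ == "__main__":
    for account, info in lockout_summary(SAMPLE).items():
        print(account, info)
```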



abhay.ipg posted this 11 October 2015

One DC's password policy was misconfigured; it's resolved now.
Thanks for your help.
Have a great weekend.
Regards,
Abhay Singh
Email:- Abhay.ipg@xxxxxxxxxxxxxxxx
Cell :- +91-8527676669
Skype:- abhayit1
