Account Lockouts..
Account lockouts. I wont go into the pros and cons of setting this option
So this is an entry based on a recent case I debugged but the problem wasn’t a bug. There was a case open with PSS from a large government contractor. The case had to do with a single user who kept having their account locked out.
They had gone to great lengths to determine where the account lockout was coming from. The case was open in May and it was Sept mind you, and it appeared to be coming from the domain controller itself (based on the netlogon log) . One of the first things PSS will do is enable netlogon logging via the 2080ffff flags per
https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
06/23 15:44:27 [LOGON] SamLogon: Network logon of DOMAIN\Baduser from DC01 Returns 0xC000006A
The 0xC000006A indicates bad password attempt and 0xC0000234 would indicate an attempt on a locked account.
So the assumption here is that a process on the DC itself may be attempting to logon via a bad password. Tracking the netlogon logs and parsing for this user led to an abnormal pattern with no rhyme or reason to it – not at certain times or a regular pattern like some automated malware trying to attack this user. Almost like a real person ( it would stop on weekends and such). They asked the user if he had any hints as to what may be calling the bogus password but he could not recall.
After taking some drastic measures, like deleting the users account and creating a new one, they approached me for ideas. They had eventually implemented a script to unlock this one specific user every so often, but still wanted root cause. Network traces had not revealed anything obvious ( but since it was a very busy DC these were very very large traces and something may have been missed).
I threw out ideas like alockout.dll and windows logon monitor ( which is a PSS distributed tool for account lockouts) and these were tried but did not log any events when the user was locked.
In the end – a live debug determined that the user in question had setup an application to do a simple ldap bind ( over ssl ) with the users DN and a bad password.
There is a function which basically says "hey was this guy locked out?" and returns true if he was locked.
The calling function looked something like:
546298f3 8d4d8c lea ecx,[ebp-0x74]
546298f6 51 push ecx
546298f7 50 push eax
546298f8 ff750c push dword ptr [ebp+0xc]
546298fb e888170200 call mod!AmILocked
54629900 84c0 test al,al
so I set a conditional breakpoint like just so we don’t catch all the bad passwords – just the actual lockout events:
bp 54629900 "j @eax = 0x1 '';'gc'"
So once that was set I told them to call me when it breaks in – sure enough it did and I got about 4 minutes in on the real debug and the ASR ( Automatic System Recovery ) kicked in and rebooted the machine. Doh! Just a tip - before a kernel debug disable this in the BIOS or you lose all the setup etc... you did to get to a good point in a debug ;)
So we tried again the next day – hit it again (luckily) and it was the same user. I could see he was using the NTLM SSP msv1_0 , and tracked the call back to an LDAP connection which included the IP of where it was coming from. Once they had the information ( username, bad password, and the machine where it originated from ) they confronted the user and he recalled where and when he had set this machine up for a simple ldap bind via some firewall settings and had never deleted the static setting.
I am pretty sure that alockout.dll shims certain authN calls like LogonUser etc.. and the windows logon monitor inserts a new dummy SSP to catch calls - for some reason ( not sure why )these were not catching the root cause here.. perhaps error on the end user when setting them up?
How could this have been made easier? Not sure right now --- any thoughts from the readers?
spat
UPDATE 12\24\2005
Thought I would add some value to this post :)
The person who was being locked out did not know which machine the lockout was coming from. It may have jogged his memory and we could have tracked it down faster.
Usually the netlogon logs will show this. Most times this is only half the battle though, because you still dont know which process, service etc.. is actually sending the bad creds. In this case, due to the debug , I could tell them the username, source machine, and the password being used. As soon as the end user found out the source machine and password - he remembered where he had set this.
Anyway -- in this situation we simply show the DC as the source:
sample
user = ed
domain = crisco1
DC = 2k3entspat
Netlogon log shows:
12/24 17:15:46 [LOGON] CRISCO1: SamLogon: Network logon of CRISCO1\ed from 2K3ENTSPAT Entered
12/24 17:15:46 [LOGON] CRISCO1: SamLogon: Network logon of CRISCO1\ed from 2K3ENTSPAT Returns 0xC000006A
Why?
The ldap call somes into LSA and ends up calling into LogonUserW (advapi32) which then calls an LPC to itself , goes through netlogon and is eventually authenticated.
When it flows through netlogon it says "Hey, this call came from me! I'd better log that."
Ahh but it gets better. In Windows Server 2003, we will log an event:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/24/2005
Time: 5:15:46 PM
User: NT AUTHORITY\SYSTEM
Computer: 2K3ENTSPAT
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: ed
Domain: CRISCO1
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: 2K3ENTSPAT
Caller User Name: 2K3ENTSPAT$
Caller Domain: CRISCO1
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 436
Transited Services: -
Source Network Address: 157.59.123.219 --- this is the IP of the machine I used to do the LDAP bind from ( bad creds used )
Source Port: 1586
But ....they were on Win2k
Comments
Anonymous
October 27, 2006
Hi All, Please look into the given link which talks about: "Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features". http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Fwc022703%2Fwct022703.asp Enjoy! Chandan PatralekhAnonymous
May 24, 2008
Simple bind events don't record the calling Computer as the source, but record the ADDS-DC or the ADLDS instance name, so you cannot determine where the simple bind request came from. So if you are trying to track down where the calling machine is thatAnonymous
June 18, 2010
Hey man, How's it going? Hey, account lockouts are a fact of life in Active Directory, and we all deal with them. But are you sure a simple bind can result in account lockouts? I mean that sounds like a DoS attack waiting to happen - no? By the way, in any event, its always helpful to be able to identify locked accounts in your Active Directory. I run a blog on <a href="free-activedir-tools.blogspot.com/">Free Active Directory Reporting Tools</a> and I thought I'd share it with you because there are many free tools that I've covered. I'm certain one of them could help you list locked accounts and list accounts that might be about to be locked out, or help you identify the computer from which this account lockout might be coming. Thanks man! Peace, MarcAnonymous
June 20, 2010
Thats very cool Marc - thx for the link. Well in reality, account lockouts are indeed a DOS vector technet.microsoft.com/.../cc783860(WS.10).aspx touches on when one should actually use this feature. Spat