
Domain account lockout from outside network



#1 jpalmerbean


Posted 27 May 2013 - 03:35 AM

Hello,
 
I've just joined the site because I have a problem that I can't figure out or I'm stuck. It's for work.
We have a domain with a user who randomly locks out every couple of weeks or so. When it locks out, it keeps locking out for an hour or so and she has to call helpdesk a couple of times to have her account unlocked. We are a school and unfortunately our network is wide open. If I need to close something, I need to do it on her computer. At first I thought it was something running on her computer that was causing the problem, but after checking through everything, I couldn't find anything cached, etc.
At that time the security log wasn't big enough and by the time I got to her computer it was overwritten for the time when the account locked. Now, I finally got the security log and see that the source network address is not from our network. I traced it to China. It's always the same 2 IP addresses that try. They use different source ports. In the system log at the same time, terminal services is saying that a remote session from client name a exceeded maximum allowed failed logon attempts. I've attached the system and a couple of security logs. Always the same IP, but the source port does change.
 
On her firewall, I added a local rule for port 3389 to only our network. The rule from GPO just opens that right up. I know, I know, it shouldn't be that way, but I have no power to change that.
 
So, I have a couple questions:
Does my local rule I created in the firewall merge with the rule from the GPO? I didn't see any rules about merging the changes together when I looked at the GPO (which I don't have editing rights to).
How can I secure this PC so that these attacks stop locking her account? I.e., do something on the computer's firewall to prevent it getting so far as being able to use this person's username and password?
 
Thank you for reading this post and for any help.
 


Edited by bloopie, 29 May 2013 - 08:12 AM.
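
The triage described in the post above (grouping failed-logon records by source network address rather than by source port, and separating outside addresses from the local network) as an added example that is not part of the original post. The CSV record layout, the 10.20.0.0/16 local range, the threshold of 3 and the 30-minute window are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not taken from the poster's attached logs.
# Fields: time, target account, source network address, source port.
SAMPLE = """\
2013-05-27 01:10:02,jdoe,203.0.113.7,51514
2013-05-27 01:10:09,jdoe,203.0.113.7,51530
2013-05-27 01:10:15,jdoe,198.51.100.23,40211
2013-05-27 01:10:21,jdoe,203.0.113.7,51602
2013-05-27 01:10:40,jdoe,198.51.100.23,40377
2013-05-27 08:02:11,jdoe,10.20.1.45,49822
"""

LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed campus range
THRESHOLD = 3                    # assumed account lockout threshold
WINDOW = timedelta(minutes=30)   # assumed lockout observation window

def parse(text):
    """Yield (time, account, source address, source port) per record."""
    for line in text.strip().splitlines():
        ts, user, ip, port = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user,
               ipaddress.ip_address(ip), int(port))

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def external_lockout_sources(text):
    """Map each account to the outside addresses seen failing against it,
    for accounts where outside failures alone reach THRESHOLD within WINDOW."""
    by_user = defaultdict(list)
    for ts, user, ip, _port in parse(text):  # port ignored: it changes per attempt
        if not is_local(ip):
            by_user[user].append((ts, ip))
    result = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                ips = {str(ip) for _, ip in events}
                result[user] = sorted(ips, key=ipaddress.ip_address)
                break
    return result

if __name__ == "__main__":
    print(external_lockout_sources(SAMPLE))
```
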

