3. Finding source of account lockouts? Service/app?

Finding source of account lockouts? Service/app?

security logs on the DC? If you forward your login attempts (failed and successful) to a log aggregator, then you can look in a single place for the failed logins associated with the user name and find a source/dest.

The other thing would be the network logs. traffic to/from that DC, packet captures. that will also help you find the source.

suddenly the stale sessions on a server somewhere, with an internet browser open trying to authenticate to the proxy with the user's old credentials become very apparent.

But, finding the application or service responsible for the stale credentials? I don't think that microsoft has a solution for that. There are some security solutions that will show you what processes called which processes and so on until you see which ones are calling networking processes and/or requisitioning networking resources and use that to narrow it down. but by the time it hits the DC it isn't providing info about what application is wanting the authentication, only "hey, do these creds check out? yes or no?" You'd need the session info from the source machine to be able to see what application initiated the session - and since session # info is not commonly saved, and is frequently re-used, you're looking at a root level security tool that saves all that info by default. Something with a network shim that documents all the network activity, and an internal ability to track what processes are calling what processes and link it to that network activity.

AFAIK there are only 2 major players on the market with that kind of tool (that is authorized and warrantied and isn't just a black-market trojan) - with others coming soon, I'm sure.

/r/sysadmin Thread
Previous
Next

Recently removed from /r/sysadmin

I know of a crazy vulnerable Exchange server at my old work. What to do? Details inside. Intune Windows LAPS - Configuration Profile Applies Successfully, Yet Nothing Happens...Why? Woman starting in IT next month. Should I be worried or not? How to run a meaningful CyberSecurity Risk Workshop/Assesment Amazon Outage I don't know what I'm doing and I need help What's the point of using BitLocker with TPM instead of password when someone can always access your computer without entering a password on boot? How many of you despise IoT? Onboarding 1200 New Users - how to communicate passwords? Gen Z also doesn't understand desktops. after decades of boomers going "Y NO WORK U MAKE IT GO" it's really, really sad to think the new generation might do the same thing to all of us Modern SQL Express Backup Solution [GA] Employee claims she can't use Microsoft Windows for "Religious Reasons" So I got a "correctional talk" yesterday. Rant about new age "senior" IT "specialists" who don't know how to wipe their butt. Do you think remote work is slowly dying? Most companies seem to be pushing RTO, even big tech you folks think ?

More Random Comments

LGBT Victims of Violence: ‘Going to the Cops Will Only Make It Worse’ Karma &Trade System Suggestion Overview for Spicycake1 What's the pettiest thing you've seen an adult do to a child? Why does Bernie want to appoint laymen to the Federal Reserve? Where do you stand on major philosophical issues? Where do you stand on major philosophical issues? Ray Tensing honored as most productive cop on UCPD's force prior to his fuckup. Just kidding they spun this in a way that leads to the conclusion that every police success metric in existence is wrong and the perfect cop sits behind a 7/11 his entire shift. Boston Globe: 'Stanford rapist is a product of online gamer and reddit bro culture'. Article demonizes males, calls for all boys to be forced to read rape victims statements. Why does Bernie want to appoint laymen to the Federal Reserve? The 1955 LeMans Disaster Assuming there is a creator, what is something you think he did just to be a dick? Which Youtubers did you unsubscribe from and why? giving away starwars battlefront to the best joke American ISIS fighter who ‘found it hard’ returns to face criminal charges