Windows Firewall - simple way to block an IP address that is scanning? User keeps getting locked

1

I am using Windows Server 2008 - fully patched.

One of my user accounts keeps getting locked. It is easy enough to unlock it - but it is happening with increasing frequency - and the user is not entering incorrect passwords.

I checked the security log - and see attempts to scan from a specific IP address. I would like to block all activity from this IP address. Is this easy to do? I don't have physical access to the server - so I am hesitant to experiment with setting up a rule that may accidentally block my access.

Also hoping that I can track down specific activity that is causing this user to get locked. Isn't there an event that I can look for when the account gets locked? I don't see it - and this scan that I mentioned above may not be related to the locking - as these 'failed logins' are not for the same user as the user that got locked. We have been watching the logs as the lock happens - but no clues there yet.

aSkywalker

Posted 2011-09-26T18:43:08.917

Reputation: 207

Are there any automated applications that use this user's credentials that are trying to authenticate using the previous password or expired credentials? – music2myear – 2011-09-26T18:57:24.050

No - nothing that is running for that user. I had thought that mapped network drives may be trying to reconnect - but none. – aSkywalker – 2011-09-26T19:12:21.927

There is malware on the system; Windows Firewall blocks all unsolicited incoming connections by default. – Moab – 2011-09-26T20:05:37.720

Answers

1

In Windows 7 (I'm hoping this is the same or similar for Server 2008) you can create custom rules in the 'Windows Firewall with Advanced Security'.

In the Inbound rules section create a custom rule that applies to all programs, all ports, and then choose your IP address.

You can see this site for more information.

Matthew Steeples

Posted 2011-09-26T18:43:08.917

Reputation: 2 130

2 I've done this and there is still traffic on that IP. :/ – marines – 2014-06-08T20:37:59.797
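The inbound block rule from the answer above, scripted with `netsh advfirewall` so it can be applied over a remote session. This is an added example, not part of the original posts. It assumes you administer the server over RDP on the default port 3389 and that account lockouts are logged as Security event ID 4740; the address `203.0.113.45` and the rule name are constructed placeholders.

```powershell
# Added example: block one remote IP inbound without cutting off your own session.
param(
    [string]$BlockIp  = '203.0.113.45',    # constructed placeholder (documentation range)
    [string]$RuleName = 'BlockScanningIP', # hypothetical rule name
    [int]$RdpPort     = 3389               # assumption: default RDP port
)

# Reject input that does not parse as an IP address.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($BlockIp, [ref]$parsed)) {
    throw "Not a valid IP address: $BlockIp"
}
$target = $parsed.ToString()

# Collect remote addresses that currently hold an established connection
# to the local RDP port (IPv4 lines of 'netstat -n'; brackets trimmed for IPv6).
$adminPeers = netstat -n | ForEach-Object {
    if ($_ -match "^\s*TCP\s+\S+:${RdpPort}\s+(\S+):\d+\s+ESTABLISHED") {
        $Matches[1].Trim('[', ']')
    }
}

# Safety check: never block an address you are connected from right now.
if ($adminPeers -contains $target) {
    throw "$target has a live session on port $RdpPort; refusing to block it."
}

# All programs, all protocols, all ports, limited to the one remote address.
# Needs an elevated prompt.
netsh advfirewall firewall add rule name=$RuleName dir=in action=block remoteip=$target | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not add the rule (exit code $LASTEXITCODE)."
}

# Confirm what was created.
netsh advfirewall firewall show rule name=$RuleName

# Five most recent account-lockout events; the text output includes the
# locked account and the caller computer name.
wevtutil qe Security '/q:*[System[(EventID=4740)]]' /c:5 /rd:true /f:text

# To undo: netsh advfirewall firewall delete rule name=BlockScanningIP
```

Because the rule is scoped to a single remote address, connections from any other address are unaffected. For domain accounts, run the `wevtutil` query on a domain controller, since that is where the lockout event is recorded.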