KnowledgeBase Event Repository

This site is the central interface to the Adiscon Event Repository

  • Details for this entry
  • Eventlog Type: Security
    Eventlog Source: Security
    Event ID: 644
    Full Description:
    User Account Locked Out
    This event should show up as soon as an account has been locked out. However, our testing has shown that it does not appear on all Windows 2000 versions. It does appear from SP3 and above.

    Eric F. from Microsoft added:

    Seeing the "account locked out" 644 event on a DC does not allow the analyst to deduce the reason for the lockout, e.g. where the bad password attempts are coming from. You need the 529 "unknown user name or bad password" failure events from the machine being accessed to find that out, and might even need a network trace. Sometimes the account being used gives you a hint to what the problem is ("_ARCSERVE", etc.), but sometimes not. In Windows 2000 SP4 we add the calling process ID so that you can see, on the machine where the bad logon attempt event occurs, which process requested the logon with bad credentials.

    As such, this event is only the beginning of an alarm. To fully utilize its potential in log analysis, you need to consolidate other events together with this one.

    Parameter Description:
    User Account Locked Out:%n
    %tTarget Account Name:%t%1%n
    %tTarget Account ID:%t%3%n
    %tCaller Machine Name:%t%2%n
    %tCaller User Name:%t%4%n
    %tCaller Domain:%t%5%n
    %tCaller Logon ID:%t%6%n
    More Information:
    Cause

    An account is locked out when a specified number of unsuccessful logon attempts occur over a specified time period.

    Unsuccessful logon attempts might indicate that the user forgot the password. However, they can also indicate password guessing by an unauthorized user or a denial of service attack against your network.

    The account can be locked out for a set time period or until an administrator manually unlocks it.

    Resolution

    Analyze the events to determine whether this is an attack against your network. Look for Security 529 through Security 537 messages appearing immediately before the Security 644 message. If these messages appear frequently during a short time period (for example, several attempts per second), they can indicate that an attacker is rapidly trying numerous passwords until logon is successful or the account is locked out.

    If an attack pattern shows up, identify the source of the attack from the information that is provided in the messages and follow your security policy to mitigate the threat.
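
The consolidation described above, as an added example that is not part of the original entry: for each 644 it collects the 529 through 537 failures for the same account from all machines, counts them per source workstation and flags a rapid burst. The record layout, host names, accounts and thresholds are constructed assumptions, not real log data or a real export format.

```python
from collections import Counter
from datetime import datetime, timedelta

FAILURE_IDS = range(529, 538)  # Security 529 through 537
LOCKOUT_ID = 644

# lookback, burst_per_sec and the minimum of 3 failures are assumed thresholds;
# tune them to your own lockout policy.
def explain_lockouts(events, lookback=timedelta(minutes=5), burst_per_sec=2.0):
    """For each 644, summarize same-account 529-537 failures (from any host)
    logged within `lookback` before the lockout."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for lock in (e for e in events if e["event_id"] == LOCKOUT_ID):
        prior = [e for e in events
                 if e["event_id"] in FAILURE_IDS
                 and e["account"].lower() == lock["account"].lower()
                 and timedelta(0) <= lock["time"] - e["time"] <= lookback]
        rate = 0.0
        if len(prior) > 1:
            span = (prior[-1]["time"] - prior[0]["time"]).total_seconds()
            # Event log timestamps have one-second resolution: floor the span at 1s.
            rate = len(prior) / max(span, 1.0)
        findings.append({
            "account": lock["account"],
            "failures": len(prior),
            "sources": Counter(e["workstation"] for e in prior),
            "rate_per_sec": round(rate, 2),
            "rapid": len(prior) >= 3 and rate >= burst_per_sec,
        })
    return findings

# Constructed sample: simplified records consolidated from three machines.
T0 = datetime(2008, 5, 29, 16, 0, 0)

def _ev(sec, host, event_id, account, workstation=""):
    return {"time": T0 + timedelta(seconds=sec), "host": host,
            "event_id": event_id, "account": account, "workstation": workstation}

SAMPLE = (
    [_ev(i // 3, "FILESRV01", 529, "jdoe", "WS-KIOSK7") for i in range(12)]
    + [_ev(3, "DC01", 644, "jdoe")]
    + [_ev(s, "APPSRV02", 529, "svc_backup", "BACKUP02") for s in (100, 190, 280)]
    + [_ev(281, "DC01", 644, "svc_backup")]
)

if __name__ == "__main__":
    for f in explain_lockouts(SAMPLE):
        print(f["account"], f["failures"], dict(f["sources"]), f["rate_per_sec"], f["rapid"])
```

The first lockout in the sample is a burst from one workstation; the second is a slow trickle of failures from a single server, which points to a stale stored credential more than to guessing.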

  • Software Vendor: Microsoft

Discuss the Event

Discussion for KB Entry 47 - Event ID 644

by knowledgebase on Thu May 29, 2008 4:08 pm

This is the discussion thread for the Knowledge Base Entry 47

Eventlog Type: Security
Eventlog Source: Security
Event ID: 644

Short Description:
User Account Locked Out

About the KnowledgeBase Event Repository

This is a repository of known Windows Events, hopefully together with a description of what each one means, when it appears and how to troubleshoot it. The event repository was initially provided as a tool for parser creation but has since evolved. It is now part of the overall knowledgebase in the hope that it provides a useful service to the community. Please add your comments and questions (which we try to answer), as this increases the event repository's usefulness for all of us.
