Thanks, Rob (and best wishes at U of M!).
Since the renamed admin acct was marked as being locked out, we had
not actually tried logging in AT THE CONSOLE with the original
(renamed) admin account (we had tried logging in locally with admin
accts that we had previously created).
This morning, I tried logging in at the console with the renamed
admin account and got in... even though it was "locked out" (so far
as net access was concerned). <whew>
We're back in to our 8 affected servers and have looked through the
security event logs. Previous attacks (last May) were
dictionary-based or (last Sept) simply rotated through every userid
on the system.
What was different about the March 8 attacks (compared with similar
ones on March 1-2) is that the March 8 attacks targeted ONLY
accounts that had higher privilege levels (backup, admin). The
March 8 attacks did not waste any resources on accounts with lower
Rob Neary wrote:
> Sorry to get in on this discussion late...
> There is one account on all WinNT/2K/XP systems which can not be locked out.
> In the case of a stand-alone machine, its "The" admin account (typically
> called Administrator, and in the case of a Domain Controller (or Active
> Directory) it's the FIRST Admin account on the FIRST box in the Domain (PDC)
> or the first Admin account on the first DC you promote to an AD DC. I've
> attached an image of what this looks like in AD, and you can look for a
> description of "Built-in account for administering the computer/domain".
> Once you've identified this account, if you don't know what the password is,
> you can use a mildly expensive tool to boot to a CD, mount your NTFS
> partition, and reset the appropriate registry key:
> This tool will also let you list the accounts (in case you renamed it an/or
> don't know what it is called).
> Hope that helps - and if you're really in a pinch, let me know and I can help
> you with the ERD disc...
> Rob Neary
> Medical School Information Systems
> University of Michigan
> [log in to unmask]