Friday, December 18, 2020

How to Find the Source of Account Lockouts in an Active Directory Domain?

Account Lockout Event ID 4740

First of all, an administrator has to find out from which computer or server the bad password attempts that lead to the account lockout are coming.

If the domain controller closest to the user determines that the user is trying to log in with invalid credentials, it redirects the authentication request to the DC holding the PDC emulator FSMO role (this DC is responsible for processing account lockouts). If authentication also fails on the PDC emulator, it responds to the first DC that authentication is not possible. If the number of unsuccessful authentications exceeds the value set for the domain in the Account lockout threshold policy, the user account is temporarily locked.

In this case, an event with EventID 4740 is recorded in the Security log of both domain controllers. The event contains the DNS name (or IP address) of the computer from which the original authentication request came. To avoid analyzing the logs on every DC, it is easiest to look for the lockout events in the Security log of the PDC emulator. You can find the PDC emulator in your domain as follows:

(Get-AdDomain).PDCEmulator

The domain account lockout events can be found in the Security log on the domain controller (Event Viewer -> Windows Logs). Filter the Security log by EventID 4740. You should see a list of the latest account lockout events. Starting from the topmost, scroll through the events and find the one for the account of the user you are looking for (the username is listed in the Account Name field and the event description reads “A user account was locked out”).

Note. In a large AD environment, many events are written to the Security log on the domain controllers, and older entries are gradually overwritten by newer ones. Therefore, it is advisable to increase the maximum log size on the DCs and to start searching for the lockout source as soon as possible.

Active Directory Account Domain Controller Lockout Event ID 4740

Open this event. The name of the computer (server) from which the lockout was triggered is shown in the Caller Computer Name field. In this case the computer name is TS01.
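The same lookup done from PowerShell, as an added example that is not part of the original post: it finds the PDC emulator, filters its Security log for 4740 events of one account, and reads the Caller Computer Name from the event data. The parameter names and the requirement for the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original post: query the PDC emulator's Security
# log for 4740 lockout events of one account and print the Caller Computer Name.
# Assumes the RSAT ActiveDirectory module, network access to the PDC's event log
# (RPC), and an account with the right to read the remote Security log.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # logon name of the locked user
    [int]$MaxEvents = 20
)

Import-Module ActiveDirectory

# Lockouts are always processed by the PDC emulator, so only its log is needed.
$pdc = (Get-ADDomain).PDCEmulator

# Filter server-side on the event ID and the locked account instead of pulling
# every Security event across the wire and filtering afterwards.
$xpath = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

Get-WinEvent -ComputerName $pdc -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than parsing
        # the free-text message, which is localized and may change between builds.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        # In event 4740 the field displayed as "Caller Computer Name" in Event
        # Viewer is stored under the XML name TargetDomainName.
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            ReportedBy     = $_.MachineName
        }
    } |
    Format-Table -AutoSize
```

If no matching events exist, Get-WinEvent reports "No events were found", which usually means the lockout happened before the oldest entry still in the log.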


Ref: http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/


Friday, October 2, 2020

Cisco ASA ASDM Configuration

ASA1(config)# show disk0:
--#--  --length--  -----date/time------  path
   10  8192        Dec 02 2014 19:09:34  log
   18  8192        Dec 02 2014 19:09:44  crypto_archive
  106  25088760    Aug 04 2014 13:59:20  asdm-731.bin
   19  8192        Dec 02 2014 19:10:00  coredumpinfo
   20  59          Dec 02 2014 19:10:00  coredumpinfo/coredump.cfg
  109  27113472    Aug 25 2014 13:10:56  asa915-k8.bin
  112  31522773    Aug 09 2014 15:01:52  anyconnect-win-3.1.03103-k9.pkg
  113  9993060     Aug 09 2014 15:06:50  anyconnect-linux-3.1.03103-k9.pkg
  114  11293375    Aug 09 2014 15:08:34  anyconnect-macosx-i386-3.1.03103-k9.pkg

255426560 bytes total (149430272 bytes free)

If you don’t have an ASDM image on the flash, copy it there before you continue. Our next step is to tell the ASA which ASDM image we want to use:

ASA1(config)# asdm image disk0:/asdm-731.bin

ASDM requires the HTTP server, which is disabled by default, so let’s enable it:

ASA1(config)# http server enable

Instead of giving everyone access to the HTTP server, we specify which network and interface are permitted to use it:

ASA1(config)# http 192.168.1.0 255.255.255.0 INSIDE

This only allows the 192.168.1.0/24 network on the inside interface to reach the HTTP server. It might be an even better idea to allow only the one or two IP addresses you use for management instead of an entire network.

Let’s continue and make a user account:

ASA1(config)# username ADMIN password PASSWORD privilege 15

That’s all we have to do on the ASA. Now you can open a web browser on your computer; I’ll be using Windows 7 and Internet Explorer for this. Open the following URL:

https://192.168.1.254

You will see the following screen:

Cisco ASA ASDM HTTPS Error

The ASA uses a self-signed certificate, which is why you see the error above. Just click on Continue to this website and you will see the following screen:

Thursday, January 2, 2020

SSH Putty "Server's host key did not match the signature supplied"

Add the following to your global config and test again:

crypto key generate rsa modulus 2048 label test_key
ip ssh rsa keypair-name test_key

Ref: https://community.cisco.com/t5/network-management/ssh-putty-quot-server-s-host-key-did-not-match-the-signature/td-p/2243223