TG (Posts: 296) | 01/13/2010 7:50 PM
| Hi Joe, can you point me to those KB articles? I am not even sure what to bing for.
I have some weird stuff happening that may be explained by the one to many transformation.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x37892 | Fax 847.883.7892 tony dot gordon at hewitt dot tld | www.hewitt.com Please consider the environment before printing this e-mail.
From: joe <listmail@joeware.net> To: activedir@mail.activedir.org Date: 01/13/2010 11:32 AM Subject: RE: [ActiveDir] Poll - what account lockout settings are in use? Sent by: activedir-owner@mail.activedir.org
IMO, the idea for lockout is to prevent brute force hacking, not make it so people can't work if they can't remember their password right off or their PDA screws up during syncing. This is a common issue in many environments, the various security groups seem to like to dictate a policy that seems secure and intelligent on paper but doesn't really reflect what the real intent and reality is. You don't want your security policy to result in a DOS attack vector which it often seems to become. You could argue (some have including myself on occasion) that *any* lockout policy fits that description. I know of several companies right now that I could blow up major apps supporting hundreds of thousands of users by simply forcing a specific account to get locked out in their environments. That is silly exposure IMO.
Also from the reality standpoint: the way the auth system works in Windows, a single auth attempt at the keyboard can result in multiple backend attempts by the security providers. It is conceivable that you could lock out a user with a 5 bad count setting with a single bad attempt. In fact for a long time there were several key MSKBs about 3 backend attempts occurring for 1 keyboard attempt using all default MSFT software.
If you look at what I think this is truly intended to help with, brute force attacks or viruses, the application is going to send 50 bad attempts within seconds, then the account will lock out for 5 minutes. If this is a true brute force or virus issue, the account will remain locked for most of any given hour and at best the application will get 12*50 password attempts. That really isn't a lot and if a hacker can get past someone's password within just thousands of attempts then it is likely you need to better educate your users on passwords or start enforcing longer more complex passwords. Also, I would expect that you would be aware of these thousands of attempts coming in either from a pissed off user or your monitoring and do something about it from another angle.
If this is to prevent someone from manually guessing someone's password, 50 cracks at it every 5 minutes is better than 5 every 30 minutes but again, if someone's password can be guessed that easily, you have some other options you need to look into.
Over the years I have put in many DCRs to the auth folks at MSFT to help come up with better solutions in this space. Some examples are if the same password is coming in over and over again, it doesn't count against the bad password count and if the bad attempts are coming from a single source, that machine is blocked via ipsec from touching the server (because these attempts could go against DCs, Servers, or workstations right?) it is banging against until it stops for some period or there is admin intervention.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
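A model of the lockout counter the thread is arguing about, added here as an example and not code from anyone on the list: it simulates LockoutBadCount / ResetLockoutCount / LockoutDuration per account, bounds how many guesses an online attacker gets evaluated per hour (joe's 12*50 figure falls out of the 50-attempt / 5-minute case, and Neil's 50/30/30 can be compared against it), and shows how few keyboard attempts lock a user out when each one fans out into several backend attempts. The attempt timing, the counter-reset semantics and a duration of 0 meaning "locked until an administrator unlocks" are assumptions of the model, not something the thread states.

```python
import math
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int         # LockoutBadCount: bad attempts before the account locks (0 = never)
    reset_window_min: int  # ResetLockoutCount: quiet minutes after which the bad count clears
    duration_min: int      # LockoutDuration: minutes locked (assumed: 0 = until an admin unlocks)

@dataclass
class Account:  # per-account bad-password state, driven by backend authentication attempts
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad: float = -math.inf      # time (seconds) of the last bad password
    locked_until: float = -math.inf
    def attempt(self, t: float, correct: bool) -> str:
        if t < self.locked_until:
            return "rejected-locked"  # while locked the password is not even evaluated
        if t - self.last_bad >= self.policy.reset_window_min * 60:
            self.bad_count = 0        # observation window elapsed, counter clears
        if correct:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad = t
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.bad_count = 0
            self.locked_until = t + (self.policy.duration_min * 60 or math.inf)
            return "locked"
        return "bad"

def guesses_per_hour(policy: LockoutPolicy, guess_interval: float = 0.0) -> int:
    """Upper bound on guesses evaluated in one hour: guesses arrive guess_interval s apart, resuming when the lock expires."""
    if policy.threshold == 0:
        raise ValueError("policy never locks; only throughput limits the attacker")
    acct, t, evaluated = Account(policy), 0.0, 0
    while t < 3600:
        if acct.attempt(t, correct=False) == "rejected-locked":
            t = acct.locked_until     # sit out the lockout
        else:
            evaluated += 1
            t += guess_interval
    return evaluated

def keyboard_attempts_until_lock(policy: LockoutPolicy, backend_per_keyboard: int) -> int:
    """Wrong passwords a user can type before lockout when each keystroke fans out into backend_per_keyboard attempts."""
    acct, typed = Account(policy), 0
    while policy.threshold:
        typed += 1
        if any(acct.attempt(float(typed), False) == "locked" for _ in range(backend_per_keyboard)):
            return typed
    raise ValueError("policy never locks")
```

With a non-zero `guess_interval` the bound drops below joe's 12*50 because the attacker's own burst time eats into each unlock window, which is the "at best" qualification in his post.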
From: activedir-owner@mail.activedir.org [ mailto:activedir-owner@mail.activedir.org] On Behalf Of Castillo, Daniel (Directory Services) Sent: Wednesday, January 13, 2010 11:30 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Poll - what account lockout settings are in use?
I might be a little paranoid about this, but 50 logon attempts seems to be a little high to me, and then getting the account unlocked on its own in such a short time can make things worse. Just think about a virus or a hacker: we're pretty much giving him many opportunities to break down. I am much on the 5 wrong passwords max and then reach your helpdesk to get this fixed; of course you gotta look at facts like your provisioning system, schema security, nature of business and of course available resources. Just my two cents.
~D~
From: activedir-owner@mail.activedir.org [ mailto:activedir-owner@mail.activedir.org] On Behalf Of Ruston, Neil Sent: Wednesday, January 13, 2010 10:23 AM To: activedir@mail.activedir.org Subject: [ActiveDir] Poll - what account lockout settings are in use?
I'd like to hold a straw poll and ask for feedback regarding the values used for the following Account Lockout settings. Naturally, if this is deemed too sensitive to provide, I fully understand :) I have suggested: LockoutBadCount = 50, ResetLockoutCount = 30, LockoutDuration = 30. What have others implemented?
Many thanks, neil Neil Ruston CREDIT SUISSE +44 (0) 20 7883 3779 neil.ruston@credit-suisse.com