RE: [ActiveDir] Factory monitoring pcs - preventing Account lockout

2004-06-04 Thread Rob Preston
Thanks for the reply. We're not open to changing our default domain policy, which is why I posted the question here. Is it possible, through for example a loopback policy, to allow a subset of PCs to utilize user IDs that do not lock?

Perhaps that's a better summary ;) 

Thanks,
-Rob

RE: [ActiveDir] Factory monitoring pcs - preventing Account lockout

2004-06-04 Thread Passo, Larry
The account policies for password complexity, age, and lockout for domain accounts can only be applied at the root of a domain and can not be changed at an OU level. If you think about it, you log into a domain, not an OU.

What tends to confuse people is that you have the option of setting those settings in any GPO, even GPOs that are linked to an OU. If those settings are set in a GPO that is linked to an OU, what they will control is local accounts that are created in computers that are within the scope of those OUs.

Is it possible for your applications to execute with a local account instead of a domain account? If so then you could disable account lockout for those local accounts. If your application needs to access network resources, that would lead to other complications. You could try duplicated user accounts and passwords at both ends (workgroup connectivity).
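Larry's point is that the lockout threshold a domain account is subject to is the one set at the domain root, while an OU-linked GPO only changes the policy for local accounts on the machines in that OU. The PowerShell below is an added example, not code from the thread or from any of its participants: it reads both policies (the domain one from Active Directory, the local one from the workstation's own security policy) so an administrator can see which threshold actually governs each kind of account, and then checks whether a named monitoring account is currently locked out so that a station losing its session does not go unnoticed. It assumes the ActiveDirectory PowerShell module is installed on the machine it runs on, and the account name is a placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# $account is a placeholder sAMAccountName for a factory-floor monitoring login.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$account = 'FACTORY-MONITOR-01'   # placeholder, not an account from the thread

# Domain accounts: the effective lockout policy is the one linked at the domain root.
$domPol = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Domain '{0}': lockout threshold={1}, duration={2}, observation window={3}" -f $domain, $domPol.LockoutThreshold, $domPol.LockoutDuration, $domPol.LockoutObservationWindow

# Local accounts on this workstation: 'net accounts' without /domain reports the
# local security policy, which is the setting an OU-linked GPO can change.
$localThreshold = (net accounts | Select-String 'Lockout threshold').Line
"Local machine: $localThreshold"

# Detection: is the monitoring account locked out right now, and how did it get there?
$u = Get-ADUser -Identity $account -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt
if ($u.LockedOut) {
    Write-Warning ("{0} is locked out (bad logon count={1}, last bad attempt={2})" -f $account, $u.BadLogonCount, $u.LastBadPasswordAttempt)
} else {
    "$account is not locked out"
}
```

Run it on a domain-joined workstation as an account that can read AD: the first two lines of output make Larry's distinction concrete (the domain threshold is what the auto-login domain account sees; the local line is what a per-OU GPO would affect), and the final check is the kind of thing worth scheduling so that a locked monitoring account is noticed before someone on the floor reports a dead screen.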
RE: [ActiveDir] Factory monitoring pcs - preventing Account lockout

2004-06-03 Thread Mulnick, Al



Account lockout is a security measure intended to protect against brute force attacks. The fewer attempts allowed before lockout, the harder it is to actually brute force an account over the network. Too low, and you risk business interruption. Too high, and you increase your attack surface (marketecture phrases being used today :)

Can you do it? Of course. Would it help? Probably. No guarantee but it increases your buffer.

My thoughts are that if it's important enough to warrant special attention and changing the domain policies, then it's important enough to warrant its own domain for the factory floor. That would allow you to keep anyone from being able to muck with the accounts in any way (obviously admins from all domains could), and offers more protection for you. Also allows more flexibility for the account policies and insulation from the regular user domain outages and maintenance.

al



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Preston
Sent: Thursday, June 03, 2004 4:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Factory monitoring pcs - preventing Account lockout

I have a problem that I'm sure the brainpower on this list can help. We're about to refresh the hardware and upgrade from win2k to XP using an automated build process. Vendor will swap out hardware, RIS a new image down, and SMS will take over to install all the applications needed.

These PCs auto-login with a user ID and launch a factory-floor monitoring application. We have several factories to deal with, and currently we maintain hundreds of IDs to provide this functionality. By having all these accounts we limit the risk of an account being locked out (has happened before) and preventing crucial monitoring stations from working. The applications are read-only to network resources and are in a very locked down environment.

The PCs reside on a Win2k SP4 domain, and the current domain policy locks after x attempts, and resets after xxx minutes. What we would like to do is use two accounts at each factory, but to prevent locking all the PCs at each location, we would need to relax the domain policy of lockouts after xx attempts. Having a smaller number of accounts to manage makes the deployment system much simpler to accomplish.

Is this in the realm of possibility without needing to purchase new hardware (for example to create a child domain)?

I'm sure these questions may spark some concerns - and I'm interested in this feedback as well.

Thanks all!

Rob Preston