I have seen many security people who say that 5 is the best and they want 5, including my internal security people. However, the purpose behind the lockout threshold is to stop people from trying to hack an account with guesses or brute force. If you lock out at, say, 25 and stay locked for an hour, that means someone gets 600 guesses a day. Unless you have a most pathetic policy for password size and frequency of change, that shouldn't be enough for people to crack you. If someone feels it is enough, they need to up the required password size and possibly the frequency of change. Also consider turning on complexity rules.

The problems with 5 or less are many. It assumes that the only authentication attempts are direct logon attempts by a real human. This isn't the case, because even an interactive logon will in many cases cause multiple attempts with different security providers. Also, some clients like Win9x can send up to 3 bads per single attempt. You also have the cases where you could unsuspend a machine that has 5 or 6 network connections that it tries to reconnect, and the password has changed, and wham, account locked right away as they all try to reconnect. Finally you get viruses like MUMU that will slam local admin accounts, because it will try to guess like 10-15 or more passwords against every admin ID on a box, thereby locking them all out if it doesn't get in.

The lower the threshold and the longer the lockout period, the more help desk calls you get. Alternatively, if you start really raising the threshold and lowering the period, you should be looking at what methods you have for tracking bad attempts and do event correlation.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Wednesday, October 15, 2003 5:59 AM
To: [EMAIL PROTECTED]

One of these days I'll learn how to proofread for coherency. I just read what I sent, doesn't make much sense.

Windows 2K Domain, majority of clients is Windows 2K. Attempts is set <= 5 (for obvious reasons I don't want to say the exact #).

Joe: I thought best practices were to have it set to less than 5? At least that's what I remember hearing from our auditors. I'll give anything a try to keep this from happening though; it just takes it happening to your boss one time before you have to dedicate a whole day on attempting to fix it.

Next time I hear it reported I'll use EventCombMT to get more forensic data. I know I did it once before, and was discouraged quickly by my findings.

I'll post more when I get a call (probably later today). Thanks for all the suggestions so far!
Thanks,
Raymond
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba

They are very probably XP clients. They very likely have the "fast user switch" option enabled on the XP, and Raymond has probably set his lockout threshold somewhere <= 5. I wager that this is the problem, barring the obvious multiple wrong passwords of course.

I know there is a Q article regarding this somewhere on support.microsoft.com. Good luck.
Sincerely,
From: Joe

How low is your policy set? If it is 10 or less, reconsider. Think about what the lockout policy is in place to avoid and what a good logical number is to use to accomplish that goal. Are your machines all W2K+ or what are they? Do you have logging enabled on your DC's, and have you chased the event log entries to see how the requests are coming in (i.e. very quickly or spread out or ?).

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Tuesday, October 14, 2003 7:40 PM
To: [EMAIL PROTECTED]

Hello All,

We recently implemented the Require Strong Passwords on our WIN2K and it seems that some users get locked out after entering an incorrect password only one time. (I assure you that I allow more than one mistake; I too am human.) This was happening before the change, but I am seeing it more now (harder passwords = more mistakes). The only thing I can think of is that we have multiple remote DCs in a bridged WAN environment, so when someone logs on, it hits a couple of them at the same time and they all count it as an invalid try. That's my theory anyways, I'm open for suggestions.

Thanks,
Raymond

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
