> From: Brian Steele [mailto:[EMAIL PROTECTED]]
> 
> >This is not a security bug... this is by design... else an attacker could
> >simply go through every account and type in 4 or 6 wrong passwords and you
> >probably wouldn't be able to log on to your NT systems even if you had the
> >right password.
> 
> IMO, this is one thing that I DON'T like about NT.  You're basically
> substituting one security problem for another.  By NOT allowing the
> Administrator account to be locked out, an NT box is open to a brute-force
> password attack against that account.  Of course many admins get around this
> problem by simply disabling the Administrator account and using another
> account for administration tasks.
> 
> VMS tackles this problem quite cleverly, I think.  Not only does it lock out
> accounts (including the SYSTEM account - except if the logon is taking place
> on the operator console), but it will lock out the remote device if many
> invalid login attempts start to originate from that device.

Which is why you can set up the Administrator account on NT to only allow
logins from the console (i.e. not over the network).  That way you have the
backup of being able to log in through the console if your admin accounts get
locked out.

John Wiltshire
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
