Brian Steele wrote:
> 
> >This is not a security bug... this is by design... else an attacker could
> >simply go through every account and type in 4 or 6 wrong passwords and you
> >probably wouldn't be able to log on to your NT systems even if you had the
> >right password.
> 
> IMO, this is one thing that I DON'T like about NT.  You're basically
> substituting one security problem for another.  By NOT allowing the
> Administrator account to be locked out, an NT box is open to a brute-force
> password attack against that account.  Of course many admins get around this
> problem by simply disabling the Administrator account and using another
> account for administration tasks.

Or, simply change Administrator's logon rights so the account can only
log on from the console. This leaves the account active in case you need
to get in for an emergency, but keeps people from beating on it over the
network. 

You can then use a combination of NTLast (http://www.ntobjectives.com/)
and Blat (http://www.developtech.co.uk/docs/blat.htm) running as AT
processes to notify you if someone tickles the account. 

Works well for me, ;)

Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
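
The monitoring idea in the message above, sketched as an added example; it is not part of the original post and is not NTLast or Blat code. It assumes Security log rows exported to a CSV layout constructed here, with NT event 529 (bad password), event 534 (requested logon type not granted) and logon type 3 (network); the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column layout is an assumption, not NTLast output.
SAMPLE = """time,event_id,account,logon_type,source
1999-03-02 01:14:07,529,Administrator,3,WKS-17
1999-03-02 01:14:09,529,Administrator,3,WKS-17
1999-03-02 01:14:12,529,administrator,3,WKS-17
1999-03-02 08:02:44,529,jsmith,2,SRV-01
1999-03-02 09:30:00,528,Administrator,2,SRV-01
1999-03-02 11:45:31,534,Administrator,3,WKS-04
"""

BAD_PASSWORD = "529"   # unknown user name or bad password
RIGHT_DENIED = "534"   # account not granted the requested logon type
NETWORK = "3"          # logon type 3 = over the network


def summarize(text, account="Administrator"):
    """Count failed network logons for one account, grouped by source machine."""
    hits = defaultdict(lambda: {"guesses": 0, "denied": 0})
    for row in csv.DictReader(io.StringIO(text)):
        # NT account names are case-insensitive, so compare lowercased.
        if row["account"].lower() != account.lower():
            continue
        if row["logon_type"] != NETWORK:
            continue  # console logons are the intended use of the account
        if row["event_id"] == BAD_PASSWORD:
            hits[row["source"]]["guesses"] += 1
        elif row["event_id"] == RIGHT_DENIED:
            hits[row["source"]]["denied"] += 1
    return dict(hits)


def alert_lines(summary):
    """Build the lines a scheduled job would hand to a mailer."""
    lines = []
    for source, counts in sorted(summary.items()):
        if counts["denied"]:
            # Refused by the logon right rather than for a bad password.
            lines.append(f"URGENT {source}: {counts['denied']} network logon(s) "
                         "refused by logon right; check whether the password is known")
        if counts["guesses"]:
            lines.append(f"WARN {source}: {counts['guesses']} bad-password attempts")
    return lines


if __name__ == "__main__":
    print("\n".join(alert_lines(summarize(SAMPLE))))
```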