Thanks, Ed and Michael. Have either of you heard of something that locks out the user per server or per OU instead of the whole domain? I know that probably isn't possible, but I needed to ask. Michael, our auditor is not a big fan of the complex password requirements that are built into AD. He is in favor of something more robust that can block dictionary words, etc. Has anyone used a third-party app like SpecOps Password Policy (http://www.specopssoft.com/products/specops-password-policy)? It looks like a nice product.
On Tue, Sep 24, 2013 at 4:00 PM, Michael B. Smith <[email protected]> wrote:

> Microsoft no longer recommends using account lockout policies, instead
> requiring complex passwords.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ziots, Edward
> *Sent:* Tuesday, September 24, 2013 2:43 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] PCI compliance and account lockout policies
>
> Actually answered my own question: PCI DSS 2.0 documents.
>
> *8.5.13* Limit repeated access attempts by locking out the user ID after
> not more than six attempts. (So asking for 3 attempts and 30 mins, albeit a
> little stringent, is more than what the specification is asking, which is
> no more than six attempts.)
>
> *But also note the following:*
>
> *8.2* In addition to assigning a unique ID, employ at least one of the
> following methods to authenticate all users:
> § Something you know, such as a password or passphrase
> § Something you have, such as a token device or smart card
> § Something you are, such as a biometric
>
> *So, without assuming anything, do those who would have access to the PCI
> environment have the following:*
>
> *1)* Unique IDs
> *2)* Two-factor authentication.
>
> Note this does not take into account any service accounts that might be used.
>
> HTH
>
> Z
>
> Edward E. Ziots, CISSP, CISA, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
> Work: 401-255-2497
>
> This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this
> message, but are not the intended recipient, nor an employee or agent
> responsible for delivering this message to the intended recipient, you are
> hereby notified that you are strictly prohibited from copying, printing,
> forwarding or otherwise disseminating this communication. If you have
> received this communication in error, please immediately notify the sender
> by replying to the message. Then, delete the message from your computer.
> Thank you.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ziots, Edward
> *Sent:* Tuesday, September 24, 2013 1:52 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] PCI compliance and account lockout policies
>
> My question is which section in PCI explicitly states you need to use
> account lockout for the compliance aspect. You are right, there is a legitimate
> risk of having your accounts locked out, causing a DoS, but also the DoS
> itself would be pretty noisy and you should be able to detect that in your
> incident response measures.
>
> Also, if you are using long and complex passwords, it's going to be pretty
> hard to brute-force guess the password. (Now if they get the hash to the
> account then that is another story.)
>
> Z
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Eric Wittersheim
> *Sent:* Tuesday, September 24, 2013 1:20 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] PCI compliance and account lockout policies
>
> I'm wondering what you all are using for your account lockout policy if
> you are PCI compliant or something similar. Our auditors are requesting
> account lockout after 3 attempts for a minimum duration of 30
> minutes. Our concern is what happens if we are brute forced and all of our
> users are locked out. We already have very strict firewall policies in
> place and our network is segmented as well, but you never know. Do any of
> you use any tools that might help mitigate damage that can occur with a
> lockout policy in place?
>
> Thank you,
>
> Eric
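Ed's point that a lockout-driven DoS should be noisy, and Eric's question about tooling to limit the damage, as an added example that is not from anyone on the thread: a PowerShell check that pulls account-lockout events (ID 4740) from the PDC emulator for the last 30 minutes and flags any single source machine that has locked out many distinct accounts, which is the brute-force pattern rather than one user mistyping. It assumes the RSAT ActiveDirectory module and read access to the PDC emulator's Security log; the window and threshold values are illustrative.

```powershell
# Added example: spot a lockout storm on the PDC emulator, where 4740 events converge.
# Assumes the ActiveDirectory module and rights to read the PDC emulator's Security log.
# $WindowMinutes and $StormThreshold are illustrative values, not anything from the thread.
param(
    [int]$WindowMinutes  = 30,   # look-back window; matches the 30-minute lockout duration discussed
    [int]$StormThreshold = 5     # distinct accounts locked out from one source before we alert
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740             # "A user account was locked out"
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
}

# Get-WinEvent errors when nothing matches; treat that as "no lockouts in the window".
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        # In 4740 the TargetDomainName field carries the "Caller Computer Name".
        Source  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
}

# One source locking out many different accounts is the DoS signature, not a forgotten password.
$storms = $lockouts |
    Group-Object Source |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -ge $StormThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Source       = $_.Name
            Accounts     = ($_.Group.Account | Sort-Object -Unique).Count
            FirstLockout = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastLockout  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }

if ($storms) {
    Write-Warning "Possible lockout storm in the last $WindowMinutes minutes:"
    $storms | Format-Table -AutoSize
} else {
    "No source locked out $StormThreshold or more accounts in the last $WindowMinutes minutes."
}
```

Run it on a schedule or from a monitoring job; a hit gives you the source machine to isolate while the 30-minute lockouts expire, which is the detection Ed expects the incident response process to provide.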

