Password Settings Objects (PSOs) were introduced as of DFL/FFL Windows Server 2008. This allows you to control the users involved in a very granular manner.
I have never used the particular product you mention, but a number of companies produce GINA/Custom Policy generation replacements. I can only recommend that you test each carefully. They modify a system-level component on your domain controllers, and should it break, you can't sign in.

From: [email protected] On Behalf Of Eric Wittersheim
Sent: Tuesday, September 24, 2013 5:10 PM
To: [email protected]
Subject: Re: [NTSysADM] PCI compliance and account lockout policies

Thanks Ed and Michael. Have either of you heard of something that locks out the user per server or per OU instead of the whole domain? I know that probably isn't possible, but I needed to ask.

Michael, our auditor is not a big fan of the complex password requirements that are built into AD. He is in favor of something more robust that can block dictionary words etc. Has anyone used a third-party app like SpecOps Password Policy (http://www.specopssoft.com/products/specops-password-policy)? It looks like a nice product.

On Tue, Sep 24, 2013 at 4:00 PM, Michael B. Smith <[email protected]> wrote:

Microsoft no longer recommends using account lockout policies, instead requiring complex passwords.

From: [email protected] On Behalf Of Ziots, Edward
Sent: Tuesday, September 24, 2013 2:43 PM
To: [email protected]
Subject: RE: [NTSysADM] PCI compliance and account lockout policies

Actually answered my own question: PCI DSS 2.0 documents.

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.

(So asking for 3 attempts and 30 mins, albeit a little stringent, is more than what the specification is asking, which is no more than six attempts.)

But also note the following:

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
* Something you know, such as a password or passphrase
* Something you have, such as a token device or smart card
* Something you are, such as a biometric

So, without assuming anything, do those who would have access to the PCI environment have the following:
1) Unique IDs
2) Two-factor authentication

Note this does not take into account any service accounts that might be used.

HTH
Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you.

From: [email protected] On Behalf Of Ziots, Edward
Sent: Tuesday, September 24, 2013 1:52 PM
To: [email protected]
Subject: RE: [NTSysADM] PCI compliance and account lockout policies

My question is which section in PCI explicitly states you need to use account lockout for compliance aspect. You are right, there is a legitimate risk of having your accounts locked out, causing a DOS, but also the DOS itself would be pretty noisy and you should be able to detect that in your incident response measures.

Also, if you are using long and complex passwords, it's going to be pretty hard to brute-force guess the password. (Now if they get the hash to the account then that is another story.)

Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] On Behalf Of Eric Wittersheim
Sent: Tuesday, September 24, 2013 1:20 PM
To: [email protected]
Subject: [NTSysADM] PCI compliance and account lockout policies

I'm wondering what you all are using for your account lockout policy if you are PCI compliant or something similar. Our auditors are requesting account lockout after 3 attempts for a minimum duration of 30 minutes. Our concern is what happens if we are brute forced and all of our users are locked out. We already have very strict firewall policies in place and our network is segmented as well, but you never know. Do any of you use any tools that might help mitigate damage that can occur with a lockout policy in place?

Thank you,
Eric
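Eric's per-OU question and the PSO reply at the top of the thread, as an added example that is not code from anyone in the thread: a PowerShell Password Settings Object that applies the PCI DSS 8.5.13 limit (lock after no more than six attempts, 30-minute window and duration) to one global security group instead of the whole domain. The PSO name 'PCI-CDE-Lockout', the group 'PCI-CDE-Users' and the other password values are assumptions; PSOs attach to users and global security groups, not to OUs or servers, so the cardholder-environment accounts go into a group first. Requires the RSAT ActiveDirectory module and 2008 domain functional level.

```powershell
# Added example (not from the thread): scope a lockout policy to one group via a PSO.
Import-Module ActiveDirectory -ErrorAction Stop

$psoName = 'PCI-CDE-Lockout'   # assumed name
$group   = 'PCI-CDE-Users'     # assumed global security group holding the in-scope accounts

# Splatted so each setting can carry a comment (a trailing backtick cannot).
$settings = @{
    Name                            = $psoName
    Precedence                      = 10          # lowest value wins if several PSOs apply to one user
    LockoutThreshold                = 6           # PCI DSS 8.5.13: lock after not more than six attempts
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30   # the 30 minutes the auditor asked for
    ComplexityEnabled               = $true
    MinPasswordLength               = 12          # assumed value
    PasswordHistoryCount            = 24          # assumed value
    MaxPasswordAge                  = New-TimeSpan -Days 90
    MinPasswordAge                  = New-TimeSpan -Days 1
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Lockout policy for cardholder-environment accounts (PCI DSS 8.5.13)'
}

# Create the PSO only once, then bind it to the group (not to an OU).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify what each member actually gets: the resultant policy is the one AD enforces.
# A null result means the user still falls under the Default Domain Policy.
Get-ADGroupMember -Identity $group | ForEach-Object {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User             = $_.SamAccountName
        PSO              = $rsop.Name
        LockoutThreshold = $rsop.LockoutThreshold
    }
} | Format-Table -AutoSize
```

Users who log on through every server still share one account, so a PSO narrows which users get the lockout rule, not which server triggers it.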
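Edward's point that a lockout DoS would be noisy enough to detect, as an added example that is not code from the thread: a PowerShell check over Security event 4740 (account locked out) on the PDC emulator, which records every lockout in the domain, flagging a burst of lockouts or a single source that locks many accounts. The thresholds and the field names pulled from the event XML are assumptions to adjust for your environment; assumes PowerShell 3.0 or later and the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread): spot a lockout storm rather than ordinary typos.
param(
    [int]$WindowMinutes     = 15,   # assumed: look back this far
    [int]$AccountsPerWindow = 10,   # assumed: this many distinct accounts locked = suspicious
    [int]$AccountsPerSource = 3     # assumed: one caller locking this many accounts = suspicious
)
Import-Module ActiveDirectory -ErrorAction Stop

$pdc   = (Get-ADDomain).PDCEmulator          # all lockouts are replicated here as event 4740
$since = (Get-Date).AddMinutes(-$WindowMinutes)

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue              # no events in the window is not an error

# Read fields by name from the event XML; in 4740 TargetDomainName carries the
# caller computer name, i.e. the machine the failed attempts came from.
$lockouts = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
}

# Rule 1: too many different accounts locked in the window (broad spray / DoS).
$distinct = ($lockouts | Select-Object -ExpandProperty Account -Unique).Count
if ($distinct -ge $AccountsPerWindow) {
    Write-Warning "$distinct accounts locked in the last $WindowMinutes min: possible lockout DoS"
}

# Rule 2: one caller computer locking several accounts (a single noisy source).
$lockouts | Group-Object Source | Where-Object Count -ge $AccountsPerSource | ForEach-Object {
    $accts = ($_.Group.Account | Select-Object -Unique) -join ', '
    Write-Warning "Source '$($_.Name)' locked $($_.Count) accounts: $accts"
}

# Always show the raw list so an analyst can judge the quiet cases too.
$lockouts | Sort-Object Time | Format-Table Time, Account, Source -AutoSize
```

Schedule it every few minutes on the PDC emulator, or feed the same 4740 fields into whatever SIEM correlates your failed-logon (4625/4771) events, so the DOS Edward describes shows up before users start calling the helpdesk.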

