Account lockout is a common DoS measure: if you can't crack the password, you can definitely cause a DoS of many accounts on a password cracking attempt.

A more effective attack is to break into one system, dump the local system hashes, use Ophcrack to get those passwords, and then try those accounts against other systems, escalate privilege and move up the food chain to owning the network.

Z

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 23, 2007 11:00 PM
To: NT System Admin Issues
Subject: RE: Audit recommendation

_______________________________________
From: Ben Scott [EMAIL PROTECTED]
Subject: Re: Audit recommendation

On Dec 22, 2007 7:26 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > Fast brute force can be simply defeated by having long and/or
> > complex passwords and/or account lockout ...
>
> Brute force attacks can be effective against even long passwords,

Really? How long do you think it would take you to brute force a 15 character, complex, password, over FTP? Even at 1000 login attempts per second, you'd be spending many hundreds of years.

> and the problem with account lockout is that it also locks out the
> legitimate users. So your objections have issues, too.

Which is why I suggested a 1 minute lockout every 100 consecutive failed login attempts. Most legitimate users either (a) can get this password correct within 100 guesses -or- (b) give up and call the Helpdesk before that point in time. And even if they do manage to lock out their account, it's only for 1 minute, which usually isn't an issue for a legitimate user.

> > I'd rather Microsoft concentrate on other, new, functionality that we need ...
>
> Given that this isn't exactly rocket science to implement (maybe a
> few dozen lines of code in C), and Microsoft isn't exactly hurting for
> engineering budget, I think it's reasonable to ask for both.

Total effort is more than writing a few lines of code (someone has to do the documentation, it needs to work with other APIs, ISVs would need to be notified, SDKs/documentation would need to be updated, regression tests and threat models written and tested, etc.). I still don't see the benefit of this technology. So, I'd rather we had more useful stuff.

Cheers
Ken

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
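As an added example (not from the thread, and not anyone's product code): a small Python model of the policy Ken proposes, a 1-minute lockout after 100 consecutive failed logins, showing the legitimate-user case, the lockout-as-DoS effect Z raises (a correct password is still rejected inside the window), the effective guess rate the policy leaves a single-account brute-forcer, and the keyspace arithmetic behind the 15-character figure. The 94-character printable-ASCII alphabet, the 1000 guesses/second rate and all class and function names are assumptions.

```python
# Constructed model of a "100 consecutive failures -> 1 minute lockout" policy.
# Names, the 94-char alphabet and the 1000 guess/s rate are assumptions.
LOCKOUT_THRESHOLD = 100      # consecutive failures before lockout (from the thread)
LOCKOUT_SECONDS = 60         # length of the lockout (from the thread)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

class LockoutPolicy:
    """Tracks consecutive failures per account and enforces a timed lockout."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}       # account -> consecutive failure count
        self.locked_until = {}   # account -> time (seconds) the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt at time `now`."""
        if now < self.locked_until.get(account, 0.0):
            return "locked"      # rejected without looking at the password
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            # Threshold reached: lock the account and restart the counter.
            self.locked_until[account] = now + self.duration
            self.failures[account] = 0
        return "fail"

def effective_guess_rate(raw_rate, threshold=LOCKOUT_THRESHOLD,
                         duration=LOCKOUT_SECONDS):
    """Guesses/second an attacker gets against ONE account under the policy:
    `threshold` free guesses, then a forced wait of `duration` seconds."""
    burst_time = threshold / raw_rate
    return threshold / (burst_time + duration)

def brute_force_years(length, charset_size, guesses_per_second):
    """Worst-case years to exhaust every password of `length` characters
    drawn from `charset_size` symbols at a fixed guess rate."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Without any lockout, 1000 guesses/s against 15 printable-ASCII chars:
    print(f"{brute_force_years(15, 94, 1000):.3g} years")
    # With the policy, the same attacker is throttled to about 1.66 guesses/s:
    print(f"{effective_guess_rate(1000):.2f} guesses/s")
```

`attempt()` deliberately rejects a correct password while the lock is active, which is exactly the side effect the thread argues over.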
