Our Microsoft guys onsite this week for an AD evaluation said the exact same thing about lockouts - "all you are really guaranteeing is a DoS and not adding any protection if you have sufficient password complexity, history, etc"
Dave

From: Andrew S. Baker [mailto:[email protected]]
Sent: Thursday, June 14, 2012 6:52 AM
To: NT System Admin Issues
Subject: Re: What is your take on this (built-in admin password and account lockout)

Account lockouts are an interesting thing... :)

You can create a self-inflicted DoS on your environment with them. Or, you can give people unlimited attempts to attack your passwords remotely.

I opt for password lockouts of limited duration (5 or 10 minutes), which are good enough to interfere with automated attacks and discourage manual brute-force attacks.

And, no, you should not be using the local administrator account. :) Setting the password to blank is actually a good idea, as it is easier to some of the other ways that you could manipulate that account.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Jun 14, 2012 at 9:05 AM, Christopher Bodnar <[email protected]> wrote:

One of our VPs just ran across this article and is asking for my input:

http://technet.microsoft.com/en-us/library/cc512606.aspx

Which seems to be recommending two things:

- Leave the built-in administrator password blank
- There is no need for account lockout to be enabled

I disagree with both assumptions. I also find it odd that this is a MS recommendation. I'd like to hear others' thoughts on these comments.

Thanks,

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
