Re: account locking after 3 unsuccessful login attempts
account by a brute-force attack. Your help desk will have much work to do by
unlocking many accounts.
Isn't that a security issue?
Not at all. A security issue would be if you let the brute-force attacker
successfully guess the password on one of those accounts through repeated
attempts. Then they can use that for privilege escalation attacks etc.
What you are describing can be a management nightmare, not a security issue.
If you are so concerned about such DoS (denial of service) attacks against
your domain accounts, maybe you should consider separate accounts in AD for
Exchange users - they will log onto the network using one account, and log
onto Exchange with another account.
Also keep in mind that you can configure your security policies to
automatically re-enable locked accounts after a certain period of time of
your choice.
Last but not least you can create a self-service portal/web site where users
can reset their passwords or re-enable their accounts themselves. There are
many products out there that can assist with this and take care of the
"identity confirmation" part as well.
Virgil
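
The automatic re-enable setting mentioned in the reply above, as an added example that is not part of the original post: a PowerShell check of the default domain lockout policy using the ActiveDirectory module. The 3-attempt threshold comes from the thread subject; the 30-minute duration and observation window are assumed values chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and a domain account
# with rights to read the policy. Fine-grained password policies, if any are
# defined, override these domain defaults for the users they apply to.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# LockoutThreshold = 0 -> accounts never lock out.
# LockoutDuration  = 0 -> a locked account stays locked until an admin unlocks it
#                         (the help-desk workload described in the thread).
$autoUnlock = ($policy.LockoutThreshold -gt 0) -and
              ($policy.LockoutDuration -gt [TimeSpan]::Zero)

[pscustomobject]@{
    Threshold         = $policy.LockoutThreshold
    ObservationWindow = $policy.LockoutObservationWindow
    Duration          = $policy.LockoutDuration
    AutoUnlock        = $autoUnlock
} | Format-List

# Rough ceiling on failed logons one account can absorb per day when it
# unlocks automatically: "Threshold" attempts per lockout period.
if ($autoUnlock) {
    $perDay = [math]::Floor(
        $policy.LockoutThreshold * (1440 / $policy.LockoutDuration.TotalMinutes))
    "Approximate ceiling: $perDay failed logons per account per day"
}

# Accounts that are locked right now (what the help desk would otherwise handle).
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate

# Preview a policy with automatic unlock. -WhatIf reports the change without
# applying it. LockoutDuration must be >= LockoutObservationWindow.
# The 30-minute values are assumptions, not taken from the thread.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -LockoutThreshold 3 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -WhatIf
```

Remove -WhatIf only after confirming the reported change is the one intended.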