Re: No lockout policy... why not?
Microsoft asked and this was in the list, 0.02% wanted it built in, so it wasn't... ;-)

Also, Dave's comment hits the nail on the head: when I was at a large company, 30% of calls were cos users forgot their password, and it always happened the week of the password change policy... ;-) They changed it the day before, and you would be surprised how many forgot!
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uMvWZvCjHHA.492@xxxxxxxxxxxxxxxxxxxxxxx
In big organizations, lockout is a prime cause of help desk calls, so enterprises have a huge cost associated with it. That's the only valid reason I've ever heard for not using it, and IMO it doesn't really apply in small businesses. I've always had a lockout policy, and I only remember one lockout in the last probably 6-7 years.


"kj" <kj@xxxxxxxxxxx> wrote in message news:u0q7xnCjHHA.3472@xxxxxxxxxxxxxxxxxxxxxxx
Ian wrote:
Does anyone know why SBS 2003 comes with no bad-password lockout
policy by default?

I would have thought this was one of the most fundamental
good-security practices, especially for a system which is actually
designed for external access. Without this, I would have thought that
no matter how complex a password is, a 'bot can keep trying for days,
weeks, months until it hits the right password.

Yet, at the same time users are forced to set passwords of an insane
complexity level, which will cause no end of trouble for unskilled
small-business admins.

The two policies just don't add up.

I for one agree with you, and not only do I set one up custom for each client, I add a monitoring alert for locked accounts and a bad password threshold alert as well.

...just don't get too aggressive with the lockout thresholds, and be fairly liberal with the lockout period and the reset policy.


--
/kj
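The monitoring kj describes (a bad-password threshold alert that fires before the account actually locks, plus an alert on the lockout itself) can be sketched as a small log-processing script. This is an added example, not code from the thread or from Microsoft; it assumes a simplified, constructed `timestamp|event_id|account|source` line format rather than real Security log output, and uses the Windows Server 2003 era Security event IDs 529 (logon failure, bad password) and 644 (user account locked out), with 4625/4740 as their Vista/2008-and-later equivalents. The counter semantics mirror the domain policy: bad attempts accumulate until the "reset account lockout counter after" window has elapsed since the last bad attempt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (NOT real Windows Security log output): one account
# being hammered from a single source until it locks, and one user who simply
# mistypes a password a few times spread over an hour and a quarter.
SAMPLE_LOG = """\
2007-05-01 08:00:01|529|jsmith|192.0.2.10
2007-05-01 08:00:03|529|jsmith|192.0.2.10
2007-05-01 08:00:05|529|jsmith|192.0.2.10
2007-05-01 08:00:07|529|jsmith|192.0.2.10
2007-05-01 08:00:09|529|jsmith|192.0.2.10
2007-05-01 08:00:11|644|jsmith|192.0.2.10
2007-05-01 09:15:00|529|mjones|10.0.0.5
2007-05-01 09:45:00|529|mjones|10.0.0.5
2007-05-01 10:30:00|529|mjones|10.0.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\|(?P<eid>\d+)\|(?P<acct>[^|]+)\|(?P<src>\S+)$")

# 529/644 are the Windows 2003 Security log IDs; 4625/4740 the later ones.
BAD_PASSWORD_EVENTS = {529, 4625}
LOCKOUT_EVENTS = {644, 4740}


def parse_line(line):
    """Parse one constructed log line into (timestamp, event_id, account, source)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, int(m.group("eid")), m.group("acct"), m.group("src")


class LockoutMonitor:
    """Tracks bad-password counts per account the way the domain lockout
    counter does: the count resets once `reset_minutes` have passed since the
    last bad attempt. `warn_at` is the alert threshold; set it below the real
    lockout threshold so the admin hears about a guessing run before the user
    is locked out."""

    def __init__(self, warn_at=3, reset_minutes=30):
        self.warn_at = warn_at
        self.reset_after = timedelta(minutes=reset_minutes)
        self.state = {}   # account -> (bad attempt count, time of last bad attempt)
        self.alerts = []  # (kind, account, source, timestamp)

    def feed(self, ts, event_id, account, source):
        if event_id in LOCKOUT_EVENTS:
            # The lockout itself is always worth an alert; the counter is moot now.
            self.alerts.append(("LOCKED_OUT", account, source, ts))
            self.state.pop(account, None)
            return
        if event_id not in BAD_PASSWORD_EVENTS:
            return
        count, last = self.state.get(account, (0, None))
        if last is not None and ts - last > self.reset_after:
            count = 0  # reset window elapsed since the previous bad attempt
        count += 1
        self.state[account] = (count, ts)
        if count == self.warn_at:
            # Fire exactly once per run of attempts, when the warning level is reached.
            self.alerts.append(("BAD_PASSWORD_THRESHOLD", account, source, ts))


def run_monitor(log_text, warn_at=3, reset_minutes=30):
    """Feed every parseable line to a monitor and return the alerts raised."""
    mon = LockoutMonitor(warn_at, reset_minutes)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            mon.feed(*parsed)
    return mon.alerts


if __name__ == "__main__":
    for kind, account, source, ts in run_monitor(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<22} {account} from {source}")
```

With the defaults (warn at 3 bad passwords, 30 minute reset) only jsmith produces alerts: the threshold alert on the third attempt and the lockout six seconds later, while mjones's three typos spread over 75 minutes never accumulate. Tightening the policy to warn at 2 with a 120 minute reset window makes mjones trip the alert too, which is the kind of noise kj is warning about when advising a liberal reset policy.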