Re: No lockout policy... why not?



Microsoft asked and this was in the list, 0.02% wanted it built in, so it wasn't... ;-)

Also Dave's comment hits the nail on the head. When I was at a large company, 30% of calls were because users forgot their password; it always happened the week the password change policy kicked in... ;-) They changed it the day before and you would be surprised how many forgot!

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uMvWZvCjHHA.492@xxxxxxxxxxxxxxxxxxxxxxx
In big organizations, lockout is a prime cause of help desk calls, so enterprises have a huge cost associated with it. That's the only valid reason I've ever heard for not using it, and IMO it doesn't really apply in small businesses. I've always had a lockout policy, and I only remember one lockout in the last probably 6-7 years.


"kj" <kj@xxxxxxxxxxx> wrote in message news:u0q7xnCjHHA.3472@xxxxxxxxxxxxxxxxxxxxxxx
Ian wrote:
Does anyone know why SBS 2003 comes with no bad-password lockout
policy by default?

I would have thought this was one of the most fundamental
good-security practices, especially for a system which is actually
designed for external access. Without this, I would have thought that
no matter how complex a password is, a 'bot can keep trying for days,
weeks, months until it hits the right password.

Yet, at the same time users are forced to set passwords of an insane
complexity level, which will cause no end of trouble for unskilled
small-business admins.

The two policies just don't add up.

I for one agree with you and not only set one up custom for each client, I add a monitoring alert for locked accounts and a bad password threshold alert as well.

...just don't get too aggressive with the lockout thresholds, and be fairly liberal with the lockout period and the reset policy.


--
/kj
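As an added illustration of the policy kj describes (not code from the thread or from Microsoft), the Python below models the three lockout knobs a Windows-style policy exposes (threshold, counter reset window, lockout duration) and raises the two alerts kj mentions: one when an account actually locks, and an earlier "bad password threshold" alert so an admin hears about a guessing run before the lockout fires. It is run over a constructed audit trail in which a legitimate user mistypes three times and a guessing bot hammers an account. The event format, the user names and both policies are assumptions for the example, not SBS 2003 defaults; the simulated behaviour that a locked account rejects even the correct password matches what the thread says about lockout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three knobs of a Windows-style account lockout policy (assumed model)."""
    threshold: int            # bad attempts before lockout; 0 means never lock out
    reset_after: timedelta    # quiet time after which the bad-attempt counter resets
    duration: timedelta       # how long the account stays locked


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutMonitor:
    """Applies a LockoutPolicy to logon events and records two alerts:
    'bad_password_threshold' at a lower failure count (early warning) and
    'account_locked' when the policy threshold is reached."""

    def __init__(self, policy: LockoutPolicy, alert_bad_at: int):
        self.policy = policy
        self.alert_bad_at = alert_bad_at
        self.state: Dict[str, AccountState] = {}
        self.alerts: List[Tuple[str, str, datetime]] = []

    def _locked(self, st: AccountState, now: datetime) -> bool:
        return st.locked_until is not None and now < st.locked_until

    def logon(self, user: str, ok: bool, now: datetime) -> str:
        st = self.state.setdefault(user, AccountState())
        if self._locked(st, now):
            # A locked account rejects every attempt, even the correct password.
            return "locked"
        if ok:
            st.bad_count = 0
            return "ok"
        # Start the counter over if the previous failure is older than the reset window.
        if st.last_bad is not None and now - st.last_bad > self.policy.reset_after:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if st.bad_count == self.alert_bad_at:
            self.alerts.append(("bad_password_threshold", user, now))
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            st.bad_count = 0
            self.alerts.append(("account_locked", user, now))
            return "locked"
        return "failed"


def parse_event(line: str) -> Tuple[datetime, bool, str]:
    """Parse one constructed audit line of the form '<date> <time> <OK|FAIL> <user>'."""
    date, time, result, user = line.split()
    return datetime.fromisoformat(f"{date} {time}"), result == "OK", user


# Constructed sample audit trail (not real logs): alice mistypes three times and
# then gets it right; a guesser hits the 'admin' account every three seconds.
SAMPLE_EVENTS = [
    "2007-04-10 09:00:01 FAIL alice",
    "2007-04-10 09:00:09 FAIL alice",
    "2007-04-10 09:00:20 FAIL alice",
    "2007-04-10 09:00:31 OK alice",
] + [f"2007-04-10 23:10:{s:02d} FAIL admin" for s in range(0, 36, 3)] + [
    "2007-04-11 00:00:00 OK admin",   # right password, 50 minutes after the run
]

# Two hypothetical policies: an aggressive one and the more liberal kind kj suggests.
AGGRESSIVE = LockoutPolicy(3, timedelta(minutes=30), timedelta(minutes=30))
LIBERAL = LockoutPolicy(10, timedelta(minutes=5), timedelta(minutes=15))


def run(policy: LockoutPolicy, alert_bad_at: int, lines=SAMPLE_EVENTS):
    mon = LockoutMonitor(policy, alert_bad_at)
    results = []
    for line in lines:
        now, ok, user = parse_event(line)
        results.append((user, mon.logon(user, ok, now)))
    return results, mon.alerts


def alice_locked_out(policy: LockoutPolicy, alert_bad_at: int = 5) -> bool:
    """Does the legitimate fat-fingering user get locked out under this policy?"""
    results, _ = run(policy, alert_bad_at)
    return any(u == "alice" and r == "locked" for u, r in results)


def admin_outcome(policy: LockoutPolicy, alert_bad_at: int = 5):
    """Per-attempt results for the attacked account and the alert kinds raised for it."""
    results, alerts = run(policy, alert_bad_at)
    return [r for u, r in results if u == "admin"], [k for k, u, _ in alerts if u == "admin"]


if __name__ == "__main__":
    for name, pol in (("aggressive", AGGRESSIVE), ("liberal", LIBERAL)):
        print(name, "alice locked:", alice_locked_out(pol), "admin:", admin_outcome(pol))
```

Under the aggressive policy alice's three typos lock her out and her correct fourth attempt is rejected, while the early-warning alert never fires because the lockout threshold is lower than the alert level; under the liberal policy alice logs in normally, the guesser still trips the early alert on the fifth failure and is locked on the tenth, and the account is usable again once the duration has elapsed.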