Re: No lockout policy... why not?
Hi Everyone:

While I will agree with all of the above about lockouts and strong passwords
and all the rest, it seems to me that the ultimate vulnerability in this
scenario is the administrator's password.

Unless I have missed something, you can't disable it, you can't lock it out,
and while you can "re label/rename" it, the underlying account is still
there and known to the bad guys.

Seems to me that if one is really concerned about this level of security,
the policy advocated by Leythos and others of having a device in front of
your server(s) that logs and requires authentication is the best one.

Please tell me I have it confused. :-)

Anna Clark


"kj" <kj@xxxxxxxxxxx> wrote in message
news:ux6OiYDjHHA.1260@xxxxxxxxxxxxxxxxxxxxxxx
Dave Nickason [SBS MVP] wrote:
In big organizations, lockout is a prime cause of help desk calls, so
enterprises have a huge cost associated with it. That's the only
valid reason I've ever heard for not using it, and IMO it doesn't
really apply in small businesses. I've always had a lockout policy,
and I only remember one lockout in the last probably 6-7 years.
Some overzealous security-minded person tries to implement a policy like
they would on a mainframe without really understanding the Windows C/S
environment.

Lockout policy should deter and delay password cracking attempts and alert
administrators to the activities. It shouldn't lock out the user who
forgets his password. After all, how many are going to suddenly remember
the password before calling the help desk or administrator anyway?
It's not going to happen. It's forgotten, it needs a reset, and lockout
wouldn't matter anyway; it's a help desk call.

On the other hand, if you are allowed to "guess" as often and as many
times as you like, eventually you'll get in.

--
/kj
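To put numbers on the two points made in this thread (kj's "deter and delay" and Anna's account that cannot be locked out), here is a small added model of Windows account lockout. It is not code from the thread or from Windows; it assumes simplified semantics (a bad-password counter that resets after "reset counter after" minutes, a lock of "lockout duration" minutes once the threshold is reached, 0 meaning locked until an administrator unlocks it), and the `exempt` flag, the account names, the policy values 5/30/30 and the one-guess-per-second rate are constructed for illustration.

```python
from dataclasses import dataclass
from math import inf
from typing import Optional, Tuple


# Policy values as Windows exposes them: threshold in bad attempts, times in minutes.
# Assumed simplified semantics: the bad-password counter resets once reset_after_min
# has passed since the last bad attempt; reaching the threshold locks the account for
# duration_min minutes (0 = it stays locked until an administrator unlocks it).
@dataclass
class LockoutPolicy:
    threshold: int
    reset_after_min: int
    duration_min: int


@dataclass
class Account:
    name: str
    password: str
    exempt: bool = False                  # models the built-in account the poster says cannot be locked out
    bad_count: int = 0
    last_bad_at: Optional[int] = None     # seconds
    locked_until: Optional[float] = None  # seconds; inf = locked until an admin unlocks it


def attempt_logon(acct: Account, policy: LockoutPolicy, password: str, now_s: int) -> str:
    """Evaluate one logon at time now_s (seconds). Returns 'success', 'bad_password' or 'locked'."""
    if acct.locked_until is not None:
        if now_s < acct.locked_until:
            return "locked"               # rejected without the guess being evaluated at all
        acct.locked_until = None          # lockout duration has elapsed
        acct.bad_count = 0
    if acct.last_bad_at is not None and now_s - acct.last_bad_at >= policy.reset_after_min * 60:
        acct.bad_count = 0                # observation window expired: counter resets
    if password == acct.password:
        acct.bad_count = 0
        acct.last_bad_at = None
        return "success"
    acct.bad_count += 1
    acct.last_bad_at = now_s
    if policy.threshold > 0 and not acct.exempt and acct.bad_count >= policy.threshold:
        acct.locked_until = inf if policy.duration_min == 0 else now_s + policy.duration_min * 60
    return "bad_password"


def admin_unlock(acct: Account) -> None:
    """What the help desk call does: clear the lock and the counter."""
    acct.locked_until = None
    acct.bad_count = 0


def guesses_evaluated_per_day(policy: LockoutPolicy, exempt: bool = False) -> Tuple[int, int]:
    """Simulate one wrong guess per second for 24 hours.

    Returns (guesses actually evaluated against the password, lockout events).
    Each lockout event is something an administrator should be alerted on.
    """
    acct = Account("svc-account", "correct horse battery staple", exempt=exempt)  # constructed
    evaluated = lockouts = 0
    for sec in range(24 * 60 * 60):
        was_locked = acct.locked_until is not None
        if attempt_logon(acct, policy, "wrong-guess", sec) == "bad_password":
            evaluated += 1
        if acct.locked_until is not None and not was_locked:
            lockouts += 1
    return evaluated, lockouts


if __name__ == "__main__":
    for label, policy, exempt in [
        ("no lockout policy", LockoutPolicy(0, 30, 30), False),
        ("5 bad / reset 30 min / lock 30 min", LockoutPolicy(5, 30, 30), False),
        ("5 bad / reset 30 min / lock until unlocked", LockoutPolicy(5, 30, 0), False),
        ("5 bad / reset 30 min / lock 30 min, exempt account", LockoutPolicy(5, 30, 30), True),
    ]:
        evaluated, lockouts = guesses_evaluated_per_day(policy, exempt)
        print(f"{label}: {evaluated} guesses evaluated, {lockouts} lockout events")
```

With no policy the guesser gets all 86,400 guesses in a day evaluated; with a 5/30/30 policy only 240 are, and the 48 lockout events are the signal kj mentions. The exempt account gets the full 86,400 regardless of policy, which is why Anna's post points at authentication in front of the server rather than at the lockout policy.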