Re: No lockout policy... why not?



Oops! Thanks kj

Seems Anna was napping in class when the subject of Administrator security
was discussed. :-(

More research is required. But after a quick review of the literature it is
still not clear that disabling and/or renaming THE Administrator account is
either a workable solution or will do more than slow down a knowledgeable bad
guy.

Of course slowing them down is a valuable objective, but an authenticating
firewall ahead of the server, preferably one that logs unsuccessful attempts
and can do "lockouts" of its own, with entirely different user IDs and
passwords, would still seem to be the "more secure" solution.

--
Regards:

Anna Clark
Please reply or post the solution to
your issue so that others may benefit.
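An added example (not part of either poster's message) that illustrates the point being argued about: the built-in Administrator account is identified by its SID, which always ends in the well-known relative ID 500, so renaming the account changes its display name but not what an attacker enumerating SIDs would see. The script below, written for Windows PowerShell 5.1 or later (it uses the Get-LocalUser cmdlet from the Microsoft.PowerShell.LocalAccounts module and parses the plain-text output of `net accounts`), finds that account regardless of name, reports whether it is enabled, and reads the current lockout threshold. The "Lockout threshold" label it parses is assumed to match the English-language output of `net accounts`; on other locales adjust the pattern.

```powershell
# Added example: locate the built-in Administrator account by RID 500,
# whatever it has been renamed to, and report the local lockout threshold.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser) and English `net accounts` output.

function Get-BuiltinAdministrator {
    # The built-in Administrator always has a SID of the form S-1-5-21-<domain>-500.
    # Renaming the account does not change this value.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function Get-LockoutThreshold {
    # `net accounts` prints the effective local policy, e.g.
    #   Lockout threshold:                     Never
    #   Lockout threshold:                     5
    # Returns 0 when no lockout is configured ("Never"), else the attempt count.
    $line = (net accounts) | Where-Object { $_ -match '^\s*Lockout threshold:\s*(\S+)' }
    if (-not $line) { return $null }          # unexpected/non-English output
    $value = [regex]::Match($line, 'Lockout threshold:\s*(\S+)').Groups[1].Value
    if ($value -eq 'Never') { return 0 }
    return [int]$value
}

$admin = Get-BuiltinAdministrator
if ($admin) {
    "Built-in Administrator (RID 500) is currently named '{0}'" -f $admin.Name
    "Enabled: {0}" -f $admin.Enabled
    if ($admin.Name -ne 'Administrator') {
        "Note: the rename hides nothing from a SID lookup; the RID is still 500."
    }
} else {
    "No RID-500 account found via Get-LocalUser (run elevated, or on a domain controller use Get-ADUser)."
}

$threshold = Get-LockoutThreshold
switch ($threshold) {
    $null   { "Could not parse lockout policy from `net accounts` output." }
    0       { "Lockout threshold: Never (no account lockout policy in effect)." }
    default { "Lockout threshold: $threshold failed attempts." }
}
```

Run it in an elevated prompt; the SID match is the useful part, since a local-account enumeration over the network (or a tool that resolves SIDs) will find the RID-500 account by exactly the same means, which is why renaming it is only a speed bump.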




"kj" <kj@xxxxxxxxxxx> wrote in message
news:eXW6H1EjHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
Anna Clark wrote:
Hi Everyone:

While I will agree with all of the above about lockouts and strong
passwords and all the rest, it seems to me that the ultimate
vulnerability in this scenario is the administrator's password.

Unless I have missed something, you can't disable it, you can't lock
it out, and while you can "re label/rename" it, the underlying
account is still there and known to the bad guys.

Seems to me that if one is really concerned about this level of
security, the policy advocated by Leythos and others of having a
device in front of your server(s) that logs and requires
authentication is the best one.
Please tell me I have it confused. :-)

Anna Clark



You can disable it and it can be locked out (except at the console). It
clearly is the prime target. Of course *any* account can be used to get in
the 'door' and any account can lead to compromise of another account with
greater privileges. The old weakest link in the chain thing.

Good practices, diligent monitoring. Defense in depth. Onions (Layers),
not M&M's (hard shells, soft centers).

--
/kj





