Re: No lockout policy... why not?



The biggest thing that relieves my anxiety about remote access attacks is
two-factor authentication. This applies to all of the accounts, not just
Administrator. I'm currently using Cryptocard, but a more appropriate
SBS-sized solution has been released since I bought Cryptocard. Without the
authentication token and PIN, you can't even get to a password prompt to
attempt to use a Windows password.

See http://www.scorpionsoft.com/ or come to Jeff Middleton's NOLA conference
to check this out for yourself http://www.conference2007.sbsmigration.com/


"kj" <kj@xxxxxxxxxxx> wrote in message
news:uKrFO5NjHHA.492@xxxxxxxxxxxxxxxxxxxxxxx
Anna Clark wrote:
Oops! Thanks kj

Seems Anna was napping in class when the subject of Administrator
security was discussed. :-(

More research is required. But after a quick review of the
literature it is still not clear that disabling and/or renaming THE
Administrator account is either a workable solution or will do more
than slow down a knowledgeable bad guy.

Of course slowing them down is a valuable objective, but an
authenticating firewall ahead of the server, preferably one that logs
unsuccessful attempts and can do "lockouts" of its own, with entirely
different user IDs and passwords, would still seem to be the "more
secure" solution.

No, there is no one thing that can be done to make you 'secure'. The
Administrator account is just a primary target. If you audit any of your
sites you'll find (or should) at least one other account that, if
compromised, would be a bad thing.

All of these are good practices for building depth into the site security.
Focusing on the firewall isn't all that should be done. The (US) FBI
reports 75% of security breaches are from inside the firewall. Consider
for just a moment the new generation of cell phones, some of which have
built-in WiFi. How many of these will be walking in the doors of your
sites soon?

--
/kj
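The lockout kj describes, done "ahead of the server" by something that logs unsuccessful attempts, is worth seeing concretely, because the two settings that make or break it are the observation window and the threshold, not just whether lockout is "on". The script below is an added example, not code from either poster or from any product named above. It implements the three knobs of a Windows-style account lockout policy (threshold, observation window, lockout duration) as a sliding window over a small, constructed set of failed-logon records in a hypothetical `timestamp user source result` format such as a logging firewall might emit; the user names, addresses and record layout are all made up for the demonstration.

```python
"""Sliding-window account lockout evaluated over failed-logon records.

Added example, not part of the original thread. The log format and the
sample records are constructed for the demonstration. Windows itself
resets the bad-password counter a fixed time after the *last* failure;
the sliding window used here is a slightly stricter approximation and is
an assumption of this example, not a statement of Windows behaviour.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp user source_ip result".
# One source hammers the Administrator account; a real user fumbles a
# password three times spread over 45 minutes and then gets in.
SAMPLE_LOG = """\
2007-05-01T10:00:00 Administrator 203.0.113.7 FAIL
2007-05-01T10:00:05 Administrator 203.0.113.7 FAIL
2007-05-01T10:00:10 Administrator 203.0.113.7 FAIL
2007-05-01T10:00:15 Administrator 203.0.113.7 FAIL
2007-05-01T10:00:20 Administrator 203.0.113.7 FAIL
2007-05-01T10:00:25 Administrator 203.0.113.7 FAIL
2007-05-01T10:03:00 anna 192.0.2.10 FAIL
2007-05-01T10:20:00 anna 192.0.2.10 FAIL
2007-05-01T10:45:00 anna 192.0.2.10 FAIL
2007-05-01T10:45:30 anna 192.0.2.10 OK
"""


def evaluate(log_text, threshold=5,
             window=timedelta(minutes=30),
             duration=timedelta(minutes=30)):
    """Replay failed logons against a lockout policy.

    Returns a dict with:
      lockouts: [(user, source, when)] for each time an account was locked
      denied:   [(user, source, when)] for attempts made while locked
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> datetime the lock expires
    lockouts, denied = [], []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, result = line.split()
        now = datetime.fromisoformat(ts)
        user = user.lower()         # account names are case-insensitive

        # An attempt against a locked account is refused outright,
        # whatever the password; once the lock expires, start clean.
        if user in locked_until:
            if now < locked_until[user]:
                denied.append((user, source, now))
                continue
            del locked_until[user]
            failures[user].clear()

        if result == "OK":
            failures[user].clear()  # a good logon resets the counter
            continue

        # Drop failures that fell out of the observation window, then
        # count this one.
        recent = failures[user]
        while recent and now - recent[0] > window:
            recent.popleft()
        recent.append(now)

        if len(recent) >= threshold:
            locked_until[user] = now + duration
            lockouts.append((user, source, now))
            recent.clear()

    return {"lockouts": lockouts, "denied": denied}


if __name__ == "__main__":
    report = evaluate(SAMPLE_LOG)
    for user, source, when in report["lockouts"]:
        print(f"LOCKOUT {user} from {source} at {when}")
    for user, source, when in report["denied"]:
        print(f"DENIED  {user} from {source} at {when} (account locked)")
```

With the sample data the Administrator account locks on the fifth failure and the sixth attempt is refused, while anna's three failures never lock her out because the 30-minute window has let the first one expire by the time the third arrives. Two things to notice before copying the idea into production: tightening the window or threshold trades password-guessing resistance for a denial-of-service lever, since anyone who can reach the logon prompt can lock a named account on purpose, and that is the strongest argument for kj's suggestion of doing the counting at the firewall, keyed on the source address rather than the account name; the loop above keys on `user` but the same structure works keyed on `source`.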


