Re: No lockout policy... why not?
Hi Dave:

Thanks for the link. One more arrow in the old IT quiver.

Looks like a nice product. Shame they don't give you any idea of what it
costs (that I could find) before asking for your credit card info. I for
one don't like to fill out forms unless I have some appreciation for the
amount of money I am about to spend.

Anna

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e$rqwQOjHHA.392@xxxxxxxxxxxxxxxxxxxxxxx
The biggest thing that relieves my anxiety about remote access attacks is
two-factor authentication. This applies to all of the accounts, not just
Administrator. I'm currently using Cryptocard, but a more appropriate
SBS-sized solution has been released since I bought Cryptocard. Without
the authentication token and PIN, you can't even get to a password prompt
to attempt to use a Windows password.

See http://www.scorpionsoft.com/ or come to Jeff Middleton's NOLA
conference to check this out for yourself
http://www.conference2007.sbsmigration.com/


"kj" <kj@xxxxxxxxxxx> wrote in message
news:uKrFO5NjHHA.492@xxxxxxxxxxxxxxxxxxxxxxx
Anna Clark wrote:
Oops! Thanks kj

Seems Anna was napping in class when the subject of Administrator
security was discussed. :-(

More research is required. But after a quick review of the
literature it is still not clear that disabling and/or renaming THE
Administrator account is either a workable solution or will do more
than slow down a knowledgeable bad guy.

Of course slowing them down is a valuable objective, but an
authenticating firewall ahead of the server, preferably one that logs
unsuccessful attempts and can do "lockouts" of its own, with entirely
different user IDs and passwords would still seem to be the "more
secure" solution.

No, there is no one thing that can be done to make you 'secure'. The
administrator account is just a primary target. If you audit any of your
sites you'll find (or should) at least one other account that if
compromised would be a bad thing.

All of these are good practices at building depth into the site
security. Focusing on the firewall isn't all that should be done. The
(US) FBI reports 75% of security breaches are from inside the firewall.
Consider for just a moment the new generation of cell phones some of
which have built in WiFi. How many of these will be walking in the doors
of your sites soon?

--
/kj
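As an added illustration (not code from this thread or from any product named in it), the following Python model shows the kind of front-end lockout kj describes: a device ahead of the server counts failed logons per source address in a sliding window, refuses further attempts from that source for a period, and never touches the Windows account's own lockout counter, so an attacker cannot lock the real Administrator out by guessing. The window, threshold, lockout duration and the log lines are constructed assumptions, as is the log format.

```python
"""Sliding-window, per-source lockout in front of a logon prompt.

Added example for the thread's discussion of an authenticating firewall
that 'logs unsuccessful attempts and can do lockouts of its own'. All
parameters and log lines below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)    # assumption: failures older than this are forgotten
THRESHOLD = 5                     # assumption: this many failures in WINDOW locks the source
LOCKOUT = timedelta(minutes=30)   # assumption: how long a locked source stays blocked

# Constructed sample log lines (not real logs): "<ISO timestamp> <user> <source> <FAIL|OK>"
SAMPLE_LOG = """\
2007-05-01T10:00:01 administrator 203.0.113.7 FAIL
2007-05-01T10:00:05 administrator 203.0.113.7 FAIL
2007-05-01T10:00:09 administrator 203.0.113.7 FAIL
2007-05-01T10:00:14 administrator 203.0.113.7 FAIL
2007-05-01T10:00:20 administrator 203.0.113.7 FAIL
2007-05-01T10:00:25 administrator 203.0.113.7 OK
2007-05-01T10:02:00 anna 198.51.100.4 FAIL
2007-05-01T10:40:00 administrator 203.0.113.7 OK
"""


class SourceLockout:
    """Tracks failed attempts per source address, not per account.

    Keying on the source means a guessing campaign locks out the guesser,
    while the legitimate Administrator connecting from elsewhere is unaffected.
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD, lockout=LOCKOUT):
        self.window = window
        self.threshold = threshold
        self.lockout = lockout
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.locked_until = {}               # source -> datetime when the block expires

    def is_locked(self, source, now):
        until = self.locked_until.get(source)
        return until is not None and now < until

    def record(self, ts, source, success):
        """Apply one logon attempt and return the action taken.

        BLOCKED  - source is locked; the attempt never reaches a password check
        ALLOW    - credentials accepted; failure history for the source is cleared
        DENY     - credentials rejected; counted against the source
        LOCKOUT  - this failure crossed the threshold; source is now blocked
        """
        if self.is_locked(source, ts):
            return "BLOCKED"
        if success:
            self.failures.pop(source, None)
            return "ALLOW"
        recent = self.failures[source]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while recent and recent[0] < ts - self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[source] = ts + self.lockout
            recent.clear()
            return "LOCKOUT"
        return "DENY"


def replay(log_text, tracker=None):
    """Feed log lines through the tracker; return (user, source, action) per line."""
    tracker = tracker or SourceLockout()
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, source, outcome = line.split()
        ts = datetime.fromisoformat(stamp)
        results.append((user, source, tracker.record(ts, source, outcome == "OK")))
    return results


if __name__ == "__main__":
    for user, source, action in replay(SAMPLE_LOG):
        print(f"{user:14} {source:14} {action}")
```

Note the sixth line: the password was correct, but the source had just been locked, so the attempt is refused before any credential is examined, which is the behaviour Dave describes for the token-gated setup ("you can't even get to a password prompt"). The attempt at 10:40 succeeds because the block has expired. The trade-off the thread hints at is visible in the code as well: account-based lockouts give an attacker a way to lock the real administrator out, whereas a source-based block does not.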