Re: TimeOut Script for OWA



I'm going to go out on the proverbial limb here and offer the suggestion that you cannot reduce the attempts; you can only mitigate the risk that they will be successful. Lowering the account lockout to 10 means that any future attempt to log on will be rejected, even if the correct pass phrase is offered. But, afaik, you will not be able to reduce the number of attempts.

What I do not know, and have not tested, is if unsuccessful attempts above the threshold will result in an event being created.

--
Larry
Please post the resolution to your
issue so that others may benefit.


"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F91E5990-7825-44F7-91EC-7C6C2123355E@xxxxxxxxxxxxxxxx
Apparently it did not work:
Source     Event ID   Last Occurrence      Total Occurrences
Security   529        1/10/2009 7:40 AM    2,040 *


Logon Failure:
Reason: Unknown user name or bad password
User Name: aloha
Domain:
Logon Type: 3
Logon Process: Advapi


--
Regards,
Jamie


"Cliff Galiher" wrote:

Since Merv said his knowledge of group policy is limited, I thought I'd
chime in and confirm his explanation. :) In most "normal" setups, you
don't need to mess with the enforced option. You should not 'enforce' a
policy unless you have a very compelling reason to do so (aka have a very
large organization with multiple sites and forests..) ;)

-Cliff


"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:#5MeQW2cJHA.3520@xxxxxxxxxxxxxxxxxxxxxxx
> GPO Exceptions: Enforce and Block Inheritance
> http://grouppolicy.editme.com/EnforceBlock
>
> My knowledge of Group Policy is limited, but I believe the "Enforced" flag
> on a GPO overrides any 'conflicting' GPO settings that you might have
> created previously or might create later. This may not be desirable, so
> the default is to not flag the GPO as "Enforced". As long as the GPO is
> 'defined' (as it is by default with SBS as witnessed by the existence of
> the Small Business Server Lockout Policy GPO link), it should be applied
> to users and/or computers even though it is not flagged as "Enforced".
>
> --
> Merv Porter [SBS-MVP]
> ============================
>
>
> "thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:6E2AD6CA-6753-4FA4-948C-EB0D0C6FC5B3@xxxxxxxxxxxxxxxx
>> Thanks Merv,
>>
>> I changed it from the default of 50 to 10. Oddly there is a place lower
>> in the forest where Small Business Server Group Policy shows a four tab
>> view of the policy. In the "Scope" tab, there is a place where the word
>> "Enforced" shows up and it lists "No" for Enforced. Does this mean that
>> no matter what the policy is, it will not be enforced? It would appear
>> from the log that 50 attempts were made for each user name and the
>> attempts were run using about 100 different login names (the last was
>> "aloha" - someone has a sense of humor). I am wondering if the hacker
>> just tries only 50 attempts knowing that the lockout sits at 50 or if
>> the policy was enforced and they actually reached 50 attempts, failed,
>> and started with a new user login?
>>
>> If not, I expect there is a way to enable that enforcement?
>> --
>> Regards,
>> Jamie
>>
>>
>> "Merv Porter [SBS-MVP]" wrote:
>>
>>> You can try modifying your default settings for account lockout...
>>>
>>> +++ Back up your current group policies BEFORE you attempt to modify
>>> anything.
>>> -------------------------------------------------
>>> + To create a backup of all Windows SBS 2003 Group Policy objects
>>> + Click Start, and then click Server Management.
>>> + In the console tree, click Advanced Management, double-click Group
>>> Policy
>>> Management, double-click Forest: <domainname>, double-click domainname,
>>> right-click Group Policy Objects, and then click Back Up All.
>>> + In the Back Up Group Policy Object dialog box:
>>> + Under Location, enter the name of the folder in which you want to
>>> store
>>> the backup of the GPOs.
>>> + Under Description, enter a description (for example, SBS GPOs) to
>>> easily
>>> identify the file that contains the backup.
>>> + Click Backup.
>>> -----------------------------------------------
>>>
>>>
>>> Modify Account Lockout Policies
>>> -----------------------------------------------
>>> NOTE: This will apply to all accounts, and to both internal (LAN) and
>>> external logons. As such, it will not be limited to OWA logins.
>>>
>>> + Log on as a member of the Domain Admins security group.
>>> + Open Server Management.
>>> + In the console tree, click Advanced Management, right-click Group
>>> Policy
>>> Management, and then click Add forest.
>>> + In the Add forest dialog box, enter the domain name. When prompted Do
>>> you want to add this forest with this domain?, click Yes.
>>> + In the console tree, under Group Policy Management, click
>>> Forest:forestname, click Domains, right-click Small Business Server
>>> Account
>>> Lockout Policy, and then click Edit.
>>> + In Group Policy Object Editor, click Computer Configuration, click
>>> Windows Settings, and then click Security Settings.
>>> + Under Security Settings, click Account Policies, and then click
>>> Account
>>> Lockout Policy.
>>> + In the details pane, double-click each of the following policies, and
>>> modify settings as needed: Account lockout duration, Account lockout
>>> threshold, and Reset account lockout counter after.
>>> + Click Apply, click OK, and then close Group Policy Object Editor.
>>> + Close Group Policy Management.
>>> -----------------------------------------------
>>>
>>> --
>>> Merv Porter [SBS-MVP]
>>> ============================
>>>
>>> "thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:7DBDB3ED-452A-4397-B72A-1E928664375F@xxxxxxxxxxxxxxxx
>>> > Someone figured out a way to hit my Web server logon
>>> > (https://myserver.com/remote) server at a rate of about 2 times per
>>> > second this morning. I thought the login was supposed to time out.
>>> > Where can I set it so that the login policy is stricter? I see no
>>> > reason why there should be a need to try to log on more than about 5
>>> > times under any one given login name.
>>> > How can I fix it to work this way?
>>> > --
>>> > Regards,
>>> > Jamie
>>>
>>>
>>>
>
>




