Account Disable/Lockout Policy?
Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Account Disable/Lockout Policy?

  1. #1
    Member
    Join Date
    Mar 2005
    Posts
    65

    Account Disable/Lockout Policy?

    Ola:

    Just wondering what other people do for an account lockout policy: an policy that either disables or locks out an account after X amount of tries within a given time frame.

    Our standard states:


    Objective

    Failed access attempts to [our] computing systems indicate potential attacks on the security of these systems. Adequate controls must be in place to ensure that these attacks are not allowed to proceed.

    Statement of Standards

    Repeated logon failures for a given account will be considered a potential security threat. After five successive password failures, the account involved will be disabled.
    What our boggle is that we are not sure it would be best to just disable an account after X amount of failed login attempts within X amount of time, or instead lockout the account for 15-30 minutes after X amount of failed login attempts within X amount of time.

    I look forward for any ideas on what other organizations do or looking to do for this area.

    Gracias.

  2. #2
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    me and my team just did this.

    We looked at it this way. Lockout the account after 5 attemps and than unlock after 999 minutes. We want the users to contact the help desk so we can identify if anyone was trying to hack there account. Were in a Citrix Enviornment so were really vulnerable to programs like TSCrack and such.

    <edit>
    However teh standard is lockout after 3 and refresh/unlock after 30min
    </edit>

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I use 4 attempts reset the counter after 1 hour and lock out the user until an admin resets the account so that we can look at the logs and see if the attempt continued after lockout. That way you can identify and verify if the user did it or some automated process.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Err.. I do pretty much the same as above. Lockout after 4 attempts and make user call to get reset.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    The school I used to work for made it so you had 3 tries, then every failed attempt after that would increase the time before you could try again. so on the 4th fail you had to wait 15 minutes, the 5th fail was an hour, the 6th fail was permanent so you had to come in to one of the labs with an ID and do a password reset.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    XTC46,

    That's an interesting solution! Not bad at all!
    Do you know how they accomplished this?

    Thanks!

  7. #7
    Member
    Join Date
    Mar 2005
    Posts
    65
    Ola:

    Thanks for the responses - good information.

    Also - to better help understand where I am coming from, we have about 30,000 workstations here within the States and trying to leverage security with functionality so that we can:

    1) Cut down on possible attacks
    2) Locate those accounts that may be under attack
    3) Help educate users to remember their password(s)

    Thanks again.

    Buenos dias.

  8. #8
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I think with 30k workstations, if you do mandatory lock-outs, you're going to be getting a LOT of calls. The time based deal might work better for you, but it all depends on how sensitive you feel your data is. If you do use the time based thing, you'll possibly have a large amount of people who can't work for 30 minutes which could produce a lack of efficiency, but I think thats better than paying tons of password reset HD people.

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    you'll possibly have a large amount of people who can't work for 30 minutes which could produce a lack of efficiency, but I think thats better than paying tons of password reset HD people.
    this is over come by having group leads that can do the password resets, but in my experience they forget their passwords also... and even with the time delay, most people will call anyway. even if you tell them "wait 20 minutes, try again and if it doesnt work call back" they will call in 5 minutes whining.


    the way we got around this was having the screen say "you have been temporarily locked out...blah blah blha" and it gave a link to do your password reset (you had to answer "secret questions" to confirm your ID) then it would unlock the account after 5 minutes.


    Im not sure what software they used to acomplish this, though. it is implemented at myuhportal.hawaii.edu if you want to email them about it.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  10. #10
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Whatever solution you decide upon, you should also discuss with the manager, supervisor of the helpdesk to see how much traffic they are dealing with now, what any change to a standard or policy would be, and even check to see what ideas they may have for account disable/lockout.

    With that many workstations, or even more, disabling accounts and having the users calling in and going on tyriads probably would not work; time-based lockouts may work better, but again you may wish to discuss with the help desk as well.
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •