Account Disable/Lockout Policy?

Ola:

Just wondering what other people do for an account lockout policy: an policy that either disables or locks out an account after X amount of tries within a given time frame.

Our standard states:

Quote:

---

Objective

Failed access attempts to [our] computing systems indicate potential attacks on the security of these systems. Adequate controls must be in place to ensure that these attacks are not allowed to proceed.

Statement of Standards

Repeated logon failures for a given account will be considered a potential security threat. After five successive password failures, the account involved will be disabled.

---

What our boggle is that we are not sure it would be best to just disable an account after X amount of failed login attempts within X amount of time, or instead lockout the account for 15-30 minutes after X amount of failed login attempts within X amount of time.

I look forward for any ideas on what other organizations do or looking to do for this area.

Gracias.

me and my team just did this.

We looked at it this way. Lockout the account after 5 attemps and than unlock after 999 minutes. We want the users to contact the help desk so we can identify if anyone was trying to hack there account. Were in a Citrix Enviornment so were really vulnerable to programs like TSCrack and such.

<edit>
However teh standard is lockout after 3 and refresh/unlock after 30min
</edit>

I use 4 attempts reset the counter after 1 hour and lock out the user until an admin resets the account so that we can look at the logs and see if the attempt continued after lockout. That way you can identify and verify if the user did it or some automated process.

Err.. I do pretty much the same as above. Lockout after 4 attempts and make user call to get reset.

The school I used to work for made it so you had 3 tries, then every failed attempt after that would increase the time before you could try again. so on the 4th fail you had to wait 15 minutes, the 5th fail was an hour, the 6th fail was permanent so you had to come in to one of the labs with an ID and do a password reset.

XTC46,

That's an interesting solution! Not bad at all! :)
Do you know how they accomplished this?

Thanks!

Ola:

Thanks for the responses - good information.

Also - to better help understand where I am coming from, we have about 30,000 :eek: workstations here within the States and trying to leverage security with functionality so that we can:

1) Cut down on possible attacks
2) Locate those accounts that may be under attack
3) Help educate users to remember their password(s)

Thanks again.

Buenos dias.

I think with 30k workstations, if you do mandatory lock-outs, you're going to be getting a LOT of calls. The time based deal might work better for you, but it all depends on how sensitive you feel your data is. If you do use the time based thing, you'll possibly have a large amount of people who can't work for 30 minutes which could produce a lack of efficiency, but I think thats better than paying tons of password reset HD people.

Quote:

---

you'll possibly have a large amount of people who can't work for 30 minutes which could produce a lack of efficiency, but I think thats better than paying tons of password reset HD people.

---

this is over come by having group leads that can do the password resets, but in my experience they forget their passwords also... and even with the time delay, most people will call anyway. even if you tell them "wait 20 minutes, try again and if it doesnt work call back" they will call in 5 minutes whining.


the way we got around this was having the screen say "you have been temporarily locked out...blah blah blha" and it gave a link to do your password reset (you had to answer "secret questions" to confirm your ID) then it would unlock the account after 5 minutes.


Im not sure what software they used to acomplish this, though. it is implemented at myuhportal.hawaii.edu if you want to email them about it.

Whatever solution you decide upon, you should also discuss with the manager, supervisor of the helpdesk to see how much traffic they are dealing with now, what any change to a standard or policy would be, and even check to see what ideas they may have for account disable/lockout.

With that many workstations, or even more, disabling accounts and having the users calling in and going on tyriads probably would not work; time-based lockouts may work better, but again you may wish to discuss with the help desk as well.