Account Disable/Lockout Policy?

i think you must combine useful, fast and security

so making people wait for 30 minutes before they can log in again is a bad idea

i don't advise doing the 5 tries per minute for example , because a real patient cracker would do prog with that interval and make that program sit in the background of a remote computer he uses :P or of his comuter

so i like to be strict in terms of passwords... 5 tries and you have a problem is a good policy

i suggest u divide ur users into groups, i think a person working in IT should not forget his password like miss shopping, and according to usergroup u define a policy

you can make the "help desk" not made of human, that will increase its capability by lot more
like send reset key to specific mail address....(the traditional procedure )

ask him to log on from his usual computer ( u log in the network card or the IP :P ) and to submit the key from that computer [ i can immagine some ways for you if u want :P ]

i agree with you about Educating users to remember and have secure passwords

You don't give much information on how your network is set up, what your password policies are or how secure your network needs to be so this may or may not be helpful.
I work in a secure environment and my location uses a combination of things. We have our workstations set to lock users out after 3 failed logons. They reset after a 15 minute wait.

Having said this, we also enforce a strict password policy that forces a person to have a password of 8 characters (that has to have at least one number, one capital letter, one lower case letter and one special character). Users have to change their passwords every 90 days and we enforce a password history of the last 24 passwords so you cannot use them again. Also, if you change your password, you have to wait 1 day before changing it again (unless you have a systems admin force the change).

We also enforce a policy that audits failures of account logon events so we can see which accounts are getting hit. We've removed unnecessary groups and accounts from even being able to have access to the machines and no one other than admins have local access to the machines. If a user wants to use the machine, they have to log onto the domain (they cannot log on locally) with a valid domain account.

This information may be more than what you were looking for but at least it might give you some ideas. I hope it helps.

I think there is another important point here, however. You mentioned that you want to lock out the accounts so you can be alerted in case of account hacks. This is great in principle, but if you don't have staffing within your security group to track down every phone call to the help desk, are you really accomplishing the goal of having knowledge of potential attackers?

Ola:

Again, my apologies in advance for doing this, posting to an older thread, however we just have had a development in this Account Disable/Lockout Policy that I believe I need the community's advice on - and I did not think that creating a new thread would have been appropriate (however, if I am wrong, please let me know). A new Account Disable/Lockout Policy is being put forth - still in draft mode. Here is the current one again for ease of reading:

Quote:

---

Objective

Failed access attempts to [our] computing systems indicate potential attacks on the security of these systems. Adequate controls must be in place to ensure that these attacks are not allowed to proceed.

Statement of Standards

Repeated logon failures for a given account will be considered a potential security threat. After five successive password failures, the account involved will be disabled.

---

And because our organization is deploying Active Directory, we found out that the above standard causes some issues with AD - so one of our security personnel re-wrote the standard (this person is new to the job and came from... the AD implementation project!) to be more "AD friendly":

Quote:

---

Objective
Failed access attempts to [Company] computing systems indicate potential attacks on the security of these systems. Adequate controls must be in place to ensure that these attacks are not allowed to proceed. This document describes the minimum standards for managing repeated and consecutive logon failures on [Company] systems, in support of the [Company] Electronic Resources Policy.

Statement of Standards
Consecutive logon failures for a given account will be considered a potential security threat. Applications, databases and architectures are required to set account lockout to a maximum of 15 failed attempts within a 15-minute timeframe.

In order to reduce the documented exposure to “denial of service attacks”, logon failure counters may be reset to zero (0) once a minimum of 15 minutes have elapsed since the last logon attempt was made on the given account.

---

This does not seem to work for me as an auditor, simply because it provides specialization for AD, while negating security in general and in Windows, not to mention other OS/OE - like *nix variants, Linux, OS/390 and the like.

I asked a fellow auditor about the issue with AD and our current account standard. He theorizes that:

Quote:

---

There are multiple threads in AD. When you login to one thing, you may be logging into up to 7 (or more I think). Therefore if it is set at 5, one invalid logon could lock out an account

---

Is this true? After he stated the above, he also stated whether that was true, so both of us are curious.

There is a huge e-mail thread going on internally about this proposed standard change. The auditor I mentioned above is already in the frackas, however, I think I need to jump in as the standard will not work as written. The author is making a general concession for one application and sacrificing security in the process. Thoughts on this? Let me of questions and I will answer as best as I can.

In advance -

Gracias.

Hi thwhomp ,

Well the usual standards over here for high security government and military establishments is three goes and your account is locked. It needs to be reset.

It sounds to me as if your active directory is not set up properly? Like you should be forced to establish your credentials and bonafides BEFORE you are allowed anywhere near production systems.

You may then have to log into other systems such as Citrix, Payroll, Finance, HR etc. to do your job.....these could be located anywhere in the country. The primary requirement is to identify yourself to your local network before you open any threads. When you attempt to log into one of those sensitive applications, and fail, you should also be locked out............."the enemy within"????

just my thoughts

:)

Ola nihil:

You're right on the "three goes and account is locked" theory I believe. Many of us arguing in the thread are stating that. We have been told however, at least for AD, that the 15 is their threshold. I am currently looking to confirm or disconfirm that.

Also - yes many of our users would need to login to other machines/shares and as my fellow auditor stated, one bad login in that case would case an account lockout - however that too needs to be confirmed or disconfirmed.

I will also bring up your point to the e-mail thread of:

Quote:

---

It sounds to me as if your active directory is not set up properly? Like you should be forced to establish your credentials and bonafides BEFORE you are allowed anywhere near production systems.

---

As a counter to my second paragraph point.

I will post more once I learn more. Thanks.

Bueno.

Hi thwhomp

I will try to give you a better explanation, as it may help your case :)

Say that I go onto one of the sites (my usual one) I log in to the local network, and that takes me to the intranet, internet, departmental servers, my network files.........development project stuff?......I have three goes.

Then, I need to support Finance...............I need to go to their server..............I get three login attempts, then maybe it is security, then Human Resources...............it is the same story............three goes or I am locked out.

Again, I need to provide remote support to another site (hundreds of miles away)................I click on the icon and it takes me to the site.............I am then challenged for my ID and login..........the rules are the same. :) I get to my usual stuff then specifically granted authorities for that site.

Now, 5 x 3 I can handle, but not 15 all in one go.

Hope that clarifies my views


EDIT: This article may be useful, sorry it is rather long.

http://www.microsoft.com/technet/sec.../xpsgch02.mspx

:)

hi thwwomp, need some more data:

What is the compexity requirement of your passwords? Sounds like your AD integrator is a lot like me. I had a policy with NO lockout restrictions among other very loose controls since the passwords are complex and there is a greater danger of infiltration through password stealing versus an automated process. But thats another thread and I lost a great battle with government regulators. Even though piles of data and examples proved my point :D

So what are the complexity requirements? The real issue here is protecting data integrity. And we can build a discussion from there.

//EDIT oh and are there additional access controls outside of active directory? For example, do they have another layer of authentication once the user is logged into the network? That is very important to know.