Educause Security Discussion mailing list archives

Re: Account Lockout Policies


From: "Cheek, Leigh" <lcheek () UTK EDU>
Date: Tue, 11 Jul 2006 15:45:23 -0400

Saburo,

If the lockout duration is set to the Administrator Unlocks (0), then
you set yourself up for a denial of service attack. As an information
system auditor, I use the Center for Internet Security or NIST as my
guides for best practices. 

The Center for Internet Security (www.cisecurity.org) benchmark
recommends the following for Windows 2003 Server enterprise and legacy
computers:
2.2.3.1 Account Lockout Duration 15 minutes
2.2.3.2 Account Lockout Threshold 15 attempts
2.2.3.3 Reset Account Lockout After 15 minutes

The benchmark for Specialized Security - Limited Functionality computers
is as follows:
2.2.3.1 Account Lockout Duration 15 minutes
2.2.3.2 Account Lockout Threshold 10 attempts
2.2.3.3 Reset Account Lockout After 15 minutes

The NIST Windows 2003 security checklist
(http://csrc.nist.gov/checklists/repository/1084.html) recommends:
Account Lockout Duration 15 minutes
Account Lockout Threshold 3 attempts
Reset Account Lockout After 15 minutes

Hope this helps. 

Thanks, 
Leigh Cheek, CIA, CISA
Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu



-----Original Message-----
From: Saburo Usami [mailto:UsamiS () SACREDHEART EDU] 
Sent: Tuesday, July 11, 2006 2:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Account Lockout Policies

Sacred Heart University is configuring its Windows 2003 systems to
conform with Best Practices as recommended by an external auditor.  In
addition to complexity requirements, their Best Practices
recommendations include password policies set as follows:
 
- Account Lockout Threshold: 3 Attempts
- Account Lockout Duration: Administrator Unlocks
 
We have two separate problems with this recommendation.
 
1. From an administrative standpoint, we feel that these settings may
actually encourage users (e.g., disgruntled students just prior to
mid-terms/finals) to cause trouble for others on the network by
deliberately shutting their fellow students or instructors out of the
network -- or running scripts to do the same -- and "security by
obscurity" seems like a losing bet in the academic network space.
 
2. From a technical standpoint, Windows 2003 does not allow a
"perpetual" lockout stance.  99,999 is the maximum number of minutes an
account can be locked out
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx>.  This translates to about 69.44 days,
which is less than a semester and less than a summer break.  Hence, we
can't truly comply with the recommended lockout duration.
 
We would like to conform to the recommendations our auditors have made,
but are having difficulty with this one.  Any suggestions or insights on
your experiences with Account Lockouts and/or utilities that manage this
would be greatly appreciated.
 
Saburo Usami
Director of Networking - Telecomm - IT Security
Sacred Heart University
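An added example, not part of either poster's message: a small Python model of the three Windows lockout settings discussed in this thread (threshold, duration, reset window), replayed over constructed timelines of bad logons to show why a duration of 0 ("Administrator Unlocks") never clears on its own, why the reset window matters, and how the quoted 99,999-minute maximum works out to 69.44 days. The `LockoutPolicy`, `AccountState` and `locked_after` names are mine, and the detail that an expired timed lockout also clears the bad-password counter is an assumption drawn from the policy names, not from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class LockoutPolicy:
    """The three Windows account-lockout settings from the thread."""
    threshold: int        # Account Lockout Threshold (0 = never lock)
    duration_min: int     # Account Lockout Duration (0 = Administrator Unlocks)
    reset_after_min: int  # Reset Account Lockout Counter After

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_min: Optional[float] = None
    locked_at_min: Optional[float] = None

def is_locked(acct: AccountState, pol: LockoutPolicy, now_min: float) -> bool:
    """True while locked at now_min. An expired timed lockout is cleared here,
    together with the bad-password counter (assumed Windows behaviour)."""
    if acct.locked_at_min is None:
        return False
    if pol.duration_min == 0:            # only an administrator can clear it
        return True
    if now_min < acct.locked_at_min + pol.duration_min:
        return True
    acct.locked_at_min, acct.bad_count, acct.last_bad_min = None, 0, None
    return False

def record_failure(acct: AccountState, pol: LockoutPolicy, now_min: float) -> bool:
    """Apply one bad logon at now_min; return whether the account is now locked."""
    if is_locked(acct, pol, now_min):
        return True                      # further attempts change nothing
    if acct.last_bad_min is not None and now_min - acct.last_bad_min >= pol.reset_after_min:
        acct.bad_count = 0               # reset window elapsed since last bad logon
    acct.bad_count += 1
    acct.last_bad_min = now_min
    if pol.threshold and acct.bad_count >= pol.threshold:
        acct.locked_at_min = now_min
    return acct.locked_at_min is not None

def admin_unlock(acct: AccountState) -> None:
    acct.locked_at_min, acct.bad_count, acct.last_bad_min = None, 0, None

def locked_after(pol: LockoutPolicy, failure_minutes: List[float], probe_min: float) -> bool:
    """Replay a constructed list of bad-logon times, then probe the lock state."""
    acct = AccountState()
    for t in failure_minutes:
        record_failure(acct, pol, t)
    return is_locked(acct, pol, probe_min)

MAX_LOCKOUT_MINUTES = 99_999             # Windows 2003 maximum quoted in the thread
def max_lockout_days() -> float:
    return MAX_LOCKOUT_MINUTES / (24 * 60)

CIS_ENTERPRISE = LockoutPolicy(threshold=15, duration_min=15, reset_after_min=15)
NIST_CHECKLIST = LockoutPolicy(threshold=3, duration_min=15, reset_after_min=15)
AUDITOR_RECOMMENDED = LockoutPolicy(threshold=3, duration_min=0, reset_after_min=15)
```

With `AUDITOR_RECOMMENDED`, three bad logons in a row leave the account locked at any later probe time until `admin_unlock` runs, which is the denial-of-service exposure Leigh describes; with the CIS or NIST values the same account is usable again 15 minutes after the lockout.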
 
