Educause Security Discussion mailing list archives
Re: Account Lockout Policies
From: "Cheek, Leigh" <lcheek () UTK EDU>
Date: Tue, 11 Jul 2006 15:45:23 -0400
Saburo,

If the lockout duration is set to the Administrator Unlocks (0), then you set yourself up for a denial of service attack. As an information system auditor, I use the Center for Internet Security or NIST as my guides for best practices.

The Center for Internet Security (www.cisecurity.org) benchmark recommends for Windows 2003 server enterprise and legacy computers the following:

  2.2.3.1 Account Lockout Duration      15 minutes
  2.2.3.2 Account Lockout Threshold     15 attempts
  2.2.3.3 Reset Account Lockout After   15 minutes

The benchmark for Specialized Security - Limited Functionality computers is as follows:

  2.2.3.1 Account Lockout Duration      15 minutes
  2.2.3.2 Account Lockout Threshold     10 attempts
  2.2.3.3 Reset Account Lockout After   15 minutes

The NIST Windows 2003 security checklist (http://csrc.nist.gov/checklists/repository/1084.html) recommends:

  Account Lockout Duration      15 minutes
  Account Lockout Threshold     3 attempts
  Reset Account Lockout After   15 minutes

Hope this helps.

Thanks,
Leigh Cheek, CIA, CISA
Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu

-----Original Message-----
From: Saburo Usami [mailto:UsamiS () SACREDHEART EDU]
Sent: Tuesday, July 11, 2006 2:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Account Lockout Policies

Sacred Heart University is configuring its Windows 2003 systems to conform with Best Practices as recommended by an external auditor. In addition to complexity requirements, their Best Practices recommendations include password policies set as follows:

- Account Lockout Threshold: 3 Attempts
- Account Lockout Duration: Administrator Unlocks

We have two separate problems with this recommendation.

1. From an administrative standpoint, we feel that these settings may actually encourage users (e.g., disgruntled students just prior to mid-terms/finals) to cause trouble for others on the network by deliberately shutting their fellow students or instructors out of the network -- or running scripts to do the same -- and "security by obscurity" seems like a losing bet in the academic network space.

2. From a technical standpoint, Windows 2003 does not allow a "perpetual" lockout stance. 99,999 is the maximum number of minutes an account can be locked out <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx>. This translates to about 69.44 days, which is less than a semester and less than a summer break. Hence, we can't truly comply with the recommended lockout duration.

We would like to conform to the recommendations our auditors have made, but are having difficulty with this one. Any suggestions or insights on your experiences with Account Lockouts and/or utilities that manage this would be greatly appreciated.

Saburo Usami
Director of Networking - Telecomm - IT Security
Sacred Heart University
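The following is an added example, not code from either poster: a small Python model of the three Windows lockout settings the thread discusses (threshold, lockout duration, reset-counter window), replayed against a constructed burst of bad passwords to show why a duration of 0 (Administrator Unlocks) turns that burst into a lockout that persists until someone intervenes, while the CIS and NIST 15-minute settings self-heal. The state machine is a simplification of the real policy engine, the event times are constructed, and the auditor's reset window is assumed since the thread does not state one.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN_UNLOCKS = 0  # Windows: "Account lockout duration" of 0 = locked until an administrator unlocks


@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold (bad attempts before lockout)
    duration_min: int     # Account lockout duration, minutes (0 = ADMIN_UNLOCKS)
    reset_after_min: int  # Reset account lockout counter after, minutes


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None   # minute of the most recent bad attempt
    locked_at: Optional[float] = None  # minute the lockout began, if any


def is_locked(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """True if the account is locked at minute `now` under this policy."""
    if state.locked_at is None:
        return False
    if policy.duration_min == ADMIN_UNLOCKS:
        return True  # only a manual unlock ever clears this
    return now < state.locked_at + policy.duration_min


def record_failure(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """Apply one failed logon at minute `now`; return whether the account is locked afterwards."""
    if is_locked(policy, state, now):
        return True
    state.locked_at = None  # any earlier timed lockout has expired
    # the bad-password counter resets once the reset window has passed quietly
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after_min:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.threshold:
        state.locked_at, state.bad_count = now, 0
        return True
    return False


def locked_after(policy: LockoutPolicy, failure_minutes, check_minute: float) -> bool:
    """Replay failed-logon times (minutes) and report the lock state at `check_minute`."""
    state = AccountState()
    for t in failure_minutes:
        record_failure(policy, state, t)
    return is_locked(policy, state, check_minute)


# Policies quoted in the thread: the external auditor's (reset window assumed), CIS enterprise, NIST.
AUDITOR = LockoutPolicy(threshold=3, duration_min=ADMIN_UNLOCKS, reset_after_min=15)
CIS_ENTERPRISE = LockoutPolicy(threshold=15, duration_min=15, reset_after_min=15)
NIST = LockoutPolicy(threshold=3, duration_min=15, reset_after_min=15)

# Constructed scenario: five wrong passwords against a classmate's account within one minute,
# followed by that classmate's own exam login an hour later.
BURST = [0.0, 0.2, 0.4, 0.6, 0.8]
```

Under AUDITOR the account is still locked at minute 60; under NIST it is locked at minute 10 but free again by minute 60, and under CIS_ENTERPRISE five attempts never reach the threshold.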
Current thread:
- Account Lockout Policies Saburo Usami (Jul 11)
- <Possible follow-ups>
- Re: Account Lockout Policies Eric Brewer (Jul 11)
- Re: Account Lockout Policies Graham Toal (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Cheek, Leigh (Jul 11)
- Re: Account Lockout Policies Randy Marchany (Jul 11)
- Re: Account Lockout Policies Gary Flynn (Jul 11)
- Re: Account Lockout Policies Gary Dobbins (Jul 11)
- Re: Account Lockout Policies Valdis Kletnieks (Jul 11)
- Re: Account Lockout Policies Russell Fulton (Jul 12)
- Re: Account Lockout Policies jack suess (Jul 12)
- Re: Account Lockout Policies Gary Flynn (Jul 13)
- Re: Account Lockout Policies Jonny Sweeny (Jul 14)
(Thread continues...)