Educause Security Discussion mailing list archives
Re: 802.1X password reset issues
From: Brian Epstein <bepstein () IAS EDU>
Date: Wed, 14 Nov 2018 15:58:34 -0500
Hi Jim,

Full disclosure, I've not implemented this, but am looking to do so at a future time.

Which part of your infrastructure is doing the locking? If it is your directory, and you are using AD, you should be able to set the Password History Check to a higher setting to avoid this exact situation. Then, you would just need some way of identifying users in this situation and reminding them of the offending devices.

"Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error."

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)

Thanks,
ep

On 11/14/2018 03:37 PM, Pardonek, Jim wrote:
> We are getting some grumbling from several staff that get into a password lockout condition when changing their twice a year required password. We mostly see this when people have multiple devices connected to the wireless network and they forget one of them and it locks out from re-auth requests, or if they don't change the password for their email client and that locks us out.
>
> We have recommended procedures (turn off all devices but one and re-do the password one at a time). We've tried to make it less painful by upping the number of failed password attempts before it locks out, but I don't want to get to a point where we sacrifice security for convenience.
>
> Do any of you folks have similar issues, and what have you done to make it easier?
>
> Thanks,
> Jim
>
> James Pardonek, MS, CISSP, CEH, GSNA
> Information Security Officer
> Loyola University Chicago
> 1032 W. Sheridan Road | Chicago, IL 60660
> Phone: (773) 508-6086
>
> Loyola University Chicago will never ask you for your username or password.
> For the latest information security news at Loyola, please follow us online:
> Twitter: @LUCUISO
> Facebook: https://www.facebook.com/lucuiso/
> Our Blog: http://blogs.luc.edu/uiso/
--
Brian Epstein <bepstein () ias edu> +1 609-734-8179
Manager, Network and Security
Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78
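As an added example (not part of Brian's reply or of the list thread), the Python below models the two points made above: the N-2 password history check on badPwdCount that Brian quotes from the Microsoft documentation, and a way to identify the "offending devices" from authentication logs so the user can be reminded which supplicant still holds the old password. The lockout threshold, the RADIUS-style log format, the user names and the MAC addresses are all constructed for illustration; the hashing is a stand-in, not the directory's real password storage.

```python
import hashlib
import re
from collections import defaultdict

# Assumed lockout policy; the thread gives no threshold value.
LOCKOUT_THRESHOLD = 5
# Number of history entries the N-2 check consults (two, per the quoted doc).
HISTORY_CHECK_DEPTH = 2


def _digest(password):
    """Stand-in for the directory's stored hash (constructed, not an NT hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """Minimal model of badPwdCount handling with the N-2 history check."""

    def __init__(self, password, history_check=True):
        self.current = _digest(password)
        self.history = []            # previous password digests, newest first
        self.bad_pwd_count = 0
        self.locked = False
        self.history_check = history_check

    def change_password(self, new_password):
        self.history.insert(0, self.current)
        self.current = _digest(new_password)
        self.bad_pwd_count = 0

    def authenticate(self, password):
        if self.locked:
            return False
        digest = _digest(password)
        if digest == self.current:
            self.bad_pwd_count = 0
            return True
        # N-2: a stale-but-recent password does not count toward lockout.
        if self.history_check and digest in self.history[:HISTORY_CHECK_DEPTH]:
            return False
        self.bad_pwd_count += 1
        if self.bad_pwd_count >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


def stale_device_retries(history_check, changes=1, attempts=10):
    """A forgotten supplicant keeps presenting the password from before
    `changes` password changes. Returns (badPwdCount, locked)."""
    acct = Account("Autumn-2018!", history_check=history_check)
    for i in range(changes):
        acct.change_password(f"Spring-{i}!")
    for _ in range(attempts):
        acct.authenticate("Autumn-2018!")
    return acct.bad_pwd_count, acct.locked


# Constructed RADIUS/NPS-style result lines (not real log output).
SAMPLE_LOG = """\
2018-11-14T09:01:02 Access-Reject user=jdoe calling-station-id=AA-BB-CC-00-11-22
2018-11-14T09:01:32 Access-Reject user=jdoe calling-station-id=AA-BB-CC-00-11-22
2018-11-14T09:02:02 Access-Reject user=jdoe calling-station-id=AA-BB-CC-00-11-22
2018-11-14T09:02:10 Access-Reject user=jdoe calling-station-id=DD-EE-FF-33-44-55
2018-11-14T09:02:40 Access-Accept user=jdoe calling-station-id=11-22-33-44-55-66
2018-11-14T09:03:00 Access-Reject user=asmith calling-station-id=AA-AA-AA-AA-AA-AA
"""

LINE_RE = re.compile(
    r"^\S+ (Access-Reject|Access-Accept) user=(\S+) calling-station-id=(\S+)$"
)


def offending_devices(log_text, min_rejects=2):
    """Map each user to the devices (Calling-Station-Id) that were rejected at
    least `min_rejects` times and never accepted: the stale supplicants to
    remind the user about."""
    rejects = defaultdict(lambda: defaultdict(int))
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        result, user, station = m.groups()
        if result == "Access-Reject":
            rejects[user][station] += 1
        else:
            accepted[user].add(station)
    report = {}
    for user, per_station in rejects.items():
        stale = sorted(s for s, n in per_station.items()
                       if n >= min_rejects and s not in accepted[user])
        if stale:
            report[user] = stale
    return report


if __name__ == "__main__":
    print("N-2 on, one change:   ", stale_device_retries(True))
    print("N-2 off, one change:  ", stale_device_retries(False))
    print("N-2 on, three changes:", stale_device_retries(True, changes=3))
    print("stale devices:", offending_devices(SAMPLE_LOG))
```

The third simulation shows the limit of the setting: once a user has changed the password twice more, the forgotten device's password falls outside the two-entry window and every retry counts again, so the device-reminder step is still needed.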