Security Basics mailing list archives
Re: Logon Failure Compliance
From: krymson () gmail com
Date: 11 Dec 2007 17:19:16 -0000
If I may ask, what is the policy statement these managers are supposed to be complying with? Getting someone (management) to care about various technical events is maybe our hardest challenge, and part of the balance between security and usability (or security energy vs energy spent on their actual job duties). You can track these things, and let them know that John Doe had 7 logon failures in a row, but I would bet most people just don't care. And you can't necessarily make them care. 1) Put your issues into a ticket tracking system. This way you'll have logged the incidents, and if they don't respond or do anything, you'll at least CYA. 2) Force users to request support if they lock themselves out due to logon failures, by not expiring the lockouts. This forces a ticket to be opened, pretty much, and allows you to explain the needs/causes as you or your staff unlock the account. 3) Keep track in your recording or tickets what account was failing and the IP/system that was trying to log into the account. If you have DHCP in your network, as soon as possible verify the system with that IP at that moment. If I (do or try to) log into John Doe's account from my machine, that should be a red flag, depending on your security policies. If this happens for a few days every 60 days, this might indicate an employee is using someone else's account and doesn't yet have the newly changed password...of course, it might just mean someone is putting in their old one! <- snip -> Im looking for how others monitor and follow up on domain account logon failures. The reason being, I'd think there has to be a better way of doing it than what we currently have in place. I have the reporting part together, but its the tracking, manager follow up, and keeping on the management when they dont follow up that is causing problems. I invite ideas from everyone, even software vendors out there, this is a mess! Thanks!
Current thread:
- Logon Failure Compliance xelerated (Dec 10)
- <Possible follow-ups>
- Re: Logon Failure Compliance krymson (Dec 12)