Re: 3 Strikes Your Out Password Policy

From: KOCH, Jason (402363@bud.cc.swin.edu.au)
Date: 09/19/02

• Previous message: O'Malley, Patrick PEO EIS CPR / FCBS: "RE: Restricting access to a CD-WR drive on a Win2K Server"
• In reply to: Preston Hillensbeck: "3 Strikes Your Out Password Policy"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 19 Sep 2002 13:17:35 +1000 (AEST)
From: "KOCH, Jason" <402363@bud.cc.swin.edu.au>
To: Preston Hillensbeck <slightly@datasync.com>

Open gpedit.msc, Local Computer Policy -> Computer Configuration ->
Windows Settings -> Security Settings -> Account Policies -> Account
Lockout Policy -> Reset account lockout counter after

This should do the trick; however it doesn't automatically set it to good
once someone logs on. I imagine the reason it *isn't* automatically set
back to 0 after a successful logon is simply the fact that you can log in
a number of methods at a number of places within the network. Someone may
be trying to guess passwords, and at just the right time, your 'target'
username is logging on - resetting the passwords for the guesser. (kinda
vague explanation ... but i'm sure you get my point).

jasonk

On Wed, 18 Sep 2002, Preston Hillensbeck wrote:

> Our company recently implemented a policy of 3 wrong passwords and you are
> locked out. The question I have is, is there a way to reset the counter
> so that if you type in a wrong password, it will reset your invalid attempts
> back to 0? What is happenening is that people may type in a password wrong
> once, and it keeps on counting down even after they logged in successfully.
> We implemented this with Group Policy on our Windows 2000 Domain Controller.
> If anyone has any info on this, it would be greatly appreciated. Thanks.
>

---

• Previous message: O'Malley, Patrick PEO EIS CPR / FCBS: "RE: Restricting access to a CD-WR drive on a Win2K Server"
• In reply to: Preston Hillensbeck: "3 Strikes Your Out Password Policy"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Strong passwords and user locking? ... I've been asked to force our users to use strong passwords with user ... which in turn set the duration and Reset Account ... Lockout Counter After to 30 minutes. ... The policy is linked to my OU ... (microsoft.public.windows.server.security) Re: Delegate Control of OU in AD 2008 ... Are the accounts they try to reset the password higher level accounts than themself? ... change passwords, edit account info, disable and enable accounts. ... Manage Group Policy Links ... (microsoft.public.windows.server.active_directory) Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER ... So then the policy is disallowing all login by all users at all machines? ... boots up on cached profile only) The interactive logon problem has applied ... manual security reset. ... If you had not tried the reset we could have pulled you out of this, ... (microsoft.public.win2000.security) Re: Locking down database accounts ... Personally it sounds to me that your company has established a policy and is ... But bottom line if you have to use SQL Server logins and passwords, ... Whether it's an encrypted flat file or an encrypted XML file, ... (microsoft.public.sqlserver.security) RE: policy-based password cracker ... that required at least one upper, one lower and one number in all passwords. ... password checks can be eliminated due to the policy. ... Since the vast majority of the time for a brute-force attack is ... most brute-force attacks are very fast. ... (Pen-Test)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2002-09