Re: limit the maximum time allowed for a log-in attempt
From: Robert Moir (bofh_at_mvps.org)
Date: 05/26/03
Date: Mon, 26 May 2003 20:49:08 +0100
Winnie Yip wrote:
> Yes. What I mean is the time allowed for user to log on
> the windows system.
>
> If the user has typed in the user name and password but
> he/she has not pressed the enter button, the system will
> reset the user current log-in attempt and ask the user to
> press the CTRL-ALT-DEL to logon again.
>
> As far as I know (please correct me if I was wrong), there
> is some delay between consecutive windows logon attempts.
> This is to make the hackers/intruder more difficult to
> attack it. This is the "minimum time between each logon"
> and what I want is exactly opposite. For some secure
> system, the maximum time allowed for a log-in attempt is
> implemented and in fact it is one of the requirements
> stated in the BS7799.
>
> I have tried to look at the GPO settings but nothing I can
> find ....:(
>
> Hopefully someone who has the knowledge can answer my
> question as soon as possible. In fact I have tried to
> search the web for 2 days and get nothing.

Ok, now I understand exactly what you want, I think I can help. Sorry if my
earlier reply seemed a bit "picky" but if you've already been searching for
2 days I'm sure you'll appreciate my not wanting to waste your time going
down a blind alley!

As I understand it, you want to implement an enforced delay between login
attempts so that if I try to login once, incorrectly, I have to wait X
number of minutes before I can do so again. The sort of thing you might want
to do to make a directory attack on a password rather painful and
long-winded.

Assuming I'm right so far, have you looked at

{GPO or Local computer policy}
-->Computer Configuration
--->Windows Settings
---->Security Settings
----->Account Policies
------>Account Lockout Policy

There are 3 objects here: "Account Lockout Threshold", which controls the
amount of invalid login attempts allowed before the events controlled in the
other objects occur; next is "Account Lockout Duration" which controls how
long an account is locked out for; and finally we have "Reset account
lockout after" which controls the duration watched to arrive at the account
lockout threshold figure.

It seems to me that if you set the "account lockout threshold" to 1 invalid
login attempt(s), and the "account lockout duration" to 5 minutes (or of
course whatever value you desire), and "reset account lockout counter after"
to something like half an hour, you'll have pretty much what you want?

--
Rob Moir
Microsoft MVP for Windows / Security
www.robertmoir.co.uk
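
A simplified model of how the three Account Lockout Policy settings named in the message above interact, as an added example that is not part of the original post. The class and function names, the sample attempts, and the rule that attempts made during a lockout are rejected without being counted are assumptions of this sketch; the `problems()` check reflects the constraint Windows places on these settings, that the reset window may not be longer than the lockout duration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # "Account lockout threshold" (0 = never lock out)
    duration_min: int     # "Account lockout duration", minutes (> 0 in this model)
    reset_after_min: int  # "Reset account lockout counter after", minutes

    def problems(self):
        """Return the reasons Windows would not accept this combination."""
        if self.threshold > 0 and self.reset_after_min > self.duration_min:
            return ["reset window is longer than the lockout duration"]
        return []

def replay(policy, attempts):
    """Replay (minute, password_ok) attempts in time order for one account.

    Returns one outcome per attempt: "ok", "bad", "bad->locked" or "locked".
    Assumption: attempts made while locked out are rejected and not counted.
    """
    bad_count, last_bad, locked_until = 0, None, None
    outcomes = []
    for minute, password_ok in attempts:
        if locked_until is not None and minute < locked_until:
            outcomes.append("locked")   # even a correct password is refused
            continue
        # The counter is cleared once the reset window has passed
        # since the most recent bad password.
        if last_bad is not None and minute - last_bad >= policy.reset_after_min:
            bad_count = 0
        if password_ok:
            bad_count = 0
            outcomes.append("ok")
            continue
        bad_count += 1
        last_bad = minute
        if policy.threshold and bad_count >= policy.threshold:
            locked_until = minute + policy.duration_min
            bad_count = 0
            outcomes.append("bad->locked")
        else:
            outcomes.append("bad")
    return outcomes

if __name__ == "__main__":
    # Constructed sample: one typo at minute 0, correct password afterwards.
    typo_then_retry = [(0, False), (3, True), (6, True)]
    print(replay(LockoutPolicy(1, 5, 5), typo_then_retry))
    print(replay(LockoutPolicy(3, 30, 30), typo_then_retry))
    print(LockoutPolicy(1, 5, 30).problems())
```

With a threshold of 1 the reset window never comes into play, because the first bad password already triggers the lockout; it only matters once the threshold is 2 or more.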