Re: limit the maximum time allowed for a log-in attempt

From: Winnie Yip (winnieyip_at_rocketmail.com)
Date: 05/27/03 

Date: Mon, 26 May 2003 18:55:22 -0700

Dear Rob,

This is not exactly what I want. Your solution is trying
to create a delay between each consecutive login attempt
so that the hacker find it hard to hack the system.

Let me try to illustrate the problem with a case: If the
user pressed CLTR_ALT_DEL at windows logon and typed in
his username and password field, he/she has not finished
the input and his/her mobile rang. The user answered the
phone call and left the workstation. If the "limit the
maximum time allowed for a log-in attempt" is implemented,
the system would bring up the "CLTR-ALT-DEL" screen again
after certain period of time and the user are required to
type the username and password again.

By the way, thanks very much for your help. :)

Regards,
Winnie
-----Original Message-----
>Winnie Yip wrote:
>> Yes. What I mean is the time allowed for user to log on
>> the windows system.
>>
>> If the user has typed in the user name and password but
>> he/she has not pressed the enter button, the system will
>> reset the user current log-in attempt and ask the user
to
>> press the CLTR-ALT-DEL to logon again.
>>
>> As far as I know (please correct me if I was wrong),
there
>> is some delay between consecutive windows logon attempt.
>> This is to make the hackers/intruder more difficult to
>> attack it. This is the "minimum time between each logon"
>> and what I want is exactly opposite. For some secure
>> system, the maximum time allowed for a log-in attempt is
>> implememted and in fact it is one of the requirement
>> stated in the BS7799.
>>
>> I have tried to look at the GPO settings but nothing I
can
>> find ....:(
>>
>> Hopefully someone who haw the knowledge can answer my
>> question as soon as possible. In fact I have tried to
>> search the web for 2 days and get nothing.
>
>Ok, now I understand exactly what you want, I think I can
help. Sorry if my
>earlier reply seemed a bit "picky" but if you've already
been searching for
>2 days I'm sure you'll appreciate my not wanting to waste
your time going
>down a blind alley!
>
>As I understand it, you want to implement an enforced
delay between login
>attempts so that if I try to login once, incorrectly, I
have to wait X
>number of minutes before I can do so again. The sort of
thing you might want
>to do to make a directory attack on a password rather
painful and
>long-winded.
>
>Assuming I'm right so far, have you looked at
>{GPO or Local computer policy}
>-->Computer Configuration
>--->Windows Settings
>---->Security Settings
>----->Account Policies
>------>Account Lockout Policy
>
>There are 3 objects here: "Account Lockout Threshold",
which controls the
>amount of invalid login attempts allowed before the
events controlled in the
>other objects occur; next is "Account Lockout Duration"
which controls how
>long an account is locked out for; and finally we
have "Reset account
>lockout after" which controls the duration watched to
arrive at the account
>lockout threshold figure.
>
>It seems to me that if you set the "account lockout
threshold" to 1 invalid
>login attempt(s), and the "account lockout duration" to 5
minutes (or of
>course whatever value you desire), and "reset account
lockout counter after"
>to something like half an hour, you'll have have pretty
much what you want?
>
>--
>--
>Rob Moir
>Microsoft MVP for Windows / Security
>www.robertmoir.co.uk
>
>
>.
>