Re: Account lockouts

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 01/06/05


Date: Wed, 05 Jan 2005 18:32:45 -0800

Why don't you just disable account lockout? This feature is in the product
only to satisfy old-style auditing requirements and the military. Really,
though, it's more of a pain than anything else. Account lockout supposedly
protects you from password guessing or cracking attacks. In reality they
*create* opportunities for denial-of-service attacks, and this could be what
you're experiencing. Users accidentally DoS themselves out of accounts all
the time; attackers can easily DoS entire domains since user IDs are rarely
secrets.

If you enforce strong passwords with group policy or a passfilt.dll, then
you don't need account lockout at all. Someone did a study once that showed
the average cost for doing a password reset or account unlock is US $70.
There are better things to do with that money and time!

Steve Riley
steriley@microsoft.com

> Hi,
>
> Hopefully this is the correct group to post to. My problem is as
> follows:
>
> One user's account keeps getting locked out. Using W2000 auditing I
> have established from which computer it is that the failed logon
> attempts are happening.
>
> Unfortunately they are happening from a Terminal Server connection. I
> have not been able to find a way of auditing which computer it is that
> is connecting to the terminal server and then creating 3 failed logon
> attempts.
>
> Is there any way of auditing computer connections to a server?
>
> We are in an AD W2000 domain with the latest SPs installed.
>
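As an added example, not part of this thread and not a Microsoft tool: a small Python script that works both sides of the exchange above from a defender's seat. It takes logon-failure audit records, answers the original question (which client behind the Terminal Server keeps failing for one user) and tests Steve's point about lockout as a denial-of-service vector (one source spraying bad passwords across many accounts). The record format is a constructed, simplified CSV (time, event ID, account, workstation, client address); a real Windows 2000 security-log export would have to be mapped into these fields, and the client-address column assumes the Terminal Server records the connecting client's address next to each failure, which is exactly what the poster could not find in the stock audit events. Event IDs 529 (logon failure: bad password) and 644 (account locked out) are the Windows NT/2000 audit IDs; the lockout threshold of 3 is the value from the question.

```python
"""Added example: aggregate Windows 2000 logon-failure audit records to find
the source of repeated bad-password attempts, and to spot lockout abuse.
The record format is a constructed, simplified CSV, not a real log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, event id, account, workstation, client.
# 529 = logon failure (bad password), 644 = account locked out.
# Terminal Server logons show the server itself (TS01) as the workstation,
# so the client address column is what distinguishes the real source
# (assumption: the Terminal Server can supply that address).
SAMPLE_LOG = """\
2005-01-05 08:01:10,529,jsmith,TS01,10.1.4.22
2005-01-05 08:01:15,529,jsmith,TS01,10.1.4.22
2005-01-05 08:01:21,529,jsmith,TS01,10.1.4.22
2005-01-05 08:01:30,644,jsmith,TS01,10.1.4.22
2005-01-05 08:05:00,529,bjones,WS-ACCT-03,10.1.9.5
2005-01-05 08:40:00,529,jsmith,WS-ACCT-07,10.1.9.11
2005-01-05 09:00:00,529,alice,TS01,10.1.4.22
2005-01-05 09:00:01,529,bob,TS01,10.1.4.22
2005-01-05 09:00:02,529,carol,TS01,10.1.4.22
2005-01-05 09:00:03,529,dave,TS01,10.1.4.22
"""

LOCKOUT_THRESHOLD = 3                    # bad-password count from the question
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed lockout observation window


def parse_log(text):
    """Parse the constructed CSV into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation, client = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": int(event_id),
            "account": account,
            "workstation": workstation,
            "client": client,
        })
    return records


def failures_by_source(records, account):
    """Count 529 events for one account per (workstation, client address),
    most frequent first: 'which machine keeps failing for this user?'."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == 529 and r["account"] == account:
            counts[(r["workstation"], r["client"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def accounts_near_lockout(records, threshold=LOCKOUT_THRESHOLD,
                          window=OBSERVATION_WINDOW):
    """Accounts whose 529 events reach `threshold` inside any sliding window
    of length `window`; these are the accounts the policy will lock."""
    per_account = defaultdict(list)
    for r in records:
        if r["event"] == 529:
            per_account[r["account"]].append(r["time"])
    hits = set()
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(account)
                break
    return sorted(hits)


def lockout_dos_sources(records, min_accounts=3, window=OBSERVATION_WINDOW):
    """Sources whose failures spread over many distinct accounts within one
    window: the shape of a deliberate lockout denial of service rather than
    one user mistyping their own password."""
    by_source = defaultdict(list)  # (workstation, client) -> [(time, account)]
    for r in records:
        if r["event"] == 529:
            by_source[(r["workstation"], r["client"])].append((r["time"], r["account"]))
    flagged = []
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({a for _, a in events[start:end + 1]}) >= min_accounts:
                flagged.append(source)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Failure sources for jsmith:", failures_by_source(recs, "jsmith"))
    print("Accounts at lockout threshold:", accounts_near_lockout(recs))
    print("Possible lockout-DoS sources:", lockout_dos_sources(recs))
```

On the sample data the script attributes jsmith's three failures to client 10.1.4.22 behind TS01 rather than to the Terminal Server itself, and the same client is flagged for hitting four different accounts within one window, which is the pattern Steve describes: with user IDs public, a single machine can lock out a whole set of accounts without ever knowing a password. The sliding-window logic is the piece to keep even if the record format changes.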