Re: Account lockouts

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 01/08/05


Date: Fri, 07 Jan 2005 21:26:09 -0800

Sure would. Yet another supporting argument for abandoning account lockouts
completely. Machine names, like user names, should never be considered secrets.
They are identifiers, and identifiers are meant to, well, *identify*, just
like your real name, your fingerprint, your retina scan. It's your authenticator
-- your password, your private key, your SecurID token -- that should be
kept secret.

Steve Riley
steriley@microsoft.com

> I've become a firm believer in your take on this since I heard you
> speak about this back in November. The IUSR_* and IWAM_* accounts for
> IIS are not much of a secret if you find out the machine
> name... wouldn't it be fairly easy to cause those to lock out? That
> would take down IIS or at least cripple it, wouldn't it?
>
> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:37649632405467646783168@news.microsoft.com...
>
>> Why don't you just disable account lockout? This feature is in the
>> product only to satisfy old-style auditing requirements and the
>> military. Really, though, it's more of a pain than anything else.
>> Account lockout supposedly protects you from password guessing or
>> cracking attacks. In reality they *create* opportunities for
>> denial-of-service attacks, and this could be what you're
>> experiencing. Users accidentally DoS themselves out of accounts all
>> the time; attackers can easily DoS entire domains since user IDs are
>> rarely secrets.
>>
>> If you enforce strong passwords with group policy or a passfilt.dll,
>> then you don't need account lockout at all. Someone did a study once
>> that showed the average cost for doing a password reset or account
>> unlock is US $70. There are better things to do with that money and
>> time!
>>
>> Steve Riley
>> steriley@microsoft.com
>>
>>> Hi,
>>>
>>> Hopefully this is the correct group to post to. My problem is as
>>> follows:
>>>
>>> One user's account keeps getting locked out. Using w2000 auditing I
>>> have established from which computer it is that the failed logon
>>> attempts are happening.
>>>
>>> Unfortunately they are happening from a Terminal Server connection. I
>>> have not been able to find a way of auditing which computer it is that
>>> is connecting to the terminal server and then creating 3 failed
>>> logon attempts.
>>>
>>> Is there any way of auditing computer connections to a server?
>>>
>>> We are in an AD w2000 domain with the latest SPs installed.
>>>
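As an added example (not part of this thread, and not Microsoft tooling), here is the kind of check a defender can run over failed-logon audit records to separate a user locking themselves out from the lockout denial-of-service pattern Steve describes, where one source drives many accounts to the lockout threshold. The record layout (timestamp, target account, source workstation), the threshold of 3 failures, the 30-minute window, the host names and the TERMINAL_SERVERS set are all assumptions for this example; the sample records are constructed, not real audit data.

```python
"""Flag account-lockout patterns in failed-logon audit records.

Added example, not code from the thread. The record layout is modelled on
Windows 2000 logon-failure audit events, which record the target account and
the workstation the attempt came from; field names and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, target account, source workstation).
SAMPLE_FAILURES = [
    # One user mistyping a changed password: one account, one source.
    ("2005-01-07 21:00:01", "jsmith", "WS-FINANCE-07"),
    ("2005-01-07 21:00:14", "jsmith", "WS-FINANCE-07"),
    ("2005-01-07 21:00:40", "jsmith", "WS-FINANCE-07"),
    # Several accounts pushed to the threshold from one source in seconds:
    # the lockout denial-of-service signature (account names are guessable).
    ("2005-01-07 21:05:00", "IUSR_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:01", "IUSR_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:02", "IUSR_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:03", "IWAM_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:04", "IWAM_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:05", "IWAM_WEB01", "LAB-PC-3"),
    ("2005-01-07 21:05:06", "administrator", "LAB-PC-3"),
    ("2005-01-07 21:05:07", "administrator", "LAB-PC-3"),
    ("2005-01-07 21:05:08", "administrator", "LAB-PC-3"),
    # Failures arriving via a Terminal Server: the source names the TS host,
    # not the client behind it. Three inside the window, one well outside.
    ("2005-01-07 21:10:00", "mlee", "TS-01"),
    ("2005-01-07 21:12:00", "mlee", "TS-01"),
    ("2005-01-07 21:20:00", "mlee", "TS-01"),
    ("2005-01-07 22:30:00", "mlee", "TS-01"),
]

LOCKOUT_THRESHOLD = 3                    # assumed: failures before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)   # assumed: observation window
TERMINAL_SERVERS = {"TS-01"}             # assumed: hosts whose "source" is a TS


def parse_records(rows):
    """Normalise raw rows: parse the timestamp, fold case on names."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), host.upper())
            for ts, user, host in rows]


def lockout_candidates(records, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {(account, source): peak failures} for pairs that reach the
    threshold within any sliding window of the given length."""
    by_pair = defaultdict(list)
    for ts, user, host in records:
        by_pair[(user, host)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


def lockout_report(records, min_accounts=3):
    """Group threshold-reaching pairs by source workstation.

    A source that drives min_accounts or more distinct accounts to the
    threshold is reported as 'multi-account' (the DoS pattern); a single
    account from a single source is reported as 'single-account'. The
    terminal_server flag marks sources where the workstation field cannot
    identify the real client."""
    by_source = defaultdict(set)
    for user, host in lockout_candidates(records):
        by_source[host].add(user)
    return {
        host: {
            "accounts": sorted(users),
            "verdict": "multi-account" if len(users) >= min_accounts else "single-account",
            "terminal_server": host in TERMINAL_SERVERS,
        }
        for host, users in by_source.items()
    }


if __name__ == "__main__":
    for host, info in sorted(lockout_report(parse_records(SAMPLE_FAILURES)).items()):
        print(host, info)
```

The terminal_server flag is the point the original poster ran into: when the failed attempts arrive through a Terminal Server session, the workstation recorded in the audit event is the Terminal Server itself, so the source column alone cannot say which client behind it is responsible. The per-source grouping is what distinguishes a user's own repeated mistakes (one account, one source) from one source sweeping many guessable account names to the threshold.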