Re: Logon Type Identification
From: Byron Hynes [MS] (nospam_at_byronetta.com)
Date: 09/29/05
- In reply to: Cindy: "Re: Logon Type Identification"
Date: Thu, 29 Sep 2005 10:02:43 -0700
Using an account lockout policy means trading one risk for another. You are
reducing the risk of a brute-force password attack, but establishing a system
where an attacker can lock everyone in your domain out of their computers
in a matter of minutes (in a Denial of Service attack). Even if that doesn't
happen, it generally tends to increase cost-of-ownership (help desk calls,
resets, etc.) and reduce productivity (during the time the user cannot access
his or her computer).

You may wish to consider addressing the root risk: requiring strong passwords,
and/or moving to two-factor authentication.

Byron Hynes
Windows Server
Microsoft Corporation
http://spaces.msn.com/members/byronphynes
> These were failure logons 5 in a row, could have locked out user if
> connected to network. That is why I was referring to password not
> being changed. Sorry for the confusion.
>
> Thanks, Cindy
>