Re: Alerting on Failed Audits

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/26/05

    Date: Tue, 25 Jan 2005 19:02:22 -0600
    
    

    It is in the Windows 2003 Server Security guide and other references,
    including the excellent white paper at the link below. I have also
    included some content from the Threats and Countermeasures guide as it
    discusses the "dual edged sword" of using account lockout policy with the
    potential for it to be used as a DOS attack against a domain. Note that it
    implies 50 as a good account lockout threshold if strong passwords are
    enforced. --- Steve

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    . Set Account Lockout Threshold to 0. This ensures that accounts will not be
    locked out. This setting will prevent a DoS attack that intentionally locks
    out all, or some specific, accounts. In addition, this setting helps reduce
    help desk calls because users cannot accidentally lock themselves out of
    their accounts. Because it will not prevent a brute force attack, this
    setting should only be chosen if both of the following criteria are
    explicitly met:

    . The password policy forces all users to have complex passwords made up of
    8 or more characters.

    . A robust auditing mechanism is in place to alert administrators when a
    series of failed logons are occurring in the environment.

    . If these criteria cannot be met, set Account Lockout Threshold to a high
    enough value to provide users the ability to accidentally mistype their
    password several times without locking their account, but ensure that a
    brute force password attack would still lock out the account. In this case,
    setting the value to a number such as 50 invalid logon attempts is a good
    recommendation. This setting will prevent accidental account lockouts,
    reducing the number of help desk calls, but will not prevent a DoS attack as
    mentioned above.

    "mherchel" <n/a> wrote in message
    news:O9V7R7wAFHA.3336@TK2MSFTNGP11.phx.gbl...
    > "MS recommends no less than ten bad attempts assuming you are also
    > enforcing complex passwords"
    >
    > Steve... just out of curiosity, where did you get this info from?
    >
    > Thanks,
    > Mike
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uTFIOanAFHA.2572@TK2MSFTNGP10.phx.gbl...
    >> You can use Event Comb to scan your dc security logs for failed account
    >> logons. It is free from Microsoft. For alerts you need other alternatives
    >> such as GFI from Languard. Account lockouts can be caused by many things
    >> other than hacking and if your firewall is configured properly and you
    >> have proper malware protection and host hardening then it would be a rare
    >> occurrence from outside the network and fairly easy to track down within
    >> the network. Networks that implement account lockout policy often have
    >> the threshold too low and MS recommends no less than ten bad attempts
    >> assuming you are also enforcing complex passwords. I would also enable
    >> auditing of account management for Domain Controller Security policy and
    >> Domain Security Policy if you need to track down account lockouts as more
    >> useful events will then be recorded on domain controllers and the
    >> computer where the lockout occurred. --- Steve
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event
    >> Comb
    >> http://www.gfi.com/nsm/
    >>
    >> "Ferdie" <ferdie@insane.com> wrote in message
    >> news:uRSKrlmAFHA.1396@tk2msftngp13.phx.gbl...
    >>> I would like to get alerts or reports whenever my DC's get a Failure
    >>> Audit. My goal is to identify when and why user accounts get locked out,
    >>> and if there is a hack attempt.
    >>>
    >>> Is there a way to gather the logs on my DC's and reports on the
    >>> failures? I'm just looking for the easiest way for now, since we will be
    >>> implementing an environmental monitoring service later.
    >>>
    >>> Thanks,
    >>> Ferdie
    >>>
    >>
    >>
    >
    >

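The quoted guidance makes running without lockout conditional on an auditing mechanism that alerts on a series of failed logons, which is also what Ferdie asked for. The following is an added example, not code from this thread, from Microsoft or from Event Comb: a Python sliding-window detector over a constructed export of Windows 2000/2003 security-log failure audits (event 529), which alerts when one account accumulates failures and, separately, when one source fails against many accounts, the pattern behind the lockout DoS the guide warns about; the export format, host names and thresholds are assumptions.

```python
# Added example (not from the thread): a small "robust auditing mechanism" of the
# kind the quoted guidance requires before lockout is disabled. It scans exported
# security-log lines for failed logons and raises per-account and per-source alerts.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export (assumed CSV layout): time, event id, account, source host.
# 529 is the Windows 2000/2003 "unknown user name or bad password" failure audit;
# 528 (successful logon) is present only to show that it is ignored.
SAMPLE_LOG = """\
2005-01-25T19:00:01,529,jsmith,WS01
2005-01-25T19:00:02,529,jsmith,WS01
2005-01-25T19:00:03,529,jsmith,WS01
2005-01-25T19:00:04,529,jsmith,WS01
2005-01-25T19:00:05,529,jsmith,WS01
2005-01-25T19:01:00,529,ferdie,WS02
2005-01-25T19:01:10,528,ferdie,WS02
2005-01-25T19:10:00,529,alice,UNKNOWN-HOST
2005-01-25T19:10:01,529,bob,UNKNOWN-HOST
2005-01-25T19:10:02,529,carol,UNKNOWN-HOST
"""
FAILED_LOGON_IDS = {529}

def parse(lines):
    """Yield (time, event id, account, source) for each non-blank export line."""
    for line in lines:
        if line.strip():
            ts, eid, account, source = line.strip().split(",")
            yield datetime.fromisoformat(ts), int(eid), account, source

def burst_alerts(lines, window=timedelta(minutes=5), per_account=5, per_source=3):
    """Sliding-window detector. Returns ('account', name) once an account reaches
    per_account failures inside the window, and ('source', host) once one source
    has failed against per_source distinct accounts inside the window."""
    acct_hits, src_hits, alerts = defaultdict(deque), defaultdict(deque), []
    for ts, eid, account, source in parse(lines):
        if eid not in FAILED_LOGON_IDS:
            continue
        q = acct_hits[account]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) == per_account:          # fire once when the threshold is hit
            alerts.append(("account", account))
        s = src_hits[source]
        s.append((ts, account))
        while ts - s[0][0] > window:
            s.popleft()
        if len({a for _, a in s}) == per_source:
            alerts.append(("source", source))
    return alerts

def sample_alerts():
    return burst_alerts(SAMPLE_LOG.splitlines())
```

On the constructed data this yields one alert for jsmith (five failures in five seconds) and one for UNKNOWN-HOST (three distinct accounts in three seconds), while ferdie's single mistyped password produces nothing.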
