Account Lockout


Account lockout is often a component of most Directory Servers Password Policy or Account Expiration policies that may be used to lock user accounts after too many failed bind or login attempts.

Sometimes referred to as "Intruder Detection" methods.

Once an account has been locked, that user will not be allowed to authenticate.

The lockout may be temporary (automatically ending after a specified period of time) or permanent (remaining in effect until an administrator resets the user's password).

Pros and Cons of Account Lockout[1]#

On the face of it, account lockout seems like a good thing to implement as it makes it difficult for attackers to launch brute-Force attacks against passwords for user accounts.

For example, if Account lockout threshold = 5 then after five guesses of the user's password the user's account could be automatically locked out for Account lockout duration = 30 minutes. Then after 30 minutes elapses the attacker gets another 5 attempts at cracking the password, after which he is locked out again. Obviously it will take some time this way to crack a password.

On the other hand, if Account lockout threshold = 5 and the user hasn't had her coffee yet, she might easily mistype her password 5 times in a row and lock herself out. Then comes the proverbial call to Help Desk saying "I can't log on to my computer" and precious business resources are consumed, both in terms of the time spent resolving the problem and the loss of productivity for the user.

But Wait There is more#

What if the attacker doesn't care if he guesses the user's password?

Perhaps all he's interested in is preventing the user from logging on to the network. In this case the attacker can simply enter any random string for the user's password 5 times in a row and suddenly the user is unable to log on to her computer. Again an annoying call to Help Desk and lost productivity on the user's part. This demonstrates how an attacker can utilize account lockout to create a Denial-of-Service (DoS) condition.

While these examples seem somewhat contrived since they assume an attacker has physical access to the network, it turns out account lockout is much more than just typing wrong passwords into the Log On.

eDirectory Locked By Intruder#

eDirectory uses a method for locking accounts

Active Directory Account Lockout#

Active Directory Account Lockout method for locking accounts|Active Directory Account Lockout]

OID and Intruder Detection#

Our experience is a little dated, but what we know on OID and Intruder Detection

More Information#

There might be more information for this subject on one of the following:
[#1] Some information provided from: http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html