This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
Account lockout is a common component of Directory Server [Password Policy] or [Account Expiration] policies: it locks a user account after too many failed bind or login attempts.
Such mechanisms are sometimes referred to as "[Intruder Detection]".
Once an account has been locked, that user will not be allowed to authenticate.
The lockout may be temporary (automatically ending after a specified period of time) or permanent (remaining in effect until an administrator resets the user's password).
!! Pros and Cons of Account Lockout[1]
On the face of it, account lockout seems like a good thing to implement as it makes it difficult for attackers to launch [brute-Force] [attacks|Attacker] against passwords for user accounts.
For example, if Account lockout threshold = 5, then after five wrong guesses of the user's password the account could be automatically locked out for Account lockout duration = 30 minutes. Once the 30 minutes elapse, the [attacker] gets another 5 attempts at cracking the password, after which he is locked out again. At that rate it will take a long time to crack a password.
On the other hand, if Account lockout threshold = 5 and the user hasn't had her coffee yet, she might easily mistype her password 5 times in a row and lock herself out. Then comes the proverbial call to Help Desk saying "I can't log on to my computer" and precious business resources are consumed, both in terms of the time spent resolving the problem and the loss of productivity for the user.
!But Wait, There Is More
What if the [attacker] doesn't care if he guesses the user's password?
Perhaps all he's interested in is preventing the user from logging on to the network. In this case the [attacker] can simply enter any random string for the user's password 5 times in a row and suddenly the user is unable to log on to her computer. Again an annoying call to Help Desk and lost productivity on the user's part. This demonstrates how an attacker can utilize account lockout to create a [Denial-of-Service] ([DoS]) condition.
While these examples seem somewhat contrived, since they assume the attacker has physical access to the network, it turns out account lockout involves much more than just typing wrong passwords into the logon prompt.
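The two scenarios above as a small simulation, added here as an example and not code from this wiki or from any directory server: a temporary lockout policy with the page's threshold of 5 and duration of 30 minutes, the daily guess budget it leaves an attacker, the lockout-as-[Denial-of-Service] case, and a simple detection heuristic over constructed (source, account) lockout records. The counter semantics (no observation window, counter reset when the lock expires) are assumptions, not those of any particular product.

```python
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed binds since the last reset
    locked_until: float = 0.0  # epoch seconds; 0 means not locked

class LockoutPolicy:
    """After `threshold` consecutive failures, refuse every bind for `duration` s."""
    def __init__(self, threshold=5, duration=30 * 60):
        self.threshold, self.duration = threshold, duration

    def attempt(self, state, now, password_ok):
        """One bind at time `now` (seconds); returns 'ok', 'fail' or 'locked'."""
        if now < state.locked_until:
            return "locked"        # lock in force: the password is not even checked
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.threshold:
            state.locked_until = now + self.duration
            state.failures = 0     # assumption: counter restarts once the lock expires
            return "locked"
        return "fail"

def guesses_per_day(policy):
    """Wrong passwords against one account for 24h: how many get evaluated?"""
    state, now, evaluated = AccountState(), 0.0, 0
    while now < 24 * 3600:
        if now < state.locked_until:
            now = state.locked_until   # nothing is evaluated until the lock expires
            continue
        policy.attempt(state, now, password_ok=False)
        evaluated += 1
    return evaluated                   # threshold guesses per lockout cycle

def lockout_dos(policy):
    """Second scenario above: wrong binds on a victim, then her real password."""
    state = AccountState()
    for _ in range(policy.threshold):
        policy.attempt(state, 0.0, password_ok=False)
    return policy.attempt(state, 60.0, password_ok=True)

def sources_locking_many_accounts(lockout_log, min_accounts=3):
    """Detection heuristic on (source, account) records: one source locking many accounts."""
    accounts_by_source = {}
    for source, account in lockout_log:
        accounts_by_source.setdefault(source, set()).add(account)
    return sorted(s for s, a in accounts_by_source.items() if len(a) >= min_accounts)
```

With the page's numbers, `guesses_per_day` comes to 48 cycles of 5 guesses, so the directory evaluates only 240 passwords per account per day, while `lockout_dos` shows the legitimate user refused with her correct password.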
!![eDirectory Locked By Intruder|Locked By Intruder]
[eDirectory uses a method for locking accounts|Locked By Intruder]
!![Active Directory Account Lockout]
[Active Directory Account Lockout method for locking accounts|Active Directory Account Lockout]
!! [OID and Intruder Detection]
Our experience is a little dated, but what we know is on [OID and Intruder Detection].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
[#1] Some information provided from: [http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html]