Educause Security Discussion mailing list archives

Re: Account Lockout Policies


From: Eric Brewer <ebrewer () EMAIL SMITH EDU>
Date: Tue, 11 Jul 2006 14:59:21 -0400

We use 3 attempts before lockout, but the duration is short.  The point
is to stop automated attempts and random guessing so I don't see much
point in locking "forever".

On the larger question, while external auditors can be a pain to deal
with, we've found that a reasoned approach usually works.  Provide them
with a "business case" for what you do and, most importantly, a WRITTEN
POLICY supporting your approach since that's what they are generally auditing
against.  In other words, an audit says that you are, in fact, following
your policies.



-- Eric
=========
Eric Brewer
Computing & Tech Serv. Mgr.
Clark Science Center
Smith College
Northampton, MA 01063



Saburo Usami <UsamiS () SACREDHEART EDU> 7/11/2006 2:40 PM >>>
Sacred Heart University is configuring its Windows 2003 systems to
conform with Best Practices as recommended by an external auditor.  In
addition to complexity requirements, their Best Practices
recommendations include password policies set as follows:

- Account Lockout Threshold: 3 Attempts
- Account Lockout Duration: Administrator Unlocks

We have two separate problems with this recommendation.

1. From an administrative standpoint, we feel that these settings may
actually encourage users (e.g., disgruntled students just prior to
mid-terms/finals) to cause trouble for others on the network by
deliberately shutting their fellow students or instructors out of the
network -- or running scripts to do the same -- and "security by
obscurity" seems like a losing bet in the academic network space.

2. From a technical standpoint, Windows 2003 does not allow a
"perpetual" lockout stance.  99,999 is the maximum number of minutes an
account can be locked out
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx> .  This translates to about 69.44 days,
which is less than a semester and less than a summer break.  Hence, we
can't truly comply with the recommended lockout duration.

We would like to conform to the recommendations our auditors have made,
but are having difficulty with this one.  Any suggestions or insights on
your experiences with Account Lockouts and/or utilities that manage this
would be greatly appreciated.

Saburo Usami
Director of Networking - Telecomm - IT Security
Sacred Heart University
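The deliberate-lockout concern raised in point 1 above is something a defender can watch for in the lockout events the domain controller already records. The following is an added example, not code from either poster: it groups lockout records by the caller computer that reported the failures and flags any single source that locks out several distinct accounts within a short window, which is the signature of someone (or a script) locking out classmates rather than a user mistyping their own password. The record layout mirrors the fields of Windows security event 4740 ("A user account was locked out"; Windows 2003 used event 644 for the same condition), and the sample records, host names and accounts are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lockout records (timestamp, locked-out account,
# Caller Computer Name as reported in event 4740). All values are made up.
SAMPLE_EVENTS = [
    ("2006-07-11 13:58:02", "jsmith",   "LAB-PC-07"),
    ("2006-07-11 13:58:09", "mwong",    "LAB-PC-07"),
    ("2006-07-11 13:58:15", "tgarcia",  "LAB-PC-07"),
    ("2006-07-11 13:58:21", "profhall", "LAB-PC-07"),
    ("2006-07-11 13:58:30", "akim",     "LAB-PC-07"),
    ("2006-07-11 14:20:44", "bjones",   "BJONES-LAPTOP"),  # ordinary self-inflicted lockout
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_lockout_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: sorted distinct accounts} for every caller computer that
    locked out at least `min_accounts` different accounts within `window`.

    A single caller locking out many accounts in a short time is what a
    malicious mass-lockout looks like; one user locking out only their own
    account is not flagged.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((parse_ts(ts), account))

    flagged = {}
    for caller, rows in by_caller.items():
        rows.sort()  # time order so a sliding window can be applied
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {acct for _, acct in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[caller] = sorted(accounts | set(flagged.get(caller, [])))
    return flagged


if __name__ == "__main__":
    for caller, accounts in find_lockout_bursts(SAMPLE_EVENTS).items():
        print(f"{caller}: locked out {len(accounts)} distinct accounts -> {accounts}")
```

Tune `window` and `min_accounts` to the site's lockout threshold and observation window; a short lockout duration, as Eric describes, limits the damage while this kind of check points at the source.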

