How to protect the Besadmin account from a brute force password attack

Posted on 2011-04-19
Last Modified: 2012-06-22
We have been having an issue where the besadmin account is getting locked out because of outside attempts to use this account to get into some servers.  What are best policies to protect this account?

Question by:dross333

    Expert Comment

    by:Sudhakar Kumar
    Well, most of the time it is due to weak passwords. I always use 14-16 letter strong passwords.

    Strong password guidelines:
    •At least fourteen characters long, due to the way in which encryption works.
    •Contain both uppercase and lowercase letters.
    •Contain numbers.
    •Contain symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
    •Contain a symbol in the second, third, fourth, fifth or sixth position (due to the way in which encryption works).
    •Not resemble any of your previous passwords.
    •Not be your name, your friend's or family member's name, or your login.
    •Not be a dictionary word or common name.

    Some Examples-

    The other thing is never share the passwords, and you have to remember them. :-)

    Expert Comment

    by:Sudhakar Kumar
    Apart from a strong password, please consider the good practice of cross-checking service account permissions for a BlackBerry Enterprise Server.

    Accepted Solution

    As well as all of the above, also consider changing the login name of the BES Administrator account. BESadmin is quite common - BBAdmin is less so, for example.

    Check all of the services on the BES that are authenticated using the BES Admin account and ensure that their logon credentials are up to date. If the password is wrong in one of them, it will look like a brute force attack as it attempts to restart the service and constantly gets the password wrong.
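The check described in the accepted solution, written out as an added PowerShell example (it is not code from the thread or from BlackBerry): it lists every service and scheduled task on the BES host that logs on as the admin account, then pulls the domain's lockout events (4740) and groups them by the "Caller Computer Name" field, which is the host that sent the bad password. The account name, domain name and domain controller name are placeholders; the script assumes it is run elevated on the BES server with read access to the DC's Security log.

```powershell
param(
    [string]$Account          = 'besadmin',   # placeholder: the BES service account name
    [string]$Domain           = 'CONTOSO',    # placeholder: NetBIOS domain name
    [string]$DomainController = 'DC01',       # placeholder: a DC whose Security log holds 4740 events
    [int]$Hours               = 24
)

# Matches "besadmin", ".\besadmin", "CONTOSO\besadmin" and "besadmin@contoso.com".
$pattern = "(?i)^(\.\\|$Domain\\)?$Account(@.*)?$"

# 1. Services on this host that log on as the account. A service holding an old
#    password retries at every start and produces the same failed-logon stream
#    as a password-guessing attack.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, StartName, State, StartMode

# 2. Scheduled tasks that run as the account (schtasks /v includes the "Run As User" column).
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', Status, 'Last Result'

# 3. Lockout events (4740) from the DC. Fields are read by name from the event XML;
#    TargetDomainName carries the "Caller Computer Name", i.e. the host that sent
#    the bad password. Your own BES hostname there points to a stale stored
#    credential rather than to an outside attempt.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data['TargetUserName'] -ieq $Account) {
            New-Object PSObject -Property @{
                Time           = $_.TimeCreated
                CallerComputer = $data['TargetDomainName']
            }
        }
    }

"Services running as ${Domain}\${Account}:"
$services | Format-Table -AutoSize
"Scheduled tasks running as ${Domain}\${Account}:"
$tasks | Format-Table -AutoSize
"Lockouts of $Account in the last $Hours h, by caller computer:"
$lockouts | Group-Object CallerComputer | Select-Object Name, Count | Format-Table -AutoSize
```

If every lockout's caller computer is the BES server itself, the cause is almost certainly one of the listed services or tasks still holding the previous password; update that stored credential before changing anything in the lockout policy. Lockouts whose caller is an unknown host are the case the rest of the thread is about.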

    Author Comment

    Thanks for the responses.  But even if I have a strong password, after multiple wrong attempts the account gets locked out. Do I assign a policy of some sort so that it never gets locked out?  My concern is that if I do this, it just gives an attacker more attempts at trying to hack the password, as the account will never get locked out after a number of incorrect password attempts.
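The trade-off raised in the comment above (exempting the account from lockout removes the cap on guesses) is usually handled by keeping lockout on and adding detection that fires before the cap is hit. The following PowerShell is an added example, not code from the thread: it prints the domain's current lockout settings and then counts failed logons for the account per source address over a short window, so a guessing source can be blocked at the firewall while the lockout policy stays as the hard limit. It assumes it runs on a domain controller (or the server where the failures are logged); the account name and the thresholds are placeholders.

```powershell
param(
    [string]$Account     = 'besadmin',   # placeholder service account name
    [int]$WindowMinutes  = 15,
    [int]$AlertThreshold = 5             # illustrative; set it below the domain lockout threshold
)

# Current domain lockout settings (threshold, duration, observation window), so the
# alert threshold above can be chosen to fire before the account actually locks.
net accounts /domain

# Failed logons in the window: 4625 (NTLM / interactive failures, logged where the
# logon was tried) and 4771 (Kerberos pre-authentication failures, logged on the DC).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Read EventData fields by name; their positions differ between the two event IDs.
    $d = @{}
    foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d['TargetUserName'] -ieq $Account) {
        # 4625 carries the client IP in IpAddress ("-" for local) and the host in WorkstationName;
        # 4771 carries only IpAddress.
        $source = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
        # 4625 puts the reason in SubStatus (0xC000006A bad password, 0xC0000234 already locked);
        # 4771 puts it in Status (0x18 bad password).
        $reason = if ($d.ContainsKey('SubStatus')) { $d['SubStatus'] } else { $d['Status'] }
        New-Object PSObject -Property @{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Source = $source
            Reason = $reason
        }
    }
}

# Per-source counts; any source over the threshold is a candidate for blocking,
# while the lockout policy remains the cap on how many guesses get through.
$failures | Group-Object Source | Where-Object { $_.Count -ge $AlertThreshold } |
    ForEach-Object {
        "ALERT: {0} failed logons for {1} from {2} in the last {3} min" -f $_.Count, $Account, $_.Name, $WindowMinutes
    }
```

Run it from a scheduled task every few minutes and route the ALERT lines to whatever monitoring you already have. The point is that the per-source count trips well below the lockout threshold, so the legitimate BES services keep working and the guessing source is identified without ever giving the account unlimited attempts.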


    Expert Comment

    by:Mike Sullivan
    Change the login name for the account. An attacker can't compromise the account if they don't know the login name.

    Author Closing Comment

    Thank You
