Solved

Account lockout policy in Group Policy

Posted on 2013-06-11
465 Views
Last Modified: 2013-06-11
I'm trying to set account lockout because I think hackers are trying to run brute-force password discovery against our mail server. If 10 attempts to log in with a wrong password fail, I'd like to lock out accounts.

However, the Account Lockout Threshold policy under Group Policy says it counts only failed logon attempts made by Ctrl+Alt+Delete or the screen saver. Does it mean it will not count login failures against OWA or direct access to our mail server through telnet? If so, how do I disconnect the hacker's password discovery if failures only count for those two?
Question by:crcsupport
12 Comments
 
LVL 14

Accepted Solution

by:
Ben Hart earned 300 total points
ID: 39239088
Account Lockout options in GPO's affect all authentication attempts to a domain controller.
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239089
In GP management go to:
Computer Config>Policies>Windows Settings>Account Policies/Password Policy

Account Policies/Account Lockout Policy>Set to 10 but ideal is 3-5 attempts.

You will want to set this on the "Default Domain policy" so it is for all machines on the network.

At minimum set the lockout duration to 30 mins but 45 is ideal in my opinion.
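The same change TechOps07 describes in the Group Policy editor, done and verified from PowerShell. This is an added example, not code from the thread; it needs the ActiveDirectory module (RSAT) and domain admin rights, and the values (threshold 10, 30 minutes duration and window) are the thread's suggestions, not a recommendation of the cmdlet.

```powershell
# Added example, not from the thread: set the domain-wide lockout policy that
# the Default Domain Policy GPO controls, then read it back. Needs the
# ActiveDirectory module (RSAT) and domain admin rights. The values are the
# thread's suggestions (threshold 10, 30 minute duration) and are assumptions.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. What is in force now. These are user account settings, not computer
#    account settings, even though the GPO editor files them under
#    Computer Configuration.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, ComplexityEnabled

# 2. Desired values. Windows requires the observation window (the period in
#    which bad attempts accumulate) to be no longer than the lockout duration;
#    a duration of 0 means "locked until an administrator unlocks".
$threshold = 10
$duration  = New-TimeSpan -Minutes 30
$window    = New-TimeSpan -Minutes 30

if ($duration.Ticks -ne 0 -and $window -gt $duration) {
    throw "Observation window ($window) must not exceed lockout duration ($duration)"
}

Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold $threshold `
    -LockoutDuration $duration `
    -LockoutObservationWindow $window

# 3. Confirm the change took effect before relying on it.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($policy.LockoutThreshold -ne $threshold -or $policy.LockoutDuration -ne $duration) {
    throw "Policy not applied: threshold=$($policy.LockoutThreshold) duration=$($policy.LockoutDuration)"
}
"Lockout: $($policy.LockoutThreshold) attempts in $($policy.LockoutObservationWindow), locked for $($policy.LockoutDuration)"

# 4. Who is locked out right now (the helpdesk side of the duration trade-off).
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

The cmdlet writes the same domain attributes that the Default Domain Policy GPO sets through the PDC emulator. If the GPO still carries different values, a later policy refresh can put them back, so either make the change in the GPO at the path TechOps07 gives or keep both in agreement.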
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 50 total points
ID: 39239103
TechOps07 is right.  45 minutes would be ideal.  Most companies stick to 30 minutes so their helpdesk doesn't get bombarded, but 45 minutes is better (the attacker will get bored and move on).

The account policy at 10 is too long.  5 at the most (agreeing with TechOps07).
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239113
Something I found:

Also, here is a risk justification I wrote on this setting when we were challenged by our auditors and why setting this below 10 or even 50 for that matter, doesn't really improve security:

==============================================

The risk imposed by a single digit variance of this setting is negligible because the intent of this setting is to provide mitigation for and prevent brute force attacks against accounts. Assuming this setting is at 7, brute forcing of the accounts is still not possible as the minimum password length and password complexity settings in place (assuming minimum password length of at least 8 with complexity enabled) results in the number of possible password permutations for each individual account of 218 Trillion permutations that would need to be attempted and would take approximately 7 years to brute force the password assuming a rate of 1 million passwords per second. As long as the setting is < 10, the account would be locked out long before a successful brute force attack could be successfully executed.
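Working through the numbers in the justification above (an added note, not part of Ben Hart's post): the 218 trillion figure is exactly the keyspace of 8 characters drawn from the 62 upper-case letters, lower-case letters and digits, and the 7-year figure follows from it at one million guesses per second. The last line adds the guess rate a lockout policy actually permits against a single account, assuming a threshold of 10 bad attempts per 30-minute window, which is the bound the setting is there to impose.

$$62^{8} = 218{,}340{,}105{,}584{,}896 \approx 2.18 \times 10^{14}$$

$$\frac{2.18 \times 10^{14}}{10^{6}\ \text{guesses/s}} \approx 2.18 \times 10^{8}\ \text{s} \approx 6.9\ \text{years}$$

$$\text{with lockout: } \frac{10\ \text{guesses}}{30\ \text{min}} = 480\ \text{guesses/day}, \qquad \frac{2.18 \times 10^{14}}{480} \approx 4.5 \times 10^{11}\ \text{days}$$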
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239116
I.e. 30 minutes is completely acceptable. But set it to whatever you and your organization want.
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239123
Also there's quite a few people out there reporting that OWA over RPC registers as two bad passwd attempts.  So it's highly possible that setting the value to 4 will result in lockouts after 3 actual bad passwds.  Keep an eye on your logs for the first bit after setting it.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/aa3fc451-a2bd-4b76-a33d-b3901a23d4d2
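One way to "keep an eye on your logs" for the double-count effect described above, as an added example that is not part of the thread: it reads a domain controller's Security log for bad-password failures (event 4771, Kerberos pre-authentication failed with status 0x18) and lockouts (event 4740) and summarises them per account, so you can compare how many real bad passwords preceded each lockout. It assumes the ActiveDirectory module, rights to read the Security log on the DC, and a 24-hour look-back; the event field names are the ones Windows writes in the EventData XML.

```powershell
# Added example, not from the thread. Summarise bad-password failures (4771,
# status 0x18) and lockouts (4740) from a DC's Security log per account.
# Run it against the PDC emulator, where every lockout is recorded, or pass
# -ComputerName. Look-back period and field names are stated assumptions.
Import-Module ActiveDirectory

# Turn one event into an object keyed by the EventData field names, so we do
# not depend on the positional order of $event.Properties.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [PSCustomObject]$data
}

function Get-LockoutSummary {
    param(
        [string]$ComputerName = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 4771: Kerberos pre-authentication failed. Status 0x18 is "bad password";
    # other statuses (expired, clock skew, ...) are not lockout-relevant here.
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    $badPw = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $since
        } | ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.Status -eq '0x18' })

    # 4740: account locked out. In this event TargetDomainName carries the
    # "Caller Computer Name", i.e. the machine the bad attempts came through.
    $locks = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } | ForEach-Object { ConvertTo-EventData $_ })

    $users = @($badPw + $locks | ForEach-Object TargetUserName | Sort-Object -Unique)

    foreach ($u in $users) {
        $b = @($badPw | Where-Object TargetUserName -eq $u)
        $l = @($locks | Where-Object TargetUserName -eq $u)
        [PSCustomObject]@{
            Account        = $u
            BadPasswords   = $b.Count
            Lockouts       = $l.Count
            # Many bad passwords from one address against many accounts is the
            # pattern the question describes; one address per user is normal.
            SourceIPs      = ($b | ForEach-Object IpAddress | Sort-Object -Unique) -join ','
            LockoutCallers = ($l | ForEach-Object TargetDomainName | Sort-Object -Unique) -join ','
        }
    }
}

# Example run: accounts with the most failures first.
Get-LockoutSummary | Sort-Object BadPasswords -Descending | Format-Table -AutoSize
```

If the BadPasswords column for a locked account is roughly double the threshold you set, the client path is registering each wrong password twice, as the linked thread reports, and the threshold should be read in those terms.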
 
LVL 1

Author Comment

by:crcsupport
ID: 39239129
Why is this setting under Computer Configuration instead of User Configuration in GPO?
Does it mean that it locks out the account, not the computer? I'm worrying if this setting is under computer configuration, it may affect operation if the hacking is against server such as mail server?
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239166
Dude seriously.. that is the correct place.  Honestly IDK why it's listed under Computer but that's the correct place.

http://technet.microsoft.com/en-us/library/cc781491(v=ws.10).aspx
 
LVL 1

Author Comment

by:crcsupport
ID: 39239167
Also, can you take a look at the relay setting of the SMTP virtual server (attached). I want to correct any wrong configuration. Outbound mail is set as anonymous. Is it OK? We have other servers in the LAN that send out emails to clients. The servers contact our mail server as a smart host. This connection is anonymous, I guess, because there's no id and password to put in in the SMTP properties of the client server connecting to the mail server.
relay.jpg
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239177
Keep the relay permissions open, but yes IMO set only the IP's of machines that have a need to relay through Exchange/SMTP to help reduce the risk of clients becoming infected with spam bots.
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239335
What I suggested locks out the User's account and has NOTHING TO DO with the COMPUTER Accounts. Your mail server will function as normal.
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 39239487
The reason why it is under computer policy and not user policy is that the user has not logged in yet.  They are attempting to login so only hklm is loaded .. Once they have validated their credentials then the user policy takes effect.  Hope this clears things up.