Solved

Account lockout policy in Group Policy

Posted on 2013-06-11
12
506 Views
Last Modified: 2013-06-11
I'm trying to set account lockout because I think hackers are trying to run brute-force password discovery against our mail server. If 10 attempts to log in with a wrong password fail, I'd like to lock out accounts.

However, the Account Lockout Threshold policy under Group Policy says it only counts failed logon attempts made via Ctrl+Alt+Delete or the screen saver. Does it mean it will not count login failures against OWA or direct access to our mail server through telnet? If so, how do I stop the hacker's password discovery if failures are only counted for those two?
0
Comment
Question by:crcsupport
12 Comments
 
LVL 14

Accepted Solution

by:
Ben Hart earned 300 total points
ID: 39239088
Account Lockout options in GPO's affect all authentication attempts to a domain controller.
0
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239089
In GP management go to:
Computer Config>Policies>Windows Settings>Account Policies/Password Policy

Account Policies/Account Lockout Policy>Set to 10 but ideal is 3-5 attempts.

You will want to set this on the "Default Domain policy" so it is for all machines on the network.

At minimum set the lockout duration to 30 mins but 45 is ideal in my opinion.
0
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 50 total points
ID: 39239103
TechOps07 is right.  45 minutes would be ideal.  Most companies stick to 30 minutes so their helpdesk doesn't get bombarded but 45 minutes is better (the attacker will get bored and move on).

The account policy at 10 is too long.  5 at the most (agreeing with TechOps07).
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239113
Something I found:

Also, here is a risk justification I wrote on this setting when we were challenged by our auditors and why setting this below 10 or even 50 for that matter, doesn't really improve security:

==============================================

The risk imposed by a single digit variance of this setting is negligible because the intent of this setting is to provide mitigation for and prevent brute force attacks against accounts. Assuming this setting is at 7, brute forcing of the accounts is still not possible as the minimum password length and password complexity settings in place (assuming minimum password length of at least 8 with complexity enabled) results in the number of possible password permutations for each individual account of 218 Trillion permutations that would need to be attempted and would take approximately 7 years to brute force the password assuming a rate of 1 million passwords per second. As long as the setting is < 10, the account would be locked out long before a successful brute force attack could be successfully executed.
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239116
I.e. 30 minutes is completely acceptable. But set it to whatever you and your organization want.
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239123
Also there are quite a few people out there reporting that OWA over RPC registers as two bad passwd attempts.  So it's highly possible that setting the value to 4 will result in lockouts after 3 actual bad passwds.  Keep an eye on your logs for the first bit after setting it.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/aa3fc451-a2bd-4b76-a33d-b3901a23d4d2
0
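The risk justification above (218 trillion candidates, about 7 years at 1 million guesses per second) and the OWA double-counting caveat can both be checked with a small model. This is an added example, not code from the thread or from anyone in it; the "stealthy" and "noisy" attacker regimes and the `failures_per_logon` parameter are my own assumptions for illustrating how the lockout threshold, observation window and duration cap online guessing against one account.

```python
# Added example (not from the thread): a model of how Account Lockout settings
# cap online password guessing against a single account. The defaults are the
# thread's own numbers: 8-character passwords, 1M guesses/s, threshold 10.
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, charset_size):
    """Candidate passwords of exactly `length` chars from `charset_size` symbols.
    62 symbols (a-z, A-Z, 0-9) at length 8 gives the ~218 trillion figure."""
    return charset_size ** length


def years_to_exhaust(space, guesses_per_second):
    """Years needed to try every candidate at a fixed guess rate."""
    if guesses_per_second == 0:          # policy allows no guesses at all
        return float("inf")
    return space / guesses_per_second / SECONDS_PER_YEAR


def stealth_rate(threshold, window_seconds, failures_per_logon=1):
    """Max guesses/second that never trips lockout: stay one logon below the
    threshold inside each observation window. `failures_per_logon` > 1 models
    clients (OWA over RPC, as reported in the thread) that record two failures
    per bad password, which is why a threshold of 4 can lock after 3 real tries."""
    effective_threshold = threshold // failures_per_logon
    return max(effective_threshold - 1, 0) / window_seconds


def noisy_rate(threshold, duration_seconds):
    """Guesses/second for an attacker who ignores lockout: `threshold` tries,
    then the account is locked for `duration_seconds`. The legitimate user is
    locked out too, which is the helpdesk cost mentioned in the thread."""
    return threshold / duration_seconds


def summarize(length=8, charset_size=62, threshold=10, window_seconds=1800,
              duration_seconds=1800, failures_per_logon=1, offline_rate=1_000_000):
    """Exhaustion time with no throttling vs. under the lockout policy."""
    space = keyspace(length, charset_size)
    return {
        "keyspace": space,
        "years_unthrottled": years_to_exhaust(space, offline_rate),
        "years_stealthy": years_to_exhaust(
            space, stealth_rate(threshold, window_seconds, failures_per_logon)),
        "years_noisy": years_to_exhaust(space, noisy_rate(threshold, duration_seconds)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>18}: {value:,.2f}" if isinstance(value, float) else f"{key:>18}: {value:,}")
```

With the thread's values the unthrottled figure comes out at about 6.9 years, while a stealthy attacker held to 9 guesses per 30-minute window needs on the order of a billion years; the noisy attacker fares no better but locks the real user out every half hour.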
 
LVL 1

Author Comment

by:crcsupport
ID: 39239129
Why is this setting under Computer Configuration instead of User Configuration in GPO?
Does it mean that it locks out the account, not the computer? I'm worrying if this setting is under computer configuration, it may affect operation if the hacking is against server such as mail server?
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239166
Dude seriously.. that is the correct place.  Honestly IDK why it's listed under Computer but that's the correct place.

http://technet.microsoft.com/en-us/library/cc781491(v=ws.10).aspx
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39239167
Also, can you take a look at the relay setting of the SMTP virtual server (attached). I want to correct any wrong configuration. Outbound mail is set as anonymous. Is it OK? We have other servers in the LAN that send out emails to clients. The servers contact our mail server as a smart host. This connection is anonymous, I guess, because there's no id and password to put in the SMTP properties of the client server connecting to the mail server.
relay.jpg
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239177
Keep the relay permissions open, but yes IMO set only the IP's of machines that have a need to relay through Exchange/SMTP to help reduce the risk of clients becoming infected with spam bots.
0
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239335
What I suggested locks out the User's account and has NOTHING TO DO with the COMPUTER Accounts. Your mail server will function as normal.
0
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 39239487
The reason why it is under computer policy and not user policy is that the user has not logged in yet.  They are attempting to log in so only hklm is loaded .. Once they have validated their credentials then the user policy takes effect.  Hope this clears things up.
0
