Solved

Account lockout policy in Group Policy

Posted on 2013-06-11
499 Views
Last Modified: 2013-06-11
I'm trying to set account lockout because I think hackers are trying to run brute-force password discovery against our mail server. If 10 login attempts with a wrong password fail, I would like to lock out the account.

However, the Account Lockout Threshold policy under Group Policy says it only counts failed logon attempts made via Ctrl+Alt+Delete or the screen saver. Does that mean it will not count login failures against OWA or direct access to our mail server through telnet? If so, how can I stop the hacker's password discovery if only those two count as failures?
Question by:crcsupport
12 Comments
 
LVL 14

Accepted Solution

by:
Ben Hart earned 300 total points
ID: 39239088
Account Lockout options in GPO's affect all authentication attempts to a domain controller.
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239089
In GP management go to:
Computer Config>Policies>Windows Settings>Account Policies/Password Policy

Account Policies/Account Lockout Policy>Set to 10 but ideal is 3-5 attempts.

You will want to set this on the "Default Domain policy" so it is for all machines on the network.

At minimum set the lockout duration to 30 mins but 45 is ideal in my opinion.
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 50 total points
ID: 39239103
TechOps07 is right. 45 minutes would be ideal. Most companies stick to 30 minutes so their helpdesk doesn't get bombarded, but 45 minutes is better (the attacker will get bored and move on).

The account policy at 10 is too long. 5 at the most (agreeing with TechOps07).
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239113
Something I found:

Also, here is a risk justification I wrote on this setting when we were challenged by our auditors and why setting this below 10 or even 50 for that matter, doesn't really improve security:

==============================================

The risk imposed by a single digit variance of this setting is negligible because the intent of this setting is to provide mitigation for and prevent brute force attacks against accounts. Assuming this setting is at 7, brute forcing of the accounts is still not possible as the minimum password length and password complexity settings in place (assuming minimum password length of at least 8 with complexity enabled) results in the number of possible password permutations for each individual account of 218 Trillion permutations that would need to be attempted and would take approximately 7 years to brute force the password assuming a rate of 1 million passwords per second. As long as the setting is < 10, the account would be locked out long before a successful brute force attack could be successfully executed.
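The figures in the justification above can be reproduced, and extended to show how little the threshold value matters once lockout is on at all. This is an added example, not code from the thread; it assumes a 62-character alphabet (upper, lower, digits), which is what 62^8 ≈ 218 trillion implies, and a 30-minute observation window, which the post does not state.

```powershell
# Added example: brute-force cost with and without account lockout.
# Alphabet of 62 and the 30-minute window are assumptions, not from the post.
function Get-BruteForceEstimate {
    param(
        [int]$Length = 8,               # minimum password length
        [int]$Alphabet = 62,            # upper + lower + digits (assumed)
        [double]$GuessesPerSecond = 1e6, # rate used in the justification
        [int]$LockoutThreshold = 7,      # the setting discussed above
        [int]$ObservationMinutes = 30    # reset window (assumed)
    )

    $keyspace = [math]::Pow($Alphabet, $Length)   # ~2.18e14 for 62^8

    # Offline guessing (captured hash): limited only by the guess rate.
    # 2.18e14 / 1e6 seconds is about 6.9 years, the "approximately 7" in the post.
    $offlineYears = $keyspace / $GuessesPerSecond / (365 * 24 * 3600)

    # Online guessing against a live account with lockout enabled: the attacker
    # can make at most (threshold - 1) failures per observation window without
    # locking the account, regardless of how fast the mail server answers.
    $windowsPerDay = 1440 / $ObservationMinutes
    $safeGuessesPerDay = ($LockoutThreshold - 1) * $windowsPerDay
    $onlineYears = $keyspace / $safeGuessesPerDay / 365

    [pscustomobject]@{
        Keyspace          = $keyspace
        OfflineYears      = [math]::Round($offlineYears, 1)
        SafeGuessesPerDay = $safeGuessesPerDay
        OnlineYears       = [math]::Round($onlineYears)
    }
}

# Compare a threshold of 7 with the asker's 10: the online figure barely moves.
Get-BruteForceEstimate -LockoutThreshold 7  | Format-List
Get-BruteForceEstimate -LockoutThreshold 10 | Format-List
```

The online estimate is the one the lockout policy actually controls; the offline one is governed by password length and complexity alone, which is why the justification treats the exact threshold as a minor factor.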
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239116
I.e. 30 minutes is completely acceptable. But set it to whatever you and your organization want.
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239123
Also there's quite a few people out there reporting that OWA over RPC registers as two bad passwd attempts. So it's highly possible that setting the value to 4 will result in lockouts after 3 actual bad passwds. Keep an eye on your logs for the first bit after setting it.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/aa3fc451-a2bd-4b76-a33d-b3901a23d4d2
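One way to do both things the answers above ask for, confirming what the Default Domain Policy actually applies and watching the lockouts it produces, is the script below. It is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed and that you can read the Security log on the PDC emulator, which is where event 4740 ("A user account was locked out") is recorded.

```powershell
# Added example: verify the lockout settings and list who is tripping them.
# Assumes the ActiveDirectory module and read access to the PDC's Security log.
Import-Module ActiveDirectory

# The three values TechOps07 and Ben Hart discuss, as the domain applies them.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# Accounts locked out right now: real users hit by a too-low threshold will
# show up here alongside any account an attacker is hammering.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# 4740 events from the last 24 hours. Lockouts are processed on the PDC
# emulator, so query it explicitly rather than whichever DC you are on.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)

Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} | ForEach-Object {
    # Properties[0] is the locked account; Properties[1] is the "Caller
    # Computer Name". For OWA or SMTP guessing this is the Exchange server
    # that forwarded the bad passwords, not the remote client, so a run of
    # lockouts all naming the mail server is the pattern the asker is after.
    [pscustomobject]@{
        Time          = $_.TimeCreated
        Account       = $_.Properties[0].Value
        CallerMachine = $_.Properties[1].Value
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the caller machine is the Exchange server, the originating client address has to come from that server's own logs (IIS logs for OWA, SMTP protocol logs for telnet-style connections), since the domain controller only sees the server that relayed the attempt.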
 
LVL 1

Author Comment

by:crcsupport
ID: 39239129
Why is this setting under Computer Configuration instead of User Configuration in GPO?
Does it mean that it locks out the account, not the computer? I'm worried that if this setting is under Computer Configuration, it may affect operation if the hacking is against a server such as the mail server.
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239166
Dude seriously.. that is the correct place. Honestly IDK why it's listed under Computer but that's the correct place.

http://technet.microsoft.com/en-us/library/cc781491(v=ws.10).aspx
 
LVL 1

Author Comment

by:crcsupport
ID: 39239167
Also, can you take a look at the relay setting of the SMTP virtual server (attached)? I want to correct any wrong configuration. Outbound mail is set as anonymous. Is it OK? We have other servers in the LAN that send out emails to clients. The servers contact our mail server as a smart host. This connection is anonymous, I guess, because there's no ID and password to put in the SMTP properties of the client server connecting to the mail server.
relay.jpg
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 300 total points
ID: 39239177
Keep the relay permissions open, but yes IMO set only the IP's of machines that have a need to relay through Exchange/SMTP to help reduce the risk of clients becoming infected with spam bots.
 
LVL 4

Assisted Solution

by:TechOps07
TechOps07 earned 100 total points
ID: 39239335
What I suggested locks out the User's account and has NOTHING TO DO with the COMPUTER Accounts. Your mail server will function as normal.
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 39239487
The reason why it is under computer policy and not user policy is that the user has not logged in yet. They are attempting to log in, so only HKLM is loaded. Once they have validated their credentials, then the user policy takes effect. Hope this clears things up.
