
Continuous Lock Out User Account Hack

Account Lockout

Authenticating and Authorizing Users

In Hacking the Code, 2004

Locking Accounts

The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. But account lockout is not the best solution, because someone could easily abuse it and lock out hundreds of user accounts. In fact, some Web sites are attacked so much that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.

The problems with account lockouts are:

An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.

Because you cannot lock out an account that doesn't exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on realized error responses.

An attacker can cause a diversion by locking out many accounts and flooding the help desk with support calls.

An attacker can continuously lock out the same account, even seconds after it is unlocked by an administrator, effectively disabling the account.

Account lockout is ineffective against slow attacks that try only a few passwords every hour.

Account lockout is ineffective against attacks that try one password against a large list of usernames.

Account lockout is ineffective if the attacker is using a username/password combo list and guesses correctly on the first couple of attempts.

Powerful accounts such as administrator accounts often bypass lockout policy, but these are the most desirable accounts to attack. Some systems lock out administrator accounts only on network-based logins.

Even once an account is locked out, the attack may continue, consuming valuable human and computational resources.

Account lockout is sometimes effective, but only in controlled environments or in cases where the risk is so great that even continuous DoS attacks are preferable to account compromise. In most cases, however, account lockout is not the best option for stopping brute-force attacks. Consider, for example, an auction site on which several bidders are fighting over the same item. If the auction Web site enforced account lockouts, one bidder could simply lock the others' accounts in the last minute of the auction, preventing them from submitting any winning bids. The same technique could be used to block critical financial transactions or e-mail communications.

WARNING

When I talk to administrators and developers about the problems with account lockouts, their first response is to suggest increasing the number of failed attempts before locking the account. This solution does prevent someone from accidentally locking out an account, but even if you allow 20 attempts, it is simple for an attacker to lock out an account. Another suggestion I hear is to decrease the lockout time to just a few minutes. In fact, Microsoft's Passport uses this strategy. Although this solution does limit brute-force attacks, it doesn't completely prevent DoS attacks, because an attacker can simply lock your account again after the few minutes pass. Ultimately, you have to decide yourself what works best for your Web site.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781932266658500357

TNS Listener Security

Josh Shaul, Aaron Ingram, in Practical Oracle Security, 2007

Listener Vulnerabilities "By Design"

There is no account lockout feature for the Oracle Listener. This means that an attacker can connect to the Listener and guess passwords forever without the Listener taking steps to protect itself. Brute-force password guessing against an Oracle Listener is a viable attack.

When authenticating across the network, Oracle sends the Listener password in cleartext, handing the Listener password to any attacker monitoring network communications. With the password in hand, an attacker can reconfigure the Listener to block access to the database or, worse, to take control of the database server.

When authenticating to the Listener (versions prior to 10g only), it will accept either the correct Listener password or the Listener password hash. This means that the Listener password hash stored in listener.ora needs to be protected as if it were a cleartext password. Users that are not allowed to administer the Listener must be prevented from having any access (including read-only) to the listener.ora file.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597491983500056

Passwords and Password Controls

Josh Shaul, Aaron Ingram, in Practical Oracle Security, 2007

Password Controls Using Oracle Profiles

Enable Oracle's account lockout feature by configuring the FAILED_LOGIN_ATTEMPTS parameter in every profile in the database. This feature stops password guessing attacks by locking the account after a set number of failed logon attempts.

Use the PASSWORD_LIFE_TIME profile feature to automatically expire users' passwords, forcing them to choose a new password. The new password must meet all the criteria enforced by Oracle's password controls.

Use the PASSWORD_VERIFY_FUNCTION to check the strength of new passwords. Oracle provides a default function that can be used or easily modified to provide additional protections. There are even better sample functions available on the internet.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597491983500093

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Frequently Asked Questions

Q: I created a GPO with specific password and account lockout settings and applied it to an OU in my Active Directory domain. Why weren't the settings applied?

A: A GPO with password and account lockout settings is applied only when linked at the domain level of Active Directory.

Q: My security administrator is concerned about brute force password attacks. Are there any Windows Server 2008 features which can help to manage those risks?

A: Account lockout can be used to minimize risks from brute force password attacks by setting an appropriate combination of values for the Account lockout duration, Account lockout threshold, and Reset account lockout counter after options.

Q: I'm concerned about users going for too long without changing their passwords, or using passwords that are really simple and easy to guess. What can I do about this in Windows Server 2008?

A: Windows Server 2008 group policy allows you to specify a range of password security options, including how frequently users change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be when initially specified or changed.

Q: How can I apply a different set of password and account lockout policy to administrators?

A: In Windows Server 2008, a new feature called fine-grain password and account lockout policy can be used to apply custom password and account lockout policy settings to individual users and global security groups within a domain.

Q: What can I monitor using auditing in Windows Server 2008?

A: Auditing can be used to track successful and failed resource access, usage, and change, including logon events, directory service objects, file system objects, Registry objects, printers, exercise of user privileges and rights, system events, account management changes, and much more.

Q: It seems like auditing file system and directory service objects would produce too many log entries to sort through. Is there a way to limit this?

A: In addition to enabling auditing of these types of objects, you can also specify exactly what you want to track on an object-by-object basis. This includes both who changed an object and what was specifically changed.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492805000031

Strong Access Controls

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010

Configuring Account Lockout in Active Directory

While you're configuring the password policy settings, it's a good idea to also configure the Account Lockout Policy. To do this, expand Account Lockout Policy. Double-click on Account lockout threshold. In the Account lockout threshold Properties dialog box, change the number of invalid login attempts to 6. A dialog box will pop up and ask if it should also change the Account lockout duration and Reset account lockout counter after attributes as well. These should both be changed to 30 min to comply with PCI requirements, which is the default offered in this dialog. Click OK. It should now look like Fig. 5.2.

Figure 5.2. PCI Compliant Windows 2003 Account Lockout Policy

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597494991000106

MCSE 70-293: Planning, Implementing, and Maintaining a Security Framework

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Account Lockout Policies

Account lockout policies are used by administrators to lock out an account when someone tries to log on unsuccessfully several times in a row. We can usually assume that a legitimate user might type his or her password incorrectly once or twice, but not numerous times. Thus, numerous failed logons can indicate that someone is trying a brute-force password attack (trying to keep guessing the password until he or she gets it right). There are three options:

Account lockout duration You can specify the time in minutes that the account can be locked out. For example, if the account locks out for two hours, the user can try again after that time. The default is no lockout. When you define the policy, the default time is 30 minutes. The setting can be from 0 to 99,999. When set to 0, the account will remain locked out until an administrator manually unlocks it.

Account lockout threshold This specifies the number of failed attempts at logon a user is allowed before the account is locked out (for example, three). After the threshold has been reached, the account will be locked out. If this value is set to 0, the account will not lock out. This setting can be from 0 to 999.

Reset account lockout counter after You can choose to have the account lockout counter reset after a number of minutes. At that time, the count will start over at one.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781931836937500154

Organizational and Operational Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Group Policy Management Editor

The local security policy application will also help you to implement portions of your company's user security policy. You can configure user account settings and password policy settings. But if you want to configure these options for your domain, you will have to use the Group Policy Management Editor, as shown in Figure 5.4.

Figure 5.4. Group Policy Management Editor.

Password Policy: The Password Policy section, as shown in Figure 5.5, allows you to configure how passwords will be handled and restrictions around how passwords are set. This allows you to force users to create stronger passwords, which helps protect against password guessing attempts. The settings available here are as follows:

Enforce password history This option allows you to control how often passwords can be reused. On Windows Server 2008 R2 domain controllers, the default is 24 passwords.

Maximum password age This option specifies how long a user can go between password changes. The default on domain controllers is 42 days.

Minimum password age This option specifies how long a user must have a password before it can be changed. The default on domain controllers is 1 day.

Minimum password length This option specifies how long a user's password must be. The default on domain controllers is seven characters.

Password must meet complexity requirements This option sets requirements for what characters must be used in a password.

Store passwords using reversible encryption This option controls how passwords will be stored. Some applications need to be able to access passwords. This option will help allow this.

Figure 5.5. Group Policy Management Editor – Password Policy.

Account Lockout Policy: The Account Lockout section, as shown in Figure 5.6, allows you to configure account lockout settings. Account lockout allows you to lock an account after repeated failed login attempts. This helps protect against brute force password-cracking attempts. The settings available here are as follows:

Account lockout duration This option controls how long an account will be locked out. By default, this option is disabled because account lockout is disabled.

Account lockout threshold This option controls how many bad login attempts will cause an account to be locked. By default this option is disabled.

Reset account lockout counter after This option controls how long the system will wait after the last unsuccessful attempt before it resets the lockout counter. By default, this option is disabled because account lockout is disabled.

Figure 5.6. Group Policy Management Editor – Account Lockout.

Kerberos Policy (only available on domain controllers): The Kerberos Policy section, as shown in Figure 5.7, allows you to configure how Kerberos will be handled in your domain. Kerberos is the default authentication method used in Windows 2008 R2 domains. The settings available here are as follows:

Enforce user logon restrictions This option controls whether every session ticket request is checked against the user rights policy. This option is more secure, but it does take up extra network bandwidth. It is enabled by default.

Maximum lifetime for service ticket This option controls how long service tickets will be valid. The default is 600 min.

Maximum lifetime for user ticket This option controls how long user tickets will be valid. The default is 10 h.

Maximum lifetime for user ticket renewal This option controls the timeframe for which a Ticket-Granting Ticket can be renewed. The default is seven days.

Maximum tolerance for computer clock synchronization This option specifies the maximum difference in time that can exist between the client and the domain controller. This is to help prevent replay attacks. The default is five min.

Figure 5.7. Group Policy Management Editor – Kerberos Policy.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597495943000053

MCSE/MCSA 70–294: Creating User and Group Strategies

Michael Cross, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

1. From the Windows Server 2003 desktop, click Start | Administrative Tools | Active Directory Users and Computers.

2. Right-click the domain you want to administer, and then select Properties.

3. Select the Default Domain Policy, and click the Edit button.

4. Navigate to the account lockout policy by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy. You'll see the screen shown in Figure 3.7.

Figure 3.7. Account Lockout Policy Objects

Using Account Lockout Policy, you can configure the following settings:

Account lockout duration This option determines the amount of time that a locked-out account will remain inaccessible. Setting this option to 0 means that the account will remain locked out until an administrator manually unlocks it. Select a lockout duration that will deter intruders without crippling your authorized users; 30 to 60 minutes is sufficient for most environments.

Account lockout threshold This option determines the number of invalid logon attempts that can occur before an account will be locked out. Setting this option to 0 means that accounts on your network will never be locked out.

Reset account lockout counter after This option defines the amount of time in minutes after a bad logon attempt that the "counter" will reset. If this value is set to 45 minutes, and user jsmith types his password incorrectly two times before logging on successfully, his running tally of failed logon attempts will reset to 0 after 45 minutes have elapsed. Be careful not to set this option too high, or your users could lock themselves out through simple typographical errors.

5. For each item that you want to configure, right-click the item and select Properties. To illustrate, we create an Account lockout threshold of three invalid logon attempts. In the screen shown in Figure 3.8, place a check mark next to Define this policy setting, and then enter the appropriate value.

Figure 3.8. Configuring the Account Lockout Threshold
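As an added example (not code from any of the excerpted books), the following Python model implements the three Account Lockout Policy settings defined above, including their 0-value meanings (duration 0 = locked until an administrator unlocks, threshold 0 = never lock) and the jsmith scenario. The clock is simulated in minutes, and, as the text describes it, only the reset window clears the failed-logon tally, not a successful logon.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy settings and their 0-value meanings."""
    threshold: int        # bad attempts before lockout; 0 = never lock out
    duration_min: int     # minutes locked; 0 = locked until an administrator unlocks
    reset_after_min: int  # minutes after the last bad attempt until the tally resets

@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: Optional[float] = None  # simulated clock, in minutes
    locked_at: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user.lower(), AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True  # stays locked until admin_unlock()
        if now - s.locked_at >= self.policy.duration_min:
            s.locked_at, s.failures, s.last_failure_at = None, 0, None  # lockout expired
            return False
        return True

    def failed_logon(self, user: str, now: float) -> bool:
        """Record a bad password; return True if the account is locked afterwards."""
        s = self._state(user)
        if self.is_locked(user, now):
            return True
        if self.policy.threshold == 0:
            return False  # lockout disabled: nothing is counted
        if (s.last_failure_at is not None
                and now - s.last_failure_at >= self.policy.reset_after_min):
            s.failures = 0  # quiet period elapsed: the tally starts over
        s.failures += 1
        s.last_failure_at = now
        if s.failures >= self.policy.threshold:
            s.locked_at = now
            return True
        return False

    def logon_allowed(self, user: str, now: float) -> bool:
        """Even the correct password is refused while the account is locked."""
        return not self.is_locked(user, now)

    def admin_unlock(self, user: str) -> None:
        self.accounts[user.lower()] = AccountState()

def jsmith_scenario() -> dict:
    """The jsmith example from the text: threshold 3, duration 30, reset after 45."""
    t = LockoutTracker(LockoutPolicy(threshold=3, duration_min=30, reset_after_min=45))
    t.failed_logon("jsmith", now=0)
    t.failed_logon("jsmith", now=1)
    allowed = t.logon_allowed("jsmith", now=2)  # correct password on the third try
    before = t.accounts["jsmith"].failures      # tally is still 2 ...
    t.failed_logon("jsmith", now=46)            # ... until 45 min after the last failure
    after = t.accounts["jsmith"].failures       # reset to 0, then this attempt makes it 1
    return {"allowed": allowed, "before": before, "after": after,
            "locked": t.is_locked("jsmith", now=46)}
```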

Full chapter: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Feature focus

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Account security policies

User account security policies help ensure that user accounts are protected and properly secured. Using account security policies, you can set the following account policies for AD accounts:

Password Policy

Account Lockout Policy

Kerberos Policy

The password policy allows you to configure requirements for user passwords. The password policy options are defined in Table 4.2.

Table 4.2. Active Directory Domain Password Policy

Policy (default setting): description.

Enforce password history (default: 24 passwords remembered). By enabling this policy, users cannot use any of the previously remembered passwords. For example, using the default setting of 24, the user cannot use any of the previous 24 passwords when setting a new password.

Maximum password age (default: 42 days). By enabling this setting, passwords expire every x number of days. The number of days configured here defines how often users will be forced to change their passwords.

Minimum password age (default: 1 day). By enabling this setting, passwords are required to remain the same for x number of days. For example, the default setting of 1 day requires that a user keep the same password for at least 1 day.

Minimum password length (default: seven characters). By enabling this setting, users must include at least x characters in their passwords. The longer the password, the more secure it is; however, the longer the password, the harder it is to remember. You should find a happy medium for your network. Most security best practices recommend at least 8 characters, though some organizations are asking users to begin using passphrases as opposed to passwords. This can increase the character count dramatically, thus increasing account security.

Password must meet complexity requirements (default: Enabled). By enabling this setting, users must create passwords that are considered complex. Complex passwords require characters from three of the following four sets: upper case, lower case, numbers, and special characters such as #, @, !. Complex passwords cannot contain part or all of the user's full name or username.

Store passwords using reversible encryption (default: Disabled). This setting essentially stores passwords in a plain text format. This is to provide backwards compatibility with some legacy applications but is not recommended.
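As an added example (not the book's code), here is a Python check that applies the Table 4.2 rules: the minimum password length default, three of the four character sets, and no part of the username or full name in the password. Treating "part of the full name" as each word of three or more characters, split on spaces and common punctuation, is an assumption, since the table does not define it.

```python
import re

MIN_LENGTH = 7  # "Minimum password length" default from Table 4.2
# Assumed delimiters for splitting the full name into parts (not specified by the book)
NAME_DELIMITERS = re.compile(r"[\s,.\-_#]+")

def character_classes(password: str) -> set:
    """Which of the four Table 4.2 character sets the password draws from."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper case")
        elif ch.islower():
            found.add("lower case")
        elif ch.isdigit():
            found.add("number")
        elif not ch.isspace():
            found.add("special")
    return found

def name_parts(username: str, full_name: str) -> list:
    """The username in full plus each word of the full name, lower-cased.
    Assumption: parts shorter than 3 characters are ignored, otherwise two-letter
    fragments such as initials would reject almost every password."""
    parts = {username} | set(NAME_DELIMITERS.split(full_name))
    return sorted(p.lower() for p in parts if len(p) >= 3)

def check_password(password: str, username: str, full_name: str,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < 3:
        problems.append("uses only %s (need 3 of the 4 character sets)"
                        % ", ".join(sorted(classes)))
    lowered = password.lower()
    for part in name_parts(username, full_name):
        if part in lowered:
            problems.append(f"contains name part '{part}'")
    return problems
```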

Notes from the field

Multiple password policies

Windows Server 2008 R1 first introduced the ability to have multiple password policies in a single domain. This allows you to set up different password requirements assigned to different groups of users. For example, you can have a more strict password policy assigned to administrative-level accounts.

In addition to the password policy, you can set an account lockout policy. The account lockout policy "locks" the user's account after a defined number of failed password attempts. The account lockout prevents the user from logging onto the network for a period of time even if the correct password is entered. You should set an account lockout policy to help thwart those who may attempt to compromise user accounts by brute force methods of guessing username and password combinations. The account lockout policy contains the following settings:

Account lockout duration—This is the amount of time the account will remain locked out. This is commonly set to 20 or 30 min. An administrator can manually unlock the account at any time after it has been locked.

Account lockout threshold—This is the number of invalid log-on attempts allowed before the account is locked out. After the defined threshold is reached, the account then becomes locked until the account lockout duration passes or an administrator manually unlocks the account.

Reset account lockout counter after—This setting defines the number of minutes that must pass before the lockout counter will set itself to zero after an invalid log-on attempt has been detected.

The third account policy is the Kerberos Policy. This policy allows you to define Kerberos authentication settings. Kerberos authentication is discussed in Chapter 11. The Kerberos policy has the following definable settings:

Enforce user logon restrictions—By enabling this setting, the Kerberos Key Distribution Center (KDC) will validate each ticket request against the user account rights policy.

Maximum lifetime for a service ticket—This setting defines how long a service ticket is valid. After the ticket expires, the user account will be rejected by the resource and will have to request a new ticket from the KDC.

Maximum lifetime for a user ticket—This setting defines the maximum age in minutes that the user ticket or ticket granting ticket (TGT) is valid.

Maximum lifetime for user ticket renewal—This setting defines the number of days that a TGT can be renewed for continued use.

Maximum tolerance for computer clock synchronization—Kerberos is a time-sensitive protocol. This is a security feature to ensure that expired tickets cannot be used because of computer clocks being set incorrectly. This setting allows you to set the maximum amount of time difference Kerberos will allow between the domain and computers joined to the domain.

The account policies are set using the Group Policy Management console located in Server Manager. To manage the account policies, you need to edit the default domain group policy. Perform the following tasks to modify account policies:

1. Open Server Manager.

2. Expand the nodes Features | Group Policy Management | Forest: <your forest name> | Domains | <your domain name>.

3. Right-click the Default Domain Policy and choose the Edit option.

4. Expand the nodes Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies.

5. Select the policy you want to modify. After making changes, close the Group Policy Management Editor. Changes will be automatically saved.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781597495783000049

MCSA/MCSE 70-294: Working with Group Policy in an Active Directory Environment

Michael Cross, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Implementing Group Policy

8. You just took over as network administrator for a company. Your network consists of a single domain. The previous administrator had set up a group policy for the domain that allowed six unsuccessful logon attempts before an account would be locked out. A series of new computers has been purchased and deployed in the environment, and the local policy on these systems is set to allow three unsuccessful logon attempts before locking an account. You decide that you want to enforce account lockout to occur after three unsuccessful logon attempts across the company. How would you achieve this?

A. Set the local policy on each PC to lock out accounts after three attempts, and set No Override on the local policy.

B. Set group policy in a domain GPO to lock out accounts after three unsuccessful logon attempts.

C. Set the Block Policy Inheritance on the group policy.

D. Remove the local policies from each PC.

9. You need to create a new GPO to enable settings for a particular OU. You open Active Directory Users and Computers and select the OU in the tree. What is the next step in the process of creating a GPO for this OU?

A. From the Actions menu, select Create New GPO.

B. Right-click on the OU and select Create New GPO.

C. Right-click on the OU and select Properties.

D. From the Actions menu, select Group Policy Object Editor.

Full chapter: https://www.sciencedirect.com/science/article/pii/B9781931836944500155


Source: https://www.sciencedirect.com/topics/computer-science/account-lockout
