
What account Lockout Policy can and cannot do?



#1
Mobi

Mobi

    Member

  • Member
  • PipPip
  • 52 posts
Hi guyz,



I was going through the security check list of NIST for Windows 2003 server and I think it will be helpful if I enable the account Lockout policy say after three consecutive attempts. But I have three questions in mind.



1. If I enable this policy on our Domain Server then will it be helpful in case a user is trying to connect through the IPC$ shares of C,D drives or Admin shares?



2. Will it work for Remote Desktop users as well as terminal logon or logon through service or script?



3. If I enable this policy then say I try to connect to a computer through remote desktop and I use the "Bob" user name who is in the domain admin group or any other user (instead of mine) and give three consecutive bad passwords, so what will happen? The "Bob" account will be locked out or my account will be locked out?
  • 0
#2
dsenette

1. If I enable this policy on our Domain Server then will it be helpful in case a user is trying to connect through the IPC$ shares of C,D drives or Admin shares?

I'm not 100% sure what you're asking here... but the only people who can connect to the admin shares are admins in your domain or locally on the machine in question... that's why they're called admin shares.

2. Will it work for Remote Desktop users as well as terminal logon or logon through service or script?

Yes to all of those... any logon attempt is subject to the lockout policy no matter what method they use... in fact, if you've got OWA (Outlook Web Access) on your Exchange server and the user types in their password wrong enough times (whatever your lockout threshold is) when trying to check their email from outside the building, it will lock out their account.

3. If I enable this policy then say I try to connect to a computer through remote desktop and I use the "Bob" user name who is in the domain admin group or any other user (instead of mine) and give three consecutive bad passwords, so what will happen? The "Bob" account will be locked out or my account will be locked out?

Yes, you could lock out any account this way, assuming you know the account name and can make a remote connection. Just be sure to set a reasonable lockout duration (the default is 30 minutes).

Edit: on the last one... you would lock out the account that you tried to log on as with the remote session, not the one you were logged in as to start the remote session.
  • 0
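A simplified model of the behaviour described in the reply above, as an added example that is not part of the original posts: the bad-password counter belongs to the account being logged on as, whatever the logon method or the machine the attempt comes from. The `window_min` counter-reset value, the host names and the event list are constructed assumptions; this models the policy and is not Windows code.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    threshold: int = 3      # bad passwords before lockout (value from the question)
    window_min: int = 30    # assumed "reset counter after" window, in minutes
    duration_min: int = 30  # lockout duration (figure given in the reply)
    state: dict = field(default_factory=dict)     # target -> (bad, last_bad, locked_until)
    lockouts: list = field(default_factory=list)  # what a defender would review

    def logon(self, minute, target, password_ok, logon_type, source):
        """Return 'ok', 'bad_password', 'locked_now' or 'rejected_locked'."""
        bad, last_bad, locked_until = self.state.get(target, (0, None, None))
        if locked_until is not None and minute < locked_until:
            return "rejected_locked"       # even the correct password fails
        if locked_until is not None:       # duration elapsed: automatic unlock
            bad, locked_until = 0, None
        if last_bad is not None and minute - last_bad >= self.window_min:
            bad = 0                        # old failures have aged out
        if password_ok:
            self.state[target] = (0, None, None)
            return "ok"
        bad += 1
        # logon_type and source never affect the count; they are only recorded.
        if bad >= self.threshold:
            self.state[target] = (0, minute, minute + self.duration_min)
            self.lockouts.append((minute, target, source, logon_type))
            return "locked_now"
        self.state[target] = (bad, minute, None)
        return "bad_password"

# Constructed events: (minute, target, password_ok, logon_type, source)
EVENTS = [
    (0, "bob", False, "network (admin share)", "WKS-07"),
    (1, "bob", False, "remote desktop", "WKS-07"),
    (2, "bob", False, "service", "SRV-02"),
    (3, "bob", True, "interactive", "BOB-PC"),    # Bob himself, now locked out
    (5, "mobi", True, "interactive", "WKS-07"),   # the other account is unaffected
    (33, "bob", True, "interactive", "BOB-PC"),   # after the lockout duration
]

def replay(events, policy=None):
    """Feed events through a policy and return the outcome of each logon."""
    if policy is None:
        policy = LockoutPolicy()
    return [policy.logon(*event) for event in events]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```
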