What account Lockout Policy can and cannot do?



#1
Mobi

Hi guyz,



I was going through the security checklist of NIST for Windows 2003 server and I think it will be helpful if I enable the account Lockout policy, say after three consecutive attempts. But I have three questions in mind.



1. If I enable this policy on our Domain Server then will it be helpful in case a user is trying to connect through the IPC$ shares of C, D drives or Admin shares?



2. Will it work for Remote Desktop users as well as terminal logon or logon through service or script?



3. If I enable this policy then say I try to connect to a computer through remote desktop and I use the "Bob" user name who is in the domain admin group or any other user (instead of mine) and give three consecutive bad passwords, so what will happen? Will the "Bob" account be locked out or will my account be locked out?


#2
dsenette


1. If I enable this policy on our Domain Server then will it be helpful in case a user is trying to connect through the IPC$ shares of C, D drives or Admin shares?

I'm not 100% sure what you're asking here...but the only people who can connect to the admin shares are admins in your domain or locally on the machine in question...that's why they're called admin shares.

2. Will it work for Remote Desktop users as well as terminal logon or logon through service or script?

Yes to all of those...any logon attempt is subject to the lockout policy no matter what method they use...in fact, if you've got OWA (Outlook Web Access) on your Exchange server and the user types in their password wrong enough times (whatever your lockout threshold is) when trying to check their email from outside the building, it will lock out their account.

3. If I enable this policy then say I try to connect to a computer through remote desktop and I use the "Bob" user name who is in the domain admin group or any other user (instead of mine) and give three consecutive bad passwords, so what will happen? Will the "Bob" account be locked out or will my account be locked out?

Yes, you could lock out any account this way, assuming you know the account name and can make a remote connection. Just be sure to set a reasonable lockout duration (the default is 30 minutes).

Edit: on the last one...you would lock out the account that you tried to log on as with the remote session, not the one you were logged in as to start the remote session.
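
The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of the lockout counter, replayed over constructed logon events to show that the count is kept per account named in the logon, across every logon method. The threshold of 3 comes from the question and the 30-minute duration from the reply; the host names, the reset window and the event layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                        # bad attempts before lockout (value from the question)
DURATION = timedelta(minutes=30)     # lockout duration (figure quoted in the reply)
RESET_AFTER = timedelta(minutes=30)  # "reset counter after" window (assumed value)
# Windows logon type codes that appear in the constructed events below
LOGON_TYPES = {2: "console", 3: "network share", 5: "service", 10: "Remote Desktop"}

# Constructed events: (time, source host, user making the attempt, account named, type, password ok)
EVENTS = [
    ("09:00", "WS-17", "mobi", "bob", 10, False),
    ("09:01", "WS-17", "mobi", "bob", 3, False),
    ("09:02", "SRV-02", "-", "bob", 5, False),
    ("09:03", "WS-17", "mobi", "bob", 10, True),   # right password, account already locked
    ("09:10", "WS-17", "mobi", "mobi", 2, True),
    ("09:40", "WS-04", "bob", "bob", 2, True),     # lockout duration has expired
]

def replay(events):
    """Simplified model of the lockout counter; returns (lockouts, outcomes)."""
    failures = defaultdict(list)     # keyed on the account named in the logon, never the caller
    locked_until, lockouts, outcomes = {}, [], []
    for stamp, source, _caller, target, ltype, ok in events:
        now = datetime.strptime(stamp, "%H:%M")
        if now < locked_until.get(target, now):
            outcomes.append((stamp, target, "rejected: locked out"))
            continue
        hist = failures[target]
        if ok:
            hist.clear()             # a good logon resets the bad-password count
            outcomes.append((stamp, target, "ok"))
            continue
        if hist and now - hist[-1][0] > RESET_AFTER:
            hist.clear()             # counter reset window elapsed since the last failure
        hist.append((now, source, ltype))
        outcomes.append((stamp, target, "failed"))
        if len(hist) >= THRESHOLD:
            locked_until[target] = now + DURATION
            lockouts.append({
                "account": target, "at": stamp,
                "sources": sorted({s for _, s, _ in hist}),
                "methods": sorted({LOGON_TYPES[t] for _, _, t in hist}),
            })
            hist.clear()
    return lockouts, outcomes

if __name__ == "__main__": print(replay(EVENTS)[0])
```

The `sources` list in each lockout record is what an administrator would review to find where the bad attempts came from before unlocking the account.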