Can user account be locked out in case of access right violation?

#1 Mobi (Member, 52 posts)

Hi,

Yesterday I posted a question asking whether the account lockout policy should be enabled or not in a domain environment. What I found is that by enabling an account lockout policy, especially in a domain environment, any user can use this policy to launch a Denial of Service (DoS) attack by using a script and launching it against any particular user, so that that user will be locked out.

But this is not what I want. So what I want to ask is whether it is possible to disable a user account if he commits an access right violation on a particular folder in a domain environment.

I have implemented access rights on our shared folder on a role basis, following the need-to-know and least-privilege principles. I have also deployed GFI Events Manager for monitoring, in case a user tries to take ownership of that folder or tries to access an unauthorized folder. In any such event I get an email alert about the user who tried to access that folder: his name, domain and the folder name.

OK, but now what to do when a user has tried to access an unauthorized folder? Is there any way that I can configure a policy on the DC such that, in case of any such event, say user "Bob" making three or four consecutive failed attempts on that folder, the user account is locked out?

#2 dsenette (Administrator, MVP, 26,019 posts) - "Je suis Napoléon!"

> Yesterday I posted a question asking whether the account lockout policy should be enabled or not in a domain environment. What I found is that by enabling an account lockout policy, especially in a domain environment, any user can use this policy to launch a Denial of Service (DoS) attack by using a script and launching it against any particular user, so that that user will be locked out.

i'm going to have to dig up that topic....but

this is kind of silly...to do a DOS attack on an INTERNAL user someone INSIDE your network would need to be doing the DOS attack....unless you've got a really unsecured network connection and some really easy to predict user names...

PLUS the account lockout policy has threshold settings...you can set how many times they have to try before getting locked out, and how long the lockout lasts....if you set these right there's no issue...

also IF someone is doing a DOS attack on a user in your network you can easily unlock the user after you find the source of the intrusion

i don't think that this is a valid concern at all

> OK, but now what to do when a user has tried to access an unauthorized folder? Is there any way that I can configure a policy on the DC such that, in case of any such event, say user "Bob" making three or four consecutive failed attempts on that folder, the user account is locked out?

to my knowledge there's no way to do this automatically...you'd need to do it manually

> in case a user tries to take ownership of that folder or tries to access an unauthorized folder.

if your permissions are set correctly neither of these can be an issue...never give anyone but the administrator full control and never give anyone but the administrator the option to take ownership....you can't take ownership of a folder/file if that right is denied....and the whole point of folder permissions is to keep the unauthorized out....so the only way for them to get in would be to compromise an account with elevated permissions

#3 Mobi (Topic Starter, Member, 52 posts)

> this is kind of silly...to do a DOS attack on an INTERNAL user someone INSIDE your network would need to be doing the DOS attack....unless you've got a really unsecured network connection and some really easy to predict user names...


What I meant was that we are in a domain environment and the user names are known to each other; I mean, for example, for Andy Brown the user name will be Andy.brown@pak.com. So knowing the login user name is not a big deal in our environment. But of course the default Admin name of the server will be changed.

> to my knowledge there's no way to do this automatically...you'd need to do it manually


Actually I was thinking that enabling an account lockout policy definitely changes some of the registry settings? Isn't it? And if so, then I can make my own group policy that can be triggered by an access rights violation on a particular folder. The same event can be attached to the folder that works with a bad password or user name.
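The thread asks for something Windows does not offer as a built-in policy: a lockout triggered by failed folder access rather than by bad passwords. As an added example (not from this thread, GFI, or Microsoft documentation), the PowerShell below shows the two pieces a practitioner would actually wire together: the native lockout threshold, duration and observation window that dsenette refers to, and a scheduled script that reads the file server's own Audit Failure events (event ID 4656, which Windows writes when an audited access or take-ownership attempt is denied) and disables any account that exceeds a threshold. It assumes it runs on the file server hosting the share, since that is where the object-access audits are written rather than on the DC, that the ActiveDirectory RSAT module is installed, and that the caller may disable accounts; the folder path and thresholds are placeholders.

```powershell
# Added example, not code from the thread or from GFI Events Manager.
# Assumes: run on the file server that hosts the share (4656 failure audits
# are logged there, not on the DC), ActiveDirectory module present, and the
# caller has rights to change the SACL and to disable accounts.
#Requires -Modules ActiveDirectory

# 1. The built-in lockout knobs dsenette mentions. Threshold and window bound
#    how much damage a deliberate bad-password loop can do to a colleague.
function Set-ExampleLockoutPolicy {
    param([int]$Threshold = 5, [string]$Window = '00:30:00')
    $domainDn = (Get-ADDomain).DistinguishedName
    Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
        -LockoutThreshold $Threshold `
        -LockoutDuration $Window `
        -LockoutObservationWindow $Window
}

# 2. Audit denied access (including take-ownership attempts) on the folder.
#    Without the 'File System' failure subcategory and a SACL, no 4656
#    failure events exist for the script to read.
function Enable-FolderFailureAudit {
    param([Parameter(Mandatory)][string]$Path)
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'ReadData,WriteData,TakeOwnership,ChangePermissions',
        'ContainerInherit,ObjectInherit', 'None', 'Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Collect recent 4656 Audit Failure events whose ObjectName sits under the
#    folder, one record per attempt, skipping machine accounts (names ending $).
function Get-FolderAccessFailures {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$LookbackMinutes = 30
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4656
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = & $get 'SubjectUserName'
                Domain = & $get 'SubjectDomainName'
                Object = & $get 'ObjectName'
            }
        } |
        Where-Object { $_.Object -like "$Path*" -and $_.User -notmatch '\$$' }
}

# 4. Disable accounts that crossed the threshold and return what was done so
#    the caller can alert on it (the thread already has GFI mailing the raw
#    events). -WhatIf lets you dry-run before trusting the automation.
function Invoke-DisableOnRepeatedFailures {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Threshold = 3,
        [switch]$WhatIf
    )
    $hits = Get-FolderAccessFailures -Path $Path |
        Group-Object User | Where-Object Count -ge $Threshold
    foreach ($h in $hits) {
        # Caveat: an auto-disable has the same self-inflicted-DoS shape the
        # thread discusses for password lockouts; keep the threshold and
        # lookback conservative and keep every action logged.
        Disable-ADAccount -Identity $h.Name -WhatIf:$WhatIf
        [pscustomobject]@{ User = $h.Name; Failures = $h.Count; Disabled = -not $WhatIf }
    }
}

# Usage (placeholder path; schedule the last line as a task on the file server):
# Set-ExampleLockoutPolicy -Threshold 5 -Window '00:30:00'
# Enable-FolderFailureAudit -Path 'D:\Shares\Finance'
# Invoke-DisableOnRepeatedFailures -Path 'D:\Shares\Finance' -Threshold 3 -WhatIf
```

Two design points worth noting. The script reads the Security log of the machine that enforces the ACL, so for a share on a member server it must run there or against a forwarded-event collector, not on the domain controller the question mentions. And the per-user grouping deliberately counts only failures within a short lookback window, which is the same idea as the lockout observation window: it keeps a single mistyped path from triggering an account disable while still catching a repeated probe of folders the user has no right to.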