Latest Blog Posts

We're members of the

We've ridden there:

Demo

Layne's certifications:

 

Usernames and passwords are common credentials used during authentication. The username identifies the user, while the password is used for authentication to prove identity.

Method Description
Account lockout Account lockout disables a user account after a specified number of incorrect logon attempts.
  • The Account lockout threshold (also called the clipping level) identifies the number of incorrect logon attempts that are allowed before the account is locked.
  • The Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. When set to 0, an administrator must unlock the account.
  • The Reset account lockout counter after setting identifies the period of time during which invalid passwords are entered. For example, if this value is set to one hour, and the account lockout threshold is set to 5, the user can enter up to 4 incorrect passwords within an hour without the account being locked.
Account lockout can be used to prevent guessing of passwords by attackers, but can also be used maliciously to lock an account and prevent a valid user from logging on.
Account restrictions Account restrictions place restrictions upon the use of a user account for logon. For example, you can:
  • Allow login only during certain days and hours.
  • Allow login only from specific computers.
  • Create expiration dates for user accounts for temporary users to prevent them from being used past a certain date.
  • Disable accounts that are not being used to prevent login. For example, you can disable accounts for employees who have left but who have not yet been replaced, or users who are gone for extended periods of time (such as a long vacation or leave of absence).
Account (password) policies Account policies control the composition and use of passwords.
  • The maximum password age requires users to change the password after a given length of time.
  • The password history requires users to enter unique passwords when changing the password. The password history keeps track of the last several passwords, and prevents users from re-using any recent passwords.
  • The minimum password age is a defined time period following a password change, during which a user may not change their password. This prevents users from reverting back to their original password immediately after they have changed it.
  • The minimum password length identifies the minimum number of characters in a password.
  • A complex password prevents using passwords that are easy to guess or crack. On a Microsoft system, complex passwords:
    • Must be over 7 characters or more.
    • Must include a minimum of three of the four types of special characters (e.g., lower case letters, upper case letters, numbers, or !, @, #, $, %, ^, &, *).
    • Cannot use dictionary words or any part of the user login identification.
    Note: Longer passwords is the single best rule to enforce when designing complex passwords.

Be aware of the following for controlling user account and password security:

  • For large environments, implement a password management system with a self-service password reset management system. This allows users to change their own passwords and ensures that only they know them. In a system where administrators hand out passwords that users cannot change, passwords are very insecure. In this type of arrangement, no matter how complex the password may be, more than one person knows what it is, and that can affect the security of the system.
  • Implement account auditing to track incorrect logon attempts. Small numbers of incorrect logon attempts occur naturally as users mis-type or forget passwords. Large numbers of incorrect logon attempts could identify a potential hacker trying to guess passwords.
  • Scan systems to identify unused user accounts or accounts with blank passwords.
  • When implementing account lockout and account policies on Microsoft systems:
    • The local security policy controls policies for user accounts defined on a local system.
    • Policy settings in Group Policy are linked to the domain control settings for all user accounts in the domain. Settings defined at other levels in Group Policy do not affect password or account lockout settings.
  • Disable and/or remove unnecessary accounts installed on the operating system by default or specific user accounts which are no longer needed.