Geeks With Blogs

Totzkeeeeee's Blog - Just because I can...

Account Lockout Policy == DoS

On its face, enabling the account lockout policy seems like a good idea.  Get the password wrong n times and you’re fine; get it wrong n + 1 times and your account is locked out for a period of time, typically 30 minutes.  If no lockout duration has been defined (a duration of 0), the account stays locked until an administrator unlocks it, so a call to the help desk is required.  Even when a duration is defined, most users are not aware of the policy and call anyway.  And even if they are aware of it, how many users do you know who can afford to sit around doing nothing for 30 minutes?

The policy assumes that an attacker has some form of access to the network and is trying to brute-force passwords.  Again, this sounds like something you’d want to slow down.  But what if the goal isn’t to guess passwords but simply to cause a denial of service?  We don’t even have to assume a malicious “hacker”.  Maybe somebody just wants to hassle a co-worker.  All they need to do is try to log on as that person 4 or 5 times and the account gets locked out.  The neat part is that the target of the attack won’t notice until the next time they log on or try to access a network resource, and at that point they will probably think they did it to themselves.

I’ve actually been doing it to myself this week.  I am at a client site where I’ve been before, but my password has been reset since I was here last.  I use my own equipment and am not part of the domain, so everything I access here uses pass-through authentication and cached credentials.  Credentials are cached on a per-resource basis: connecting to a file share on one machine with a domain account will not automatically allow me to connect to other resources, even though I may have access permission.  I connect to 4 or 5 different machines here at one time or another.  The first time I try to connect to a resource, Windows tries to use cached credentials, which fail because they have the old password.  Maybe I get the password wrong once myself, and suddenly, even when I type it really, really slowly, I still get denied.

There’s no shortage of legitimate sources of account lockout either.  The bad-password count is kept per account, not per resource, so failures submitted from any number of machines add up against the same threshold.  Here are some other ways in which account lockout can be triggered:

  • Applications using cached credentials that are stale.
  • Stale service account passwords cached by the Service Control Manager (SCM).
  • Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
  • Scheduled tasks and persistent drive mappings that have stale credentials.
  • Disconnected Terminal Service sessions that use stale credentials.
  • Failure of Active Directory replication between domain controllers.
  • Users logging into two or more computers at once and changing their password on one of them.
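
To work out which of these is responsible, go to the domain controller: each lockout is recorded there as Security event 4740 (“A user account was locked out”), which names the locked account and the caller computer that submitted the bad password.  The script below is an added example and is not part of the original post.  It assumes it is run on a domain controller (the PDC emulator records every lockout in the domain) by someone who can read the Security log, and it uses the account name 'dave' and a 24-hour look-back as placeholder values.

```powershell
# Added example (not from the original post): find the computer behind an account lockout.
# Run on a domain controller, ideally the PDC emulator, with rights to read the Security log.
# Placeholder values: the account name 'dave' and a 24-hour look-back.
param(
    [string]$User  = 'dave',
    [int]   $Hours = 24
)

# Security event 4740 ("A user account was locked out"). Its EventData fields, in order:
#   Properties[0] TargetUserName   = the account that was locked out
#   Properties[1] TargetDomainName = for 4740 this carries the caller computer name
#                                    (the machine that submitted the bad password)
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    if ($e.Properties[0].Value -ne $User) { continue }
    [pscustomobject]@{
        Time             = $e.TimeCreated
        Account          = $e.Properties[0].Value
        CallerComputer   = $e.Properties[1].Value
        DomainController = $e.MachineName
    }
}

if (-not $lockouts) {
    Write-Host "No 4740 events for '$User' in the last $Hours hours on $env:COMPUTERNAME."
    return
}

# Every lockout for the account, oldest first.
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Tally per caller. A machine that keeps showing up is the one still holding the old
# password: a mapped drive, a scheduled task, a service, or a disconnected RDP session.
$lockouts | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'CallerComputer'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Event 4740 is only written when success auditing for “Audit User Account Management” is enabled, which it is in the default domain controller policy; on a Windows Server 2003 DC the equivalent classic event is 644.  Once you know the caller computer, the 4625 (failed logon) events in that machine’s own Security log show the logon type and process that keep submitting the old password.  If the lockout duration is 0, an administrator clears the lock with Unlock-ADAccount from the ActiveDirectory module or from the account’s properties in Active Directory Users and Computers.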

You can view and manage your stored credentials using Credential Manager in Windows Vista/7 (Control Panel –> User Accounts and Family Safety –> Credential Manager) or via the User Accounts Control Panel applet in Windows XP (Control Panel –> User Accounts –> [User Account], then select Manage My Network Passwords under Related Tasks).
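
The same store can be cleaned up from the command line with cmdkey.exe, which is useful when you have stale entries for several hosts at one site and each of them costs you a lockout attempt.  The script below is an added example, not part of the original post.  It assumes the documented bare-name form of the delete command (cmdkey /delete:Server01) removes an entry listed as Domain:target=Server01, and it uses the host-name pattern 'client' as a placeholder for the machines you connect to at that site.

```powershell
# Added example (not from the original post): list the credentials Windows has stored for the
# hosts at a site and delete them, so the next connection prompts for the new password instead
# of replaying the old one and burning another lockout attempt. Wraps cmdkey.exe (XP and later).
# Placeholder value: the pattern 'client' matching the host names you connect to at that site.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetPattern = 'client'
)

# cmdkey /list prints one block per stored credential, for example:
#     Target: Domain:target=fileserver01
#     Type: Domain Password
#     User: CORP\dave
# Only the Target line is needed to identify an entry.
$targets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
}

$stale = @($targets | Where-Object { $_ -like "*$TargetPattern*" })
if ($stale.Count -eq 0) {
    Write-Host "No stored credentials match '*$TargetPattern*'."
    return
}

foreach ($target in $stale) {
    # Entries are stored as "<type>:target=<name>" (Domain:target=..., LegacyGeneric:target=...).
    # Assumption: cmdkey /delete takes the bare <name>, as in the documented "cmdkey /delete:Server01".
    $name = $target -replace '^[^:]+:target=', ''
    if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
        cmdkey "/delete:$name" | Out-Null
        Write-Host "Deleted stored credential for $target"
    }
}
```

Run it with -WhatIf first to see which entries would go; cmdkey /list on its own shows everything in the store.  After the stale entries are gone, the next connection to each host prompts for the password, or you can supply it explicitly with net use \\server\share /user:DOMAIN\name so that the new credential is stored on the first try.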

Well, my account should be enabled again now.  Hopefully I’ve taken care of all of the cached credentials that were giving me trouble.

Dave
Just because I can…
(Woo hoo!  I’m in!)

Posted on Monday, August 30, 2010 8:52 AM


Comments on this post: Account Lockout Policy == DoS

Copyright © David Totzke | Powered by: GeeksWithBlogs.net