Lockout is the feature that automatically disables a user account once a pre-determined number of failed logon attempts have occurred. Lockout is a primary defense against brute-force attacks. A brute-force attack attempts to log into a system with a known user account name by repeatedly trying different password combinations. Lockout works well against both local physical access attempts and remote or network access attempts. However, lockout does not work against attacks through FTP.
Lockout should be a key part of an organization's security policy. There are three elements to defining the lockout policy:
- Failed logon attempts -- the number of times a logon can fail before the account is locked out.
- Lockout duration -- the length of time an account is locked out. If this is set to infinite then an administrator or account manager must re-enable the account manually.
- Failed logon counter reset interval -- the length of time before the count of failed logons is reset to 0.
In most cases, a lockout duration of 15 minutes is more than sufficient to thwart a brute-force attack while not requiring the intervention of an administrator every time a user fumbles their logon several times in a row. Most organizations allow three to five failed logon attempts before disabling the user account and use a counter reset interval of 15 to 30 minutes.
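The three policy elements above interact in ways that are easy to get wrong, so here is an added example (not from the article) of a minimal lockout tracker that implements them together. It assumes times are in minutes, that the failed-logon counter resets `reset_min` minutes after the last failure, and that a duration of `None` means the account stays locked until an administrator unlocks it; the audit trail it keeps is a constructed stand-in for the Security Event Log.

```python
# Added example, not from the article: a minimal tracker implementing the three
# lockout policy elements described above. Times are minutes. Assumed semantics:
# the failed-logon counter resets reset_min minutes after the LAST failure, and
# duration_min=None means "locked until an administrator unlocks the account".
class LockoutTracker:
    def __init__(self, threshold=5, duration_min=15, reset_min=30):
        self.threshold = threshold        # failed logons allowed before lockout
        self.duration_min = duration_min  # lockout duration; None = infinite
        self.reset_min = reset_min        # failed-logon counter reset interval
        self.state = {}                   # per-user counters and lock status
        self.audit = []                   # constructed audit trail: (time, user, event)

    def _st(self, user):
        return self.state.setdefault(user, {"failures": 0, "last_failure": None,
                                            "locked_until": None, "admin_locked": False})

    def is_locked(self, user, now):
        st = self._st(user)
        return st["admin_locked"] or (st["locked_until"] is not None and now < st["locked_until"])

    def attempt(self, user, password_ok, now):
        """Record one logon attempt; returns 'locked', 'success' or 'failed'."""
        st = self._st(user)
        if self.is_locked(user, now):
            self.audit.append((now, user, "attempt while locked"))
            return "locked"
        st["locked_until"] = None                      # any earlier lockout has expired
        if st["last_failure"] is not None and now - st["last_failure"] >= self.reset_min:
            st["failures"] = 0                         # reset interval elapsed
        if password_ok:
            st["failures"], st["last_failure"] = 0, None
            self.audit.append((now, user, "logon success"))
            return "success"
        st["failures"] += 1
        st["last_failure"] = now
        self.audit.append((now, user, "logon failure #%d" % st["failures"]))
        if st["failures"] >= self.threshold:           # threshold reached: lock the account
            if self.duration_min is None:
                st["admin_locked"] = True
            else:
                st["locked_until"] = now + self.duration_min
            st["failures"] = 0
            self.audit.append((now, user, "account locked"))
        return "failed"

    def admin_unlock(self, user, now):
        self._st(user).update(admin_locked=False, locked_until=None, failures=0, last_failure=None)
        self.audit.append((now, user, "unlocked by administrator"))
```

Note that a correct password presented during the lockout window is still rejected, which is exactly why the duration should be long enough to slow an attacker but short enough to avoid help-desk calls.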
Lockout by itself is a useful deterrent, but it should always be combined with logon auditing. Without a record of the activity in the Security Event Log, you will have no way of knowing the who, when and where of an account being locked out. If integrated with an intelligent intrusion-detection system (IDS), the audit trail and lockout feature can often pinpoint the cracker or the compromised system automatically.

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.