Danny Sanders wrote:
> I agree with Meinolf, they should not know the username for the
> service accounts and if they do and try to hack it by typing in
> random passwords, there should be a written policy (that the user
> signs) that outlines the fact that they should only be using their
> own account to log into the company network and if they use someone
> else's account, that would be grounds for termination.
>
Agree with you both but playing a little devil's advocate. Often there are
authenticated users on the inside with the knowledge and skills to ascertain
service account names and have fun and games with disruptive behavior. Many
orgs too often are overgenerous with various 'guest' type accounts that are
difficult to find accountability for such actions.
Anyway, I've always thought lockouts should be applied to specific sources
of failed authentication attempts and not globally as they are now. Guess I
should get off my duff and DCR it before V.next gets too far along.
Back to the tools at hand. In 2008 service accounts can be part of a fine
grained password policy that has a different lockout policy and mitigate
this to a degree.
Better yet is R2 and use managed service accounts.
.... but I'd still like to see the lockout behavior changed to limit the
scope of any such attempt to deny services.
>
> hth
> DDS
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>> Hello Phil,
>>
>> Why should they do this? Normally they don't know the accounts you
>> use for this or do you list all accounts and there needs on the web?
>> And if your users are trying to hack the network, well basically
>> this should be a reason to say good bye to them.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> Thanks for the reply. How would you recommend that I stop a user
>>> from typing that service account username into their login prompt
>>> with a bad password 5 times and locking out the service account on
>>> purpose (very simple denial of service attack)?
>>>
>>> Thanks,
>>>
>>> Phil
>>>
>>> <Meinolf Weber [MVP-DS]> wrote in message
>>> news:. com...
>>>
>>>> Hello Phil,
>>>>
>>>> A service account should be configured only with the really needed
>>>> permissions and user right assignments in the GPOs, basically
>>>> domain user. Then set a loooonnnnggg strong password and configure
>>>> the user account properties to "Password never expires". This
>>>> account shouldn't be known/used by anyone except the domain admins
>>>> and you are done. Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Since the default domain policy in Windows 2003 only allows one
>>>>> account lockout policy for ALL users in a domain, what is the best
>>>>> way to ensure that accounts used to run services don't get locked
>>>>> out by users typing them in accidentally (or maliciously) at a
>>>>> logon prompt with the wrong password (and thereby locking out the
>>>>> account and bringing down whatever services the account runs).
>>>>>
>>>>> The only thing I can think of is to use the Logon Workstations
>>>>> restriction on these service accounts to restrict them from being
>>>>> used anywhere but on the machine that houses the services they are
>>>>> used to run.
>>>>>
>>>>> Any other ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Phil
--
/kj
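
The steps discussed in this thread (a 2008-level fine-grained password policy with its own lockout settings for the service accounts, Phil's Logon Workstations restriction, and a 2008 R2 managed service account), worked through in PowerShell as an added example. This is not code from any of the posters; the group, account, host and PSO names are assumptions, and it needs the ActiveDirectory module (RSAT / 2008 R2) run as a domain admin.

```powershell
# Added example, not from the thread. Names below are assumptions.
Import-Module ActiveDirectory

$groupName = 'SvcAccounts-NoLockout'   # assumed group that collects the service accounts
$svcUser   = 'svc-sql01'               # assumed existing service account
$svcHost   = 'SQL01'                   # assumed member server that runs the service
$psoName   = 'PSO-ServiceAccounts'     # assumed fine-grained password policy name

# 0. Find out what is actually being locked out, and from where. Event 4740 on
#    the PDC emulator carries the "Caller Computer Name" of the failed attempts,
#    which is the closest thing to the per-source view kj is asking for.
$pdc = (Get-ADDomain).PDCEmulator
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# 1. Group the service accounts so one PSO covers all of them (PSOs apply to
#    users and global security groups, not to OUs).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $svcUser

# 2. Fine-grained password policy (2008 domain functional level or later).
#    LockoutThreshold 0 means bad passwords never lock these accounts, so a
#    typed-in flood cannot take the service down. The trade-off is that the
#    accounts can now be guessed at without tripping lockout; the long minimum
#    length is what compensates. A lower Precedence number wins over the
#    default domain policy for members of the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -LockoutThreshold 0 `
        -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
        -MinPasswordLength 25 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 3. Check the policy the DC will really apply to the account (resultant PSO),
#    rather than trusting the group membership alone.
Get-ADUserResultantPasswordPolicy -Identity $svcUser |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength

# 4. Phil's own idea, plus Meinolf's "Password never expires" (the account flag
#    overrides the PSO's MaxPasswordAge). Restricting logon workstations limits
#    where the account may be used; it does not by itself stop a wrong password
#    typed elsewhere from counting against badPwdCount, which is why step 2 is
#    the part that actually removes the lockout exposure.
Set-ADUser -Identity $svcUser -LogonWorkstations $svcHost -PasswordNeverExpires $true

# 5. 2008 R2: a standalone Managed Service Account. AD owns and rotates the
#    password, so there is nothing for a user to type at a logon prompt.
#    -RestrictToSingleComputer is needed on 2012+ cmdlets (where the default
#    is a group MSA); on 2008 R2 the switch does not exist and is simply omitted.
$msa = 'msa-sql01'
New-ADServiceAccount -Name $msa -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity $svcHost -ServiceAccount $msa
# Then, on $svcHost itself (ActiveDirectory module installed there):
#   Install-ADServiceAccount -Identity 'msa-sql01'
# and point the service at DOMAIN\msa-sql01$ with an empty password field.
```

Run steps 0 to 4 from any box with the AD module; step 5 is only available once the domain has a 2008 R2 schema, and the Install-ADServiceAccount call has to be made on the server that will run the service. After the PSO is in place, repeat step 0 a few days later: if 4740 events for the service account have stopped but the Caller Computer Name keeps showing up for other accounts, that is the workstation to go and look at.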