Account Lockout Policy

Discussion in 'Windows Small Business Server' started by Brandon S., Dec 8, 2004.

  1. Brandon S. (Guest)

    Where should the account lockout policy be applied (how many bad login
    attempts are allowed, etc.)? I assumed it should be applied to the Default
    Domain Policy, but after applying it there, it doesn't have any effect.
    Brandon S., Dec 8, 2004
    #1

  2. Consider this with account lockouts....

    If I can find out the NetBIOS name of your web server, then I know the
    anonymous user account and "IWAM" account, which would be IUSR_servername
    and IWAM_servername. So then all I have to do is find a way to get the
    server to accept credentials... I then send the *wrong* password (easy, since
    I don't know it anyway) over and over till I lock out the account. The web
    services now go bonkers because the IUSR and IWAM accounts are now shut
    down. It wouldn't matter how many attempts you set it to; I would just keep
    sending bad credentials until it finally locked out.

    Account lockouts are a DoS attack waiting to happen.
    Phillip Windell, Dec 8, 2004
    #2
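The failure mode described above (a service account such as IUSR_servername locked out by a stream of bad passwords) is something a defender wants to see in the logs before the web site goes down. The following is an added example, not code from this thread or from Windows: it runs over a constructed, hypothetical record format (timestamp, event type, account, source) rather than a real Security-log export, and flags both lockouts of IIS service accounts and the burst of bad-password events from one source that precedes them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format (not a real Windows
# event export): (timestamp, event type, account name, source address).
SAMPLE_EVENTS = [
    ("2004-12-08 10:00:01", "bad_password", "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:00:02", "bad_password", "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:00:03", "bad_password", "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:00:04", "bad_password", "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:00:05", "bad_password", "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:00:05", "lockout",      "IUSR_SBS01", "203.0.113.7"),
    ("2004-12-08 10:05:00", "bad_password", "jsmith",     "192.168.1.20"),
    ("2004-12-08 11:30:00", "bad_password", "jsmith",     "192.168.1.20"),
    ("2004-12-08 12:00:00", "lockout",      "bob",        "192.168.1.21"),
]

# Prefixes of the IIS anonymous / out-of-process accounts named in the post.
SERVICE_PREFIXES = ("IUSR_", "IWAM_")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def service_account_lockouts(events, prefixes=SERVICE_PREFIXES):
    """Lockouts of service accounts: each one is the outage the post warns about."""
    return [(acct, src) for _, ev, acct, src in events
            if ev == "lockout" and acct.upper().startswith(prefixes)]


def bad_password_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return (account, source, count) for every (account, source) pair that
    produced at least `threshold` bad-password events inside a sliding window."""
    per_key = defaultdict(list)
    for ts, ev, acct, src in events:
        if ev == "bad_password":
            per_key[(acct, src)].append(parse_ts(ts))
    bursts = []
    for (acct, src), times in per_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((acct, src, best))
    return bursts
```

The burst detector fires on the attempts themselves, so the service account can be protected (for example by excluding it from the lockout threshold or blocking the source) before the lockout event ever appears.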
