The Business Case for Account Lockout Management

By : NetWrix
INFORMATION
Published : Aug 21, 2007
Length : 12
Type : White Paper
Overview :
This white paper covers the account lockout management process and introduces new, cost-effective workflows for account lockout resolution, describing the significant ROI enterprises can achieve by using automated management solutions.
Browse Related Categories : Access Control, Authentication, Intrusion Prevention, Password Management

BENEFITS AND DISADVANTAGES OF ACCOUNT LOCKOUTS
Account lockout is the process of automatically disabling ("locking") a user account when certain criteria are met, such as too many failed logon attempts. Its purpose is to stop attackers from guessing a user's password by brute force: too many bad guesses and the account is locked out.
On the one hand, account lockout provides a good base for implementing secure password policies, as it makes it practically impossible for an attacker to perform password-guessing (brute-force) attacks against user account passwords. The typical Account Lockout Policy values (suggested by Microsoft in its Account Lockout Best Practices white paper) automatically lock a user account after 10 invalid logon attempts and prevent further logons for 30 minutes. After the 30 minutes elapse the attacker gets another 10 attempts, but at that rate it would obviously take thousands of years to crack the password. Combined with the Password Policy, namely the 'Maximum Password Age' setting, which forces users to change their password periodically (e.g. every 30 days), this creates virtually bullet-proof password security.
On the other hand, imagine a user who returns from a long vacation, tries to remember his or her password, makes a number of guesses and exceeds the allowed number of attempts. Or the user may simply mistype the password 10 times in a row because he hasn't had his coffee yet. The account gets locked out and a call to the helpdesk follows, consuming expensive business resources, both in the time spent resolving the issue and in lost employee productivity. Password expiration brings another challenge: once a password is changed, it is updated in Active Directory, but nowhere else. What does this mean? Ideally, users change their passwords at the beginning of the business day, during their first logon. In practice, however, passwords expire at any time, and the old password remains in use in many places: active user sessions, batch processes, mapped network drives and so on. The most complicated scenario occurs when critical system services and scheduled tasks keep using stale credentials, repeatedly locking their account out without any visible indication; the applications start behaving unpredictably and the services eventually fail.
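To make the policy arithmetic above concrete, here is an added simulation (not code from the white paper or from NetWrix) of a simplified lockout counter with the 10-attempt / 30-minute values the text cites. It counts how many guesses a domain controller would actually evaluate per day against a guesser that never stops, and turns that into an upper bound on the time needed to exhaust an 8-character alphanumeric password space; the reset window and the per-second guess rate are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    # Values suggested by Microsoft's Account Lockout Best Practices, as cited above
    threshold: int = 10           # invalid attempts before the account locks
    duration_s: int = 30 * 60     # lockout duration: 30 minutes
    reset_after_s: int = 30 * 60  # assumed quiet period after which the bad-attempt counter resets

@dataclass
class Account:
    bad_count: int = 0
    last_bad_s: Optional[int] = None
    locked_until_s: Optional[int] = None

def attempt_logon(acct: Account, policy: LockoutPolicy, now_s: int, password_ok: bool) -> str:
    """One logon attempt at time now_s (seconds).
    Returns 'ok', 'bad' (wrong password, evaluated), 'locked' (this attempt triggered
    the lockout) or 'rejected' (account is locked, password not even evaluated)."""
    if acct.locked_until_s is not None:
        if now_s < acct.locked_until_s:
            return "rejected"
        acct.locked_until_s = None        # lockout expired, counter starts fresh
        acct.bad_count = 0
    if acct.last_bad_s is not None and now_s - acct.last_bad_s >= policy.reset_after_s:
        acct.bad_count = 0                # observation window elapsed
    if password_ok:
        acct.bad_count = 0
        return "ok"
    acct.bad_count += 1
    acct.last_bad_s = now_s
    if acct.bad_count >= policy.threshold:
        acct.locked_until_s = now_s + policy.duration_s
        return "locked"
    return "bad"

def guesses_evaluated(policy: LockoutPolicy, total_s: int = 24 * 3600) -> int:
    """Simulate a guesser that submits one wrong password every second and count how
    many guesses the domain controller actually evaluates within total_s seconds."""
    acct = Account()
    return sum(attempt_logon(acct, policy, t, False) in ("bad", "locked")
               for t in range(total_s))

def years_to_exhaust(policy: LockoutPolicy, keyspace: int) -> float:
    """Upper bound on the time to try every password in `keyspace` under the policy."""
    per_year = guesses_evaluated(policy) * 365
    return keyspace / per_year
```

With the default policy the simulation evaluates 480 guesses per day, so `years_to_exhaust(LockoutPolicy(), 62**8)` is well over a billion years; the same model also reproduces the vacation scenario, where ten wrong guesses lock the user out even when the next attempt uses the right password.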

THE CHALLENGE OF ACCOUNT LOCKOUT MANAGEMENT
Needless to say, account lockout is a must-have feature for every modern network, and failing to implement it puts your entire organization's security at serious risk. But how should you deal with all the complications that account lockout issues bring?
Let's first divide the common reasons for account lockouts into major categories and then describe the typical workflows. The categories are:

1) Human factor - the user mistyped or forgot his or her password.

2) Machine factor - system services, background applications and similar components that use stale credentials.

3) External factor - brute-force attacks attempting to break your network security.

4) Other reasons - e.g. failure of Active Directory replication.

Human Factor
A mistyped or forgotten password is the most common scenario; it happens all the time and creates many helpdesk tickets, but it is quite straightforward to resolve: the helpdesk person obtains the account name from the user, asks some verification questions (e.g. mother's maiden name or place of birth) and first tries to unlock the account, in case the user still remembers the password. If the user can't remember it, the helpdesk person sets a new temporary password, the user logs on and is prompted for a new password by the system.
The tricky part here is the secret question/answer pair: a dedicated database must be maintained that associates user accounts with their secrets. If you don't implement a verification procedure, you lose security, since potentially anyone can contact the helpdesk, request a password reset and easily log on to the network, gaining access to confidential business data. User verification is also part of Sarbanes-Oxley (SOX) compliance with regard to a secure organization environment.

Machine Factor
As stated above, such issues arise when services and applications continue to use the old password after it has been changed to satisfy the password expiration policy. The new password must be applied everywhere the account is referenced; failing to do so results in account lockout, since programs accessing protected resources request authentication from domain controllers using the old credentials, and the domain controllers enforce the lockout policy. Other ways an account can get locked out include:

- Stale logon credentials cached by Windows.

- Scheduled tasks set up under stale credentials.

- Network shares mapped under stale credentials.

- Disconnected terminal service sessions that use stale credentials.

- Users logged on to multiple computers at once who change their password on one of them.
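Finding which host is silently locking an account out is the first step of the machine-factor workflow. The following added triage routine (not part of the white paper or of NetWrix's product) groups failed logons by account and source host and uses two signals to separate a stale-credential retry loop from a person mistyping: an unattended logon type (network, batch or service) and failures recurring at an even interval. The records are constructed sample data modelled loosely on the fields a Windows Security log carries for a failed logon; the field layout and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of failed logons: (account, source host, logon type, minute of day).
# Logon types follow the Windows convention: 2 interactive, 3 network, 4 batch, 5 service.
SAMPLE_FAILURES = (
    [("jdoe", "APPSRV01", 5, m) for m in range(0, 150, 15)]   # a service retrying a stale password
    + [("jdoe", "WS-017", 2, 540)]                            # one genuine typo at the console
    + [("asmith", "WS-042", 2, m) for m in (541, 541, 542, 542, 543, 543, 544, 544, 545, 545)]
)

INTERACTIVE = {2, 7, 10, 11}   # console, unlock, remote desktop, cached interactive
UNATTENDED = {3, 4, 5}         # network, batch (scheduled task), service

def is_periodic(times, rel_tolerance=0.1):
    """True when failures recur at a near-constant interval, the signature of a retry loop."""
    if len(times) < 4:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) <= rel_tolerance * avg

def lockout_sources(records):
    """Group failures per account and source host; return, per account, a list of
    (host, logon_type, count, verdict) with the busiest source first."""
    by_key = defaultdict(list)
    for account, host, logon_type, minute in records:
        by_key[(account, host, logon_type)].append(minute)
    report = defaultdict(list)
    for (account, host, logon_type), times in by_key.items():
        times.sort()
        if logon_type in UNATTENDED and is_periodic(times):
            verdict = "machine factor: stale credential on this host"
        elif logon_type in INTERACTIVE:
            verdict = "human factor: user typing at this host"
        else:
            verdict = "unclassified"
        report[account].append((host, logon_type, len(times), verdict))
    for entries in report.values():
        entries.sort(key=lambda e: -e[2])   # busiest source first
    return dict(report)
```

For the sample data, `lockout_sources(SAMPLE_FAILURES)["jdoe"][0]` points at APPSRV01 as a stale-credential source, which is where the new password needs to be applied before the account will stay unlocked.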
