The Business Case for Account Lockout Management

White Paper: The Business Case
for Account Lockout Management written by NetWrix Corporation
r
© Copyright NetWrix Corporation. 2007. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of NetWrix Corporation. WARRANTY The information contained in this document is subject to change without notice. NetWrix Corporation makes no warranty of any kind with respect to this information. NETWRIX SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NetWrix Corporation shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information. TRADEMARKS All trademarks and registered trademarks used in this guide are property of their respective owners. http://www.netwrix.come-mail: contact@netwrix.com phone: +1.888.NETWRIX (888.638.9749) Updated-August 20, 2007
2 of 2 The Business Case for Account Lockout Management
CONTENTS
CONTENTS 1 
INTRODUCTION 2 
BENEFITS AND DISADVANTAGES OF ACCOUNT LOCKOUTS 3 
THE CHALLENGE OF ACCOUNT LOCKOUT MANAGEMENT 4 
THE COST OF ACCOUNT LOCKOUT 5 
AUTOMATED SOLUTION APPROACH 6 
CALCULATING RETURN ON INVESTMENT 7 
CONCLUSION 8 
ABOUT NETWRIX CORPORATION 9 
NOTES 10 
1 of 10 White Paper
INTRODUCTION How many help desk calls you get from users asking to reset their passwords? How much you spend on administrative staff just to handle account lockout issues? Loss of productivity, lots of frustrated users, huge administrative burden are just some of inevitable implications of implementing a strong password policy which is business critical to succeed today. You're not alone - recent research shows, in most organizations, more than 30% of helpdesk activity caused by account lockout issues. So, should you just give up to user complaints or there is a better way to keep up strong security requirements and effectively resolve account lockouts at the same time? Of course you can simplify password policies and reduce costs associated with your helpdesk, allowing easy to remember, non-secure passwords which never expire. But obviously, such practices make enterprise more vulnerable and introduce some other undesired effects. This white paper covers account lockout management process and introduces new cost-effective workflows of account lockout resolution, describing significant ROI enterprises can achieve through the use of automated management solutions.
2 of 10 The Business Case for Account Lockout Management
BENEFITS AND DISADVANTAGES OF ACCOUNT
LOCKOUTS Account lockout is the process of automatically disabling ("locking") a user account based on certain criteria such as too many failed logon attempts. The purpose behind account lockout is to prevent attackers from brute-force attempts to guess a user's password - too many bad guesses and you're locked out. On the one hand, account lockout provides a good base for implementing secure password policies as it makes quite impossible for an attacker to perform password guessing (also known as brute-force) attacks against user account passwords. Typical value for Account Lockout Policy (suggested by Microsoft in their Account Lockout Best 1Practices white paper ) automatically locks user accounts after 10 invalid logon attempts, preventing further logons for 30 minutes. Then after 30 minutes elapse, the attacker gets another 10 attempts, but obviously it will take thousands of years to successfully crack the password. Combined with Password Policy, namely 'Maximum Password Age' setting, which forces users to change password periodically (e.g. every 30 days), this creates virtually bullet-proof password security. On the other hand, imagine the situation wh... [download for more]