7

The default behaviour of windows is to lockout an account after a number of failed authentication attempts (usually three)..

This means that with the following

net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword

You can lock out a user and potentially even take down an entire company if none of the accounts have the "This account can never be locked out" checked.

Is this security "feature" really a denial of serice attack enabler ? And should this be disabled by default.

An organisation is particularly vunerable with this to the rogue employee scenario.

Bruce McLeod
  • 1,738
  • 2
  • 14
  • 12

4 Answers4

5

I wasn't aware that this is default behavior, and it is definitely a denial of service waiting to happen. Temporary lockout (or simple slow-down) is usually sufficient to fend off brute force attacks (There's a lot of discussion on this topic, I can remember a few StackOverflow questions dealing with this, more in the area of website logins though). Yes, they're also a potential denial of service, but only for the duration of the attack.

I don't agree completely with Dave Cheney, while you should be concerned with physical security, a disgruntled employee (more often an issue at larger companies than at smaller) and a borrowed (trusted hardware) login-screen is all it takes to lock down vital functions of the company, so I don't believe it to be sufficient.

falstro
  • 2,675
  • 3
  • 18
  • 10
4

Yes, it is a potential denial of service attack. That's why the Microsoft recommendations in the Windows Server 2003 Security Guide have password unlock set for 15 minutes. NSA was the first I saw to really propose using password unlock, and that was back in the Windows 2000 days.

However, if you have a password unlock, the problem is the attacker is still out there, meaning the attacker can still try and crack passwords (if that's the real intent). The key is to figure out where the attack is coming from and shut it down. Once you've done that, execute a script to automatically unlock all the accounts.

K. Brian Kelley
  • 9,004
  • 31
  • 33
  • You could even lower the unlock-time to a couple of minutes. You want it to be low enough to keep people from calling support, but high enough to stop automated attacks. And just adding one minute delay per 3 tries will slow an automated attack considerably. – Commander Keen May 12 '09 at 23:26
3

Is it a potential denial of service attack, yes

Should you disable it? No, you should look at the physical security problem that let untrusted hardware onto your network.

Dave Cheney
  • 18,307
  • 7
  • 48
  • 56
0

I don't know which version of Windows you are talking about, but Windows 2003 has the default domain lockout threshold set to 0, which means lockouts are not enabled.

PowerApp101
  • 2,604
  • 1
  • 20
  • 28