Domain Level: Hardening The Domain Infrastructure Account Lockout Policy - HP StorageWorks X5000 Technical Manual

NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC Security Compliancy
Store Password Using Reversible Encryption

Domain Member Default    Legacy Client    Enterprise Client    High Security Client
Disabled                 Disabled         Disabled             Disabled

The Store password using reversible encryption security setting determines whether the operating
system stores passwords using reversible encryption. This policy supports applications that use
protocols requiring the user's password for authentication. Passwords stored using reversible
encryption can be retrieved far more easily than passwords stored without this option, which increases
vulnerability. For this reason, never enable this policy unless application requirements outweigh the
need to protect password information. Challenge-Handshake Authentication Protocol (CHAP) through
remote access or IAS and Digest Authentication in IIS both require this policy.

2.5 Domain Level: Hardening the Domain Infrastructure Account Lockout Policy

The Account lockout policy is a Windows Server 2003 security feature that locks a user account after
a number of failed logon attempts occur within a specified time period. The number of attempts
allowed and the time period are based on the values configured for the security policy lockout
settings. A user cannot log on to a locked account. Windows Server 2003 tracks logon attempts, and
the server software can be configured to respond to this type of potential attack by disabling the
account after a preset number of failed logons. These security policy settings help prevent attackers
from guessing user passwords, and they decrease the likelihood of successful attacks on the network.
The values in the following sections can be configured in the Domain Group Policy at the following
location:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Account Lockout Duration

Domain Member Default    Legacy Client    Enterprise Client    High Security Client
Not defined              30 minutes       30 minutes           15 minutes

The Account lockout duration setting determines the length of time before an account is unlocked and
a user can try to log on again. It does this by specifying the number of minutes a locked out account
remains unavailable. Setting the Account lockout duration value to 0 keeps accounts locked out until an
administrator unlocks them. The Windows Server 2003 default value for this setting is Not Defined.
While configuring this setting so that accounts never unlock automatically may seem like a good idea,
doing so may increase the number of calls the company help desk receives to unlock accounts that were
locked by mistake. Setting this value to 30 minutes for the Legacy and Enterprise Client environments
and 15 minutes for the High Security level decreases the operational overhead during a denial of
service (DoS) attack. In a DoS attack, the attacker deliberately performs a number of failed logon
attempts against all users in the organization, locking out their accounts. This setting value also
gives locked out users the chance to log on again after 30 minutes, a period of time they are more
likely to accept without resorting to the help desk. This guide recommends setting the value to 15
minutes in the High Security environment.
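The following Python model is an added example, not part of the HP manual; it reproduces the lockout mechanics the section describes (a failed-logon threshold, a counter that resets after a quiet period, and a lockout duration where 0 means "locked until an administrator unlocks") so the trade-off between the 30-minute, 15-minute and 0 settings can be seen on a simulated clock. The threshold of 5 and the 30-minute reset window used in the demo function are assumed values chosen for illustration, not settings the guide prescribes; the class and function names are likewise invented here.

```python
"""Model of the Windows account lockout policy described above (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy settings; times are minutes."""
    threshold: int     # Account lockout threshold: failed logons before lockout (0 = never lock)
    reset_after: int   # Reset account lockout counter after: minutes since the last failure
    duration: int      # Account lockout duration: 0 = locked until an administrator unlocks


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None   # minutes on a simulated clock
    locked_at: Optional[float] = None


class LockoutTracker:
    """Applies a LockoutPolicy to logon attempts on a simulated clock (minutes)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        # duration 0 means the lock never expires on its own
        if self.policy.duration > 0 and now - st.locked_at >= self.policy.duration:
            self.accounts[user] = AccountState()   # auto-unlock also clears the counter
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked_out' for one logon attempt."""
        if self.is_locked(user, now):
            return "locked_out"   # even the correct password is rejected while locked
        st = self._state(user)
        if password_ok:
            self.accounts[user] = AccountState()   # successful logon clears the bad-password count
            return "ok"
        # the counter resets once the reset window has elapsed since the previous failure
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if self.policy.threshold and st.failures >= self.policy.threshold:
            st.locked_at = now
            return "locked_out"
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        """The only way out of a lockout when duration is 0."""
        self.accounts[user] = AccountState()

    def locked_accounts(self, now: float):
        return sorted(u for u in list(self.accounts) if self.is_locked(u, now))


def lockout_dos_recovery(duration: int, users, attack_time: float = 0.0) -> dict:
    """Lock every listed user at once (the DoS case in the text) and report how many
    are still locked 0, 15, 30 and 60 minutes later under the given lockout duration.
    Threshold 5 and a 30-minute reset window are assumed for the demonstration."""
    tracker = LockoutTracker(LockoutPolicy(threshold=5, reset_after=30, duration=duration))
    for user in users:
        for _ in range(tracker.policy.threshold):
            tracker.attempt(user, False, attack_time)
    return {t: len(tracker.locked_accounts(attack_time + t)) for t in (0, 15, 30, 60)}


if __name__ == "__main__":
    staff = ["alice", "bob", "carol"]   # constructed sample accounts
    for d in (0, 15, 30):
        print(f"duration={d:>2} min -> accounts still locked at +0/+15/+30/+60 min:",
              lockout_dos_recovery(d, staff))
```

With duration 0 every account stays locked until an administrator intervenes, which is exactly the help-desk load the section warns about; with the guide's 30-minute or 15-minute values the same mass lockout clears itself at the next reporting interval.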