HP StorageWorks X5000 Technical Manual page 14

NAS Security: Technical Guide to NSA, C2, E3-FC2, and CC Security Compliancy

Account Lockout Threshold (Domain Member Default): 0 invalid login attempts
The Account lockout threshold setting determines the number of failed logon attempts a user can make before the account is locked. Authorized users can lock themselves out of an account by entering their password incorrectly, or by changing their password on one computer while still logged on to another. The computer that still holds the old password may keep trying to authenticate the user, and because that password is now incorrect, the account is eventually locked out. To avoid locking out authorized users, set the account lockout threshold to a high number. Because vulnerabilities exist both when a value is configured for this setting and when it is not, distinct countermeasures are defined for each case. Organizations should weigh the choice between the two based on the threats they have identified and the risks they are trying to mitigate.
To prevent account lockouts, set the Account lockout threshold setting to 0. Setting it to 0 helps reduce help desk calls because users cannot accidentally lock themselves out of their accounts, and it prevents a DoS attack aimed at intentionally locking out accounts within the company. Because it does not prevent a brute force attack, choose this setting only if both of the following criteria are explicitly met:
o The password policy forces all users to have complex passwords made up of eight or more characters.
o A robust auditing mechanism is in place to alert administrators when a series of account lockouts is occurring in the environment. For example, the auditing solution should monitor for security event 539, "Logon failure. The account was locked out at the time the logon attempt was made". This event means that the account was already locked out when the logon attempt was made. However, event 539 only shows an account lockout, not a failed password attempt. Therefore, administrators should also monitor for a series of bad password attempts.
If these criteria are not met, the second option is to configure the Account lockout threshold setting to a value high enough that users can accidentally mistype their password several times without locking themselves out of their accounts, while ensuring that a brute force password attack will still lock out the account. In this case, setting the invalid logon attempts to a high number such as 50 ensures adequate security and acceptable usability. This value will prevent accidental account lockouts and reduce help desk calls, but will not prevent the DoS attack mentioned above. This guide recommends setting the value to 10 invalid login attempts in the High Security environment.
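The auditing check described above, as an added Python example that is not part of the manual: it scans constructed security-log records for event 539 lockouts and for bursts of bad-password attempts per account inside a sliding time window, which is the monitoring the guide asks for when a lockout threshold of 0 means no 539 will ever appear. It assumes the pre-Vista bad-password event ID 529 (not named on the page); the account names, workstations and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of legacy Windows security-log records (not from the manual):
# (timestamp, event id, target account, source workstation).
# 539 = "Logon failure. The account was locked out at the time the logon attempt was made".
# 529 = "Logon failure: unknown user name or bad password" (pre-Vista id, assumed here).
SAMPLE_EVENTS = [
    ("2004-03-01 09:00:05", 529, "jdoe", "WS-ALICE"),   # two mistyped passwords...
    ("2004-03-01 09:00:09", 529, "jdoe", "WS-ALICE"),
    ("2004-03-01 09:01:30", 528, "jdoe", "WS-ALICE"),   # ...then a successful logon (ignored)
] + [
    # 60 bad-password failures in four minutes against one account
    (f"2004-03-01 10:{s // 60:02d}:{s % 60:02d}", 529, "svc_backup", "WS-LAB7")
    for s in range(0, 240, 4)
] + [
    ("2004-03-01 10:04:01", 539, "svc_backup", "WS-LAB7"),
    ("2004-03-01 10:04:05", 539, "svc_backup", "WS-LAB7"),
]

def parse(events):
    """Convert the textual timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ws)
            for ts, eid, acct, ws in events]

def bad_password_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return {account: total 529 count} for accounts that reached `threshold`
    bad-password events inside any sliding `window`. This is the extra check
    the guide asks for, since event 539 alone never shows failed passwords."""
    per_account = defaultdict(list)
    for ts, eid, acct, _ in parse(events):
        if eid == 529:
            per_account[acct].append(ts)
    flagged = {}
    for acct, times in per_account.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[acct] = len(times)
                break
    return flagged

def locked_out_accounts(events):
    """Accounts that produced event 539: already locked out when a logon was tried."""
    return sorted({acct for _, eid, acct, _ in parse(events) if eid == 539})
```

With the default threshold of 10 in 5 minutes, only the service account is flagged; the two mistakes by jdoe stay below the alerting line.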
Account Lockout Threshold
  Legacy Client:          50 invalid login attempts
  Enterprise Client:      50 invalid login attempts
  High Security Client:   10 invalid login attempts
