Keeping service accounts from locking

Posted by Scott Shoemaker on October 13, 2006, 5:14 pm
Hi,
We have a domain policy which dictates that locked accounts stay locked
until they are unlocked. Last week, a domain account that is used to run a
service got locked and brought an application down. So, is there any way to
specify on an individual account that it should not be locked? As a follow
on question, how is this accomplished on the Administrator account?

Thanks,
Scott

Posted by Steve Riley [MSFT] on October 13, 2006, 11:37 pm

Actually, you should do away with account lockout. It's extremely expensive (research shows the cost to reset a locked account is US$70) and it creates a wonderful mechanism for an attacker to conduct denial-of-service attacks against individual accounts or perhaps even an entire domain.

Account lockout's only function is to mitigate password guessing attacks against weak passwords. If you use strong passwords, or -- better -- long passphrases, then you don't need account lockout.

_________________________________
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

Scott Shoemaker wrote:
> Hi,
> We have a domain policy which dictates that locked accounts stay locked
> until they are unlocked. Last week, a domain account that is used to run a
> service got locked and brought an application down. So, is there any way to
> specify on an individual account that it should not be locked? As a follow
> on question, how is this accomplished on the Administrator account?
>
> Thanks,
> Scott
Posted by MPerrault on October 14, 2006, 3:26 pm
Steve,

You can manage your accounts from a single console with Service
Explorer. From one console, you do a search for services you want to update,
and change account settings.

http://www.scriptlogic.com/products/serviceexplorer/


Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@scriptlogic.com
www.scriptlogic.com

On Oct 13, 2:14 pm, Scott Shoemaker <Scott
Shoema...@discussions.microsoft.com> wrote:
> Hi,
> We have a domain policy which dictates that locked accounts stay locked
> until they are unlocked. Last week, a domain account that is used to run a
> service got locked and brought an application down. So, is there any way to
> specify on an individual account that it should not be locked? As a follow
> on question, how is this accomplished on the Administrator account?
>
> Thanks,
> Scott


Posted by Joe Richards [MVP] on October 14, 2006, 8:32 pm
No, you cannot set accounts to not lock. You either have the locking
policy or you don't. Some places will create an additional domain for
service accounts. A better solution is to use Network Service or Local
Service instead of user IDs or, as Steve suggests, get away from using
lockouts at all or change your use of them.

If you must have lockouts, consider switching to a short lockout
duration so that a lockout on the account doesn't completely black out
the service. This is an attack vector as indicated by Steve.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Scott Shoemaker wrote:
> Hi,
> We have a domain policy which dictates that locked accounts stay locked
> until they are unlocked. Last week, a domain account that is used to run a
> service got locked and brought an application down. So, is there any way to
> specify on an individual account that it should not be locked? As a follow
> on question, how is this accomplished on the Administrator account?
>
> Thanks,
> Scott

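Joe's advice above (move services off user accounts onto Local Service / Network Service, and know which service accounts a lockout can hit) turned into an inventory script, as an added example that is not part of the thread. It assumes a Windows host with PowerShell 3.0 or later; the lockout check needs the RSAT ActiveDirectory module and read access to the domain, and the function names Get-LockoutExposedService / Test-ServiceAccountLockedOut are chosen here.

```powershell
# Added example (not from the thread): list services that run under a user account,
# i.e. the ones an account lockout can take down, and check whether that account is
# currently locked out in AD. Built-in, virtual and managed service accounts have no
# guessable password, so the lockout policy does not apply to them.
$BuiltinAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-LockoutExposedService {
    param([string]$ComputerName)   # omit for the local host; a remote host needs WinRM
    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    Get-CimInstance @cimArgs |
        Where-Object {
            $_.StartName -and
            ($BuiltinAccounts -notcontains $_.StartName) -and   # comparison is case-insensitive
            ($_.StartName -notlike 'NT SERVICE\*') -and         # virtual service accounts
            ($_.StartName -notlike '*$')                        # (group) managed service accounts
        } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Test-ServiceAccountLockedOut {
    # Returns $true/$false for a domain account, $null for local accounts or a failed lookup.
    param([Parameter(Mandatory)][string]$StartName)
    if ($StartName -like '.\*' -or $StartName -like "$env:COMPUTERNAME\*") { return $null }
    try {
        if ($StartName -match '\\') {
            # 'DOMAIN\user' -> look up by sAMAccountName
            $user = Get-ADUser -Identity $StartName.Split('\')[-1] -Properties LockedOut -ErrorAction Stop
        } else {
            # 'user@domain' -> look up by UPN (Get-ADUser -Identity does not take a UPN)
            $user = Get-ADUser -Filter "UserPrincipalName -eq '$StartName'" -Properties LockedOut -ErrorAction Stop
        }
        $user.LockedOut
    }
    catch { $null }   # module missing, account not in AD, or no rights to query
}

# Report: each row is a candidate to move to Local Service / Network Service, or at
# least to monitor, because a lockout of its account stops the service.
Get-LockoutExposedService |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName LockedOut `
                        -NotePropertyValue (Test-ServiceAccountLockedOut $_.StartName) -PassThru
    } |
    Format-Table Name, StartName, State, LockedOut -AutoSize
```
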
Posted by Scott Shoemaker on October 18, 2006, 5:16 pm
OK,
That is pretty much what I thought, but I appreciate the confirmation from
Steve and yourself. So, how is it that the Administrator account is not
subject to this policy?

-Scott

"Joe Richards [MVP]" wrote:

> No, you cannot set accounts to not lock. You either have the locking
> policy or you don't. Some places will create an additional domain for
> service accounts. A better solution is to use Network Service or Local
> Service instead of user IDs or, as Steve suggests, get away from using
> lockouts at all or change your use of them.
>
> If you must have lockouts, consider switching to a short lockout
> duration so that a lockout on the account doesn't completely black out
> the service. This is an attack vector as indicated by Steve.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> Scott Shoemaker wrote:
> > Hi,
> > We have a domain policy which dictates that locked accounts stay locked
> > until they are unlocked. Last week, a domain account that is used to run a
> > service got locked and brought an application down. So, is there any way to
> > specify on an individual account that it should not be locked? As a follow
> > on question, how is this accomplished on the Administrator account?
> >
> > Thanks,
> > Scott
>
