THE OFFICIAL BLOG OF THE SBS DIVA

My $0.02 - I think the real crux of the suggestions was that a better password gives you more security than an "account lockout" protected worse password.

Even in Small Server land, if you get someone hooking up a laptop to your network (or worse, just roaming within range of your unprotected access point) and the laptop has Gaobot or Agobot or whatever other malware that tries a password attack, you'll quickly find accounts locked out (check out the description of what they do here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EGEN&VSect=T
)...

Maybe the cost of undoing a lockout isn't so great, but a good password policy (strong passwords, reasonable rotation schedule) trumps the protection afforded by lockouts, for my money.

(Maybe add WPA-PSK (or even WEP) to avoid the casual wireless network walk-in problem)

Hello Susan (and Tristank),
I think there's a bit of misunderstanding what Dr J and Steve were referring to.

I believe that that the DoS they are talking about is when the machine takes itself and <all> its functionality offline for a period of time, not just a specific account.

So, from their perspective the lesser of evils is to avoid a DoS since it could be a severe incident and this could have a severe impact on both large and small networks.

Beyond that, I would agree with you but for different reasons... IMO the downside of experiencing a DoS is hardly comparable to risking Security Compromise. A DoS would be hard to ignore and if it happens, you should be fixing the source of the DoS, not permitting a cracking attack to continue.

Naturally, there are exceptions to what I opine, ie. If the network is critically important to systems and people so that you absolutely need at least 5 nines QoS.

I also missed any reference they may have made to a website but if they did I also don't think they were likely talking about web servers and related services specifically, they would probably have been making a point about <any> perimeter servers.

BTW Tristank... Be aware that WEP is thoroughly busted regarding security and WPA-PSK is under a cloud (Since the key never changes and is used for <all> validated sessions, it's thought to be easily decoded). Implement 802.1x with RADIUS for security currently thought to be unbreakable. Some implementations will even change certificates/encoding every few minutes while you're connected.

Tony

Hello Susan,
I got to thinking that I could be wrong and not yourself regarding the Account Lockout policy so I did some testing and researching...

And, my face is red.

My concept of a "Machine Lockout" rather than an "Account Lockout" is wrong.

But, it still doesn't change my opinion about whether a DoS should be avoided in favor of permitting unrestricted cracking...

Tony

Tony - I was covering methods of preventing "accidental" lockouts by having an unsecured access point and an infected client simply roaming within range.

If you have a crappy password (even a 5 character one) as your WEP key, it's still better than allowing anyone walking past onto the network without even guessing at it!

If your threat scenario is a dedicated attacker trying to hit the network, the response (and the time you invest in setting up WPA w/ RADIUS and Cert Services) is different.