> I can understand why someone might want to be able to lock out the administrator account, but isn't it a potential DoS if I can lock out EVERY account in the domain?

Any account lockout policy opens you to a potential DoS, Administrator account being included or not.

Example: one of my credit card companies implements a three-attempt lockout policy for the web interface they provide for customers to manage their CC accounts. I have a LOT of logins and a lot of passwords, and I don't always remember the correct combination for every site I hit, especially those I use infrequently. I've only used that CC company's web UI three times due to the fact that they have what I consider to be a ridiculous lockout policy that I've been hit by every time I've used their web site. If your account gets locked out on this particular site, you have to call customer service and sit on hold for eons, then get somebody to reset your password, log in using it, change your password (and their history requirements mean that you can't even reset it to what you thought was your password for that account, because the history is so long that you're likely to try to use one that you had, at some point, actually used for the account) and then do your thing. This whole process infuriates me because I think it's ridiculous that they have a policy that restrictive in place, so I don't use their web UI, and I don't use that credit card, either, because I'm tired of the B.S. involved with their lockout policy and it preventing me from managing my account online. Could I simply write down my user credentials for that site? Sure, but the problem there is that I have to remember that this site is one where I forget my credentials, then remember where I wrote down the username/password, then remember whether or not I changed it in my cheat sheet after my last lockout-and-reset, etc. Besides, I just don't like writing down my credentials. Their overly restrictive lockout policy loses them money, because even if I'm the only person who doesn't use their credit card because of this annoyance, they're still losing MY business. I don't use that credit card.

(One of these days I'll get around to cancelling it. The last time I called to do so, they gave me all kinds of goodies to try to convince me to stay, so I gave in. Next time I think of it, though, I am just going to cancel it. And I *will* be cancelling it solely because of their lockout policy and the hassles it causes me. Not because of the interest rate, credit limit, or anything else related to the actual credit card. I'll cancel it purely because I am sick and tired of having to dig up their customer service number and go through all the hold-wait-verification crap just to get them to give me a temporary password that I'm then going to spend fifteen minutes trying to change to something that I can remember, which brings me back to why I forget the stinking thing in the first place.)

My real point is this: I can go to their site and start typing in random usernames that are highly likely to be in use (jsmith, lrobinson [I *know* this one is in use because I wasn't able to choose it as my username since it's in use by somebody else already], jjones, etc.). I do this three times and I've locked out that customer. If I feel like it, I can either automate this or I can just sit there typing junk until the cows come home, and I've just denied service to every single one of those customers whose usernames I tried, and the administrator account is irrelevant in this scenario. Service has been denied. A DoS doesn't inherently mean a denial of ALL service or denial of service to ALL accounts. Whether or not you utilize an administrator account that can be locked out is, in the end, not always relevant, because as far as denying service goes, you're going to hear a lot sooner from regular users who are DoS'd than you will from some admin discovering that the Administrator account got locked out for non-interactive logons.

Yes, it can be problematic if every single account in your domain can be locked out, which is why you should implement policies that don't put you in the position where that happens. Maybe you copy the Administrator account and just require the built-in one to use smart card login (which you can do in Win2K3). Maybe you copy the Administrator account, require smart card login for that account and disable the Administrator account (which you can do in Win2K3). Maybe you look at account lockout policies and decide whether or not they're actually helping or hindering. I'm not espousing one approach over another; I'm just pointing out that each has its pros, cons and risks.

> How (besides a restart in DSR mode) could control be regained of the system? Personally I'm glad Administrator can't get locked out - I'm sure someone would have done it already.

Well, if we're dealing with minutiae, I've actually forced the built-in Administrator account to delete itself without leaving a tombstone or any way to recover it, so again, the lockout-or-not issue becomes irrelevant. I believe the mechanism that I used to cause the Administrator account to self-implode has been fixed in Win2K3 SP1, but I've not done the self-imploding-Administrator-account trick since SP1 was released and therefore can't verify this. Trust me on this, however: at least prior to SP1, I can kill your Administrator account and hose your environment regardless of whether or not you allow it to be locked out.

In answer to your question, however, if you have locked out every single account in your domain and if you require manual re-enabling of locked-out accounts, you've got a problem on your hands. Again, though, if you hadn't noticed this before every account in your domain got locked out, you either have a small domain or you have terrible auditing and review processes.

> > By the way, if you copy the Administrator account, the copied account *is* subject to account lockout policies.
>
> Which would make it subject to our rather severe 5-attempt lockout policy, enacted as the result of a SAS70 audit for the overly curious. With a couple sys admins and a very complex password, it wouldn't be too long before someone hit the limit (which is cleared once a day). I suppose the answer will be, "It depends on your particular situation..." =)

This is one of the reasons that I think there should be an administrative account (or two) that is severely restricted in its logon parameters, such as requiring smart card logon, allowing it to log on to a specific set of machines only (you can do this with a copied Administrator account, but not with the built-in one), etc. If you're going to tweak this stuff, you want to leave yourself an out (or, as the case may be, an "in") so that you can fix what you muck up accidentally or because of the side effects of regulatory stringency or whatever. :-)

I could debate this all day, but I'm even boring myself now.

Laura
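The thread's closing point is that a lockout DoS against ordinary accounts should be caught by auditing and review before it reaches every account in the domain. The script below is an added example, not code from the list or from either poster, of the review logic a defender would run over the "account locked out" audit events: it groups lockouts by the calling workstation and raises an alert when one caller locks out several distinct accounts within a short sliding window, which is exactly the guessed-username pattern described above. The event lines are constructed for this example and use a simplified, hypothetical layout; the event IDs 4740 (Vista/2008 and later) and 644 (Windows 2000/2003) are the real "account locked out" identifiers, but everything else about the record format is assumed.

```python
"""Flag bursts of account lockouts that look like a lockout-based DoS.

Added example for the mailing-list discussion; not the list's or any
product's code. Event format below is constructed and simplified.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on a Windows "account locked
# out" security event (Event ID 4740 on Vista/2008+, 644 on 2000/2003).
# The whitespace-separated key=value layout is hypothetical.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:05 4740 LOCKOUT account=jsmith caller=WS-LOBBY-01",
    "2024-05-01T09:00:09 4740 LOCKOUT account=lrobinson caller=WS-LOBBY-01",
    "2024-05-01T09:00:14 4740 LOCKOUT account=jjones caller=WS-LOBBY-01",
    "2024-05-01T09:00:20 4740 LOCKOUT account=mwilliams caller=WS-LOBBY-01",
    "2024-05-01T09:00:27 4740 LOCKOUT account=abrown caller=WS-LOBBY-01",
    # Isolated lockouts hours apart from other machines: ordinary user error.
    "2024-05-01T11:42:10 4740 LOCKOUT account=tdavis caller=WS-FINANCE-07",
    "2024-05-01T16:15:33 4740 LOCKOUT account=kmiller caller=WS-HR-02",
]

LOCKOUT_EVENT_IDS = {4740, 644}


def parse_event(line):
    """Parse one constructed audit line into a dict with typed fields."""
    ts, event_id, _kind, account_field, caller_field = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account_field.split("=", 1)[1],
        "caller": caller_field.split("=", 1)[1],
    }


def detect_lockout_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Return one alert per caller that locked out at least `threshold`
    distinct accounts inside any sliding interval of length `window`.

    A single user mistyping their own password produces repeated lockouts
    of ONE account; many DIFFERENT accounts from one caller is the pattern
    of someone feeding bad passwords to guessed usernames.
    """
    by_caller = defaultdict(list)
    for ev in (parse_event(line) for line in lines):
        if ev["event_id"] in LOCKOUT_EVENT_IDS:
            by_caller[ev["caller"]].append(ev)

    alerts = []
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append({
                    "caller": caller,
                    "accounts": sorted(accounts),
                    "first": evs[start]["time"],
                    "last": evs[end]["time"],
                })
                break  # one alert per caller is enough for review
    return alerts


if __name__ == "__main__":
    for alert in detect_lockout_bursts(SAMPLE_EVENTS):
        print(f"{alert['caller']}: {len(alert['accounts'])} accounts locked "
              f"between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['accounts'])}")
```

The window and threshold are tuned to the policy under discussion: with a 5-attempt lockout and a once-a-day reset, three distinct accounts from one source in five minutes is already far outside what a few admins mistyping a complex password would produce, so the alert fires on the first three of the five constructed events and stays quiet for the two isolated lockouts.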
