Bruce McLeod's questions -server

Bruce McLeod

Asked: 2009-05-12 22:16:33 +0800 CST

Is account lockout a denial of service attack waiting to happen?

The default behaviour of windows is to lockout an account after a number of failed authentication attempts (usually three)..

This means that with the following

net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword

You can lock out a user and potentially even take down an entire company if none of the accounts have the "This account can never be locked out" checked.

Is this security "feature" really a denial of serice attack enabler ? And should this be disabled by default.

An organisation is particularly vunerable with this to the rogue employee scenario.

Is account lockout a denial of service attack waiting to happen?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?