Security Templates.. oversight (?)



Jon

Hi,

Whilst churning through group policy looking at RUP stuff, I decided to look at the default security templates in a little more depth.

This one setting concerned me..

In the template HISECDC (meaning 'High Security Domain Controller') > account policies > account lock out policies

This has no lock out duration set by default.

Unless there is another setting which works alongside this, that I've not seen, such as 'On failed login delete user' (drastic, but makes my point!), surely this is bad!

*The following are untested assumptions*

If a malicious user starts running through a list of passwords, they will simply be blocked for '0' seconds.

Which is slightly pointless.

I've probably missed something, as I've not really looked at the problem in any depth.

Can anyone explain why, on a supposedly High Security template, this isn't set? (I'm happy to be wrong, just curious!)

(Or is it simply because they assume no one has physical access to the DC, surely that's a foolish assumption).

Jon

Jon

Jeez I was asleep yesterday, first 5 posts in a row because I'm forgetting to add points, and I just realised I've posted a win2k question in the winXP bit.

My bad, sorry!

Jon
