Big server land versus Little Server Land

On January 31, 2005, in Rants, by

There is one thing that both Dr. Jesper Johansson and Steve Riley say in a lot of presentations…they say that “Account lockout has no value”, that it will “cause a denial of service”.  And this is ONE area that I timidly disagree and say… sirs?  I think we can handle this.



  • Big server land knows that account lockouts cost $70 a help desk call.
  • Little server land says “it doesn’t happen that much and we can handle it

 



  • Big server land says “this is the number one PSS support call“
  • Little server land says… “how we set up DNS is OUR number one support issue

 



  • Big server land says that someone could do a denial of service against our website.
  • Little server land says …”uh…we recommend you don’t host a website if you want to be nice and paranoid

 



  • Big server land says it adds no additional security.
  • Little server land says …”that may be for you, but it lets us sleep better at night




I think we can handle account lockout.  What do you think?

 

4 Responses to Big server land versus Little Server Land

  1. Tristank says:

    My $0.02 – I think the real crux of the suggestions was that a better password gives you more security than an "account lockout" protected worse password.

    Even in Small Server land, if you get someone hooking up a laptop to your network (or worse, just roaming within range of your unprotected access point) and the laptop has Gaobot or Agobot or whatever other malware that tries a password attack, you’ll quickly find accounts locked out (check out the description of what they do here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EGEN&VSect=T

    )…

    Maybe the cost of undoing a lockout isn’t so great, but a good password policy (strong passwords, reasonable rotation schedule) trumps the protection afforded by lockouts, for my money.

    (Maybe add WPA-PSK (or even WEP) to avoid the casual wireless network walk-in problem)

  2. Tony Su says:

    Hello Susan (and Tristank),

    I think there’s a bit of misunderstanding what Dr J and Steve were referring to.

    I believe that that the DoS they are talking about is when the machine takes itself and <all> its functionality offline for a period of time, not just a specific account.

    So, from their perspective the lesser of evils is to avoid a DoS since it could be a severe incident and this could have a severe impact on both large and small networks.

    Beyond that, I would agree with you but for different reasons… IMO the downside of experiencing a DoS is hardly comparable to risking Security Compromise. A DoS would be hard to ignore and if it happens, you should be fixing the source of the DoS, not permitting a cracking attack to continue.

    Naturally, there are exceptions to what I opine, ie. If the network is critically important to systems and people so that you absolutely need at least 5 nines QoS.

    I also missed any reference they may have made to a website but if they did I also don’t think they were likely talking about web servers and related services specifically, they would probably have been making a point about <any> perimeter servers.

    BTW Tristank… Be aware that WEP is thoroughly busted regarding security and WPA-PSK is under a cloud (Since the key never changes and is used for <all> validated sessions, it’s thought to be easily decoded). Implement 802.1x with RADIUS for security currently thought to be unbreakable. Some implementations will even change certificates/encoding every few minutes while you’re connected.

    Tony

  3. Tony Su says:

    Hello Susan,

    I got to thinking that I could be wrong and not yourself regarding the Account Lockout policy so I did some testing and researching…

    And, my face is red.

    My concept of a "Machine Lockout" rather than an "Account Lockout" is wrong.

    But, it still doesn’t change my opinion about whether a DoS should be avoided in favor of permitting unrestricted cracking…

    Tony

  4. Tristank says:

    Tony – I was covering methods of preventing "accidental" lockouts by having an unsecured access point and an infected client simply roaming within range.

    If you have a crappy password (even a 5 character one) as your WEP key, it’s still better than allowing anyone walking past onto the network without even guessing at it!

    If your threat scenario is a dedicated attacker trying to hit the network, the response (and the time you invest in setting up WPA w/ RADIUS and Cert Services) is different.