VID 28338
Severity 20
Port 139,445
Protocol TCP
Class SMB
Detailed Description The Account Lockout Threshold is not set, or is greater than the value defined in the security policy. Without a sufficiently low threshold, an attacker can keep guessing the password of any account without the account ever being locked, so a brute force attack is likely to succeed. The account lockout threshold defines how many invalid logon attempts can be made before the account is locked for a period of time. The lockout period should not be too long, or an attacker can deliberately trigger lockouts to deny legitimate users access (a denial of service).
A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. The setting is not enabled by default. Password protected screen saver attempts do not count, as you are not really logging on.

* References:
http://www.securityfocus.com/infocus/1297
http://www.microsoft.com/technet/security/topics/issues/W2kCCSCG/W2kSCGce.asp
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/25000.asp

* Platforms Affected:
Windows Any version
Recommendation Set the Lockout After n Bad Logins value so that it equals or is less than the value in the current policy. To change the Account Lockout Threshold value:

For Windows NT:

1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.)
2. From the Policies menu, select Account to display the Account Policy dialog box.
3. Enable Account Lockout.
4. Set the Lockout After n bad logon attempts to a value that is less than or equal to the value in the current policy.
5. Click OK.

For a Windows 2000 domain:

1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy
6. Set the Account Lockout Threshold to the desired value according to your administration policy.

For a stand-alone Windows 2000 computer:

1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy
3. Set the Account Lockout Threshold to the desired value according to your administration policy.

For Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016 and 2019 computers:

1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy
3. Set the Account Lockout Threshold to the desired value according to your administration policy.
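The GUI steps above can be audited and applied from the command line as well. The following PowerShell script is an added example, not part of this advisory or of any vendor tool: it exports the effective local security policy with the built-in secedit utility, reads the LockoutBadCount value (the Account Lockout Threshold), compares it with a policy maximum, and only when asked applies the remediation with the built-in net accounts command. The $PolicyMax default of 5 is an assumed placeholder; replace it with the value from your own security policy.

```powershell
# Added example (not from the original advisory): audit and optionally set the
# local Account Lockout Threshold. Run in an elevated PowerShell session on the
# affected computer. $PolicyMax is an assumed placeholder for your policy value.
param(
    [int]$PolicyMax = 5,      # assumed policy maximum; replace with your own
    [switch]$Remediate        # change the setting only when explicitly requested
)

# 1. Export the effective local security policy (account policy area only).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
$null = secedit /export /cfg $inf /areas SECURITYPOLICY

# 2. Read LockoutBadCount from the [System Access] section of the export.
#    A value of 0 means the account is never locked out, which is the finding
#    this entry describes; a missing line is treated the same way.
$m = Select-String -Path $inf -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' | Select-Object -First 1
$current = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. Compare the current threshold with the policy maximum.
if ($current -eq 0) {
    Write-Warning "Account lockout threshold is 0 (not enabled): unlimited logon attempts are allowed."
} elseif ($current -gt $PolicyMax) {
    Write-Warning "Account lockout threshold is $current, which is above the policy maximum of $PolicyMax."
} else {
    Write-Output "Account lockout threshold is $current (policy maximum $PolicyMax): compliant."
    return
}

# 4. Remediate on request. net accounts changes the local policy only; a
#    domain member receives the threshold from the domain Group Policy instead,
#    so domain machines must be fixed in the domain policy as described above.
if ($Remediate) {
    net accounts /lockoutthreshold:$PolicyMax | Out-Null
    Write-Output "Account lockout threshold set to $PolicyMax."
}
```

Run the script without parameters to audit only; add -Remediate (and -PolicyMax with your policy value) to apply the change. Checking the exported policy rather than trusting the GUI is useful after the steps above, because a domain GPO can silently override whatever was set locally.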
Related URL CVE-1999-0582 (CVE)
Related URL 68 (ISS)