|RSS | MY PROFILE | PRIVACY|
Vol. 19, #34 - August 25, 2014 - Issue #994
This week's newsletter is all about the strongly diverging opinions within the IT pro community concerning whether to use account lockout in Active Directory environments. Should you configure account lockout? Or should you avoid it like the plague? What's the best account lockout policy to use for a given environment? We'll explore these and other issues in this week's newsletter, but first here's our obligatory Dilbert comic strip on the subject:
Well, maybe only tangentially on the subject...
From time to time we'll include links to breaking news items and other information that we feel is important for IT pros who work in Windows Server environments to be aware of. Here is the first installment of this new section which we've placed near the top of our newsletter to make sure you read them!
Mary Jo Foley (ZDNet) brings us the latest on how Microsoft TechEd is evolving:
Do you work in a large enterprise that uses Border Gateway Protocol (BGP) on your perimeter routers? Better check now if you should update your router hardware or software. From ZDNet:
A colleague pointed me to this helpful cheat sheet on Microsoft Azure Web Sites. If you use Azure Web Sites or are thinking of using them, be sure to check it out:
Will Amazon AWS collapse under its own weight? Who knew a cloud could be so heavy! Something for you to think about from Wired if you're thinking about migrating your server workloads to AWS:
Got breaking news about Windows Server, Microsoft platforms, new tools, the cloud, or anything else you think our readers might be interested in hearing about? Email us at email@example.com
In Issue #992 Troubleshooting Strategies, a reader named Paul asked:
Does any reader use the 3CX Phone System? I have been unable to configure the Vipre firewall to allow 3CX software for UDP/TCP port forwarding. If anybody has succeeded doing this, I would appreciate some help.
We published one reader's response to Paul's question in last week's Issue #993 Securing Boot Volumes and since then we've received two other responses:
I haven't used the 3CX phones myself, but I have sold and supported Vipre on 150+ computers for the past 3 years. Tell Paul to try turning off the Web Filtering part of the firewall. We have learned that it sometimes blocks applications from communicating across the network for no apparent reason. It doesn't always log what its blocking either. --Tracy
I found firewall and port settings at this address:
You might also get a port mapper and run it on the system running the 3cx software to determine what ports it's actually trying to use. --John
Ask Our Readers: WServerNews has 90,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at firstname.lastname@example.org
Last week's Issue #993 Securing Boot Volumes was all about safeguarding the boot volume of your Windows servers and workstations. A reader named Mark who works in San Diego, California, USA brought up a really good point:
Re: your secure boot recommendations. Can't the BIOS always be reset by just removing the CMOS battery temporarily? I would add BitLocker to the mix. It will usually detect a BIOS change and require the BitLocker key to proceed. If you're using a self-encrypting SSD and meet all the eDrive criteria (including UEFI):
you can get BitLocker to manage hardware encryption. I blogged about my successful test here:
Great suggestion, thanks! And great blog too.
And now on to the main topic of this week's newsletter...
Whether or not you should enforce account lockout policy in an Active Directory environment and how that policy should be configured has been a contentious issue among both sysadmins and infosec professionals. The truth of the matter is that account lockout policy has some benefits for certain environments but it can also have some drawbacks, especially when configured indiscriminately without adequate forethought.
But before we examine the pros and cons of account lockout policy, one thing is certain: if you do decide to configure account lockout policy in your environment, you also need to monitor it. So right off the bat let me recommend a couple of ways you can do this.
First, check out Netwrix Account Lockout Examiner, a freeware tool that alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can then be unlocked via the tool's console or using a mobile device. You can download Netwrix Account Lockout Examiner tool here:
Second, take a good look at Netwrix Auditor for Active Directory, an affordable change and configuration auditing solution that delivers complete visibility into who changed what, when and where across Active Directory and Group Policy. Netwrix Auditor provides monitoring, reporting and alerting on critical changes, assessment of the system configuration at any point in time and Active Directory recovery. You can learn more about Netwrix Auditor here:
Account lockout confusion
Part of the confusion surrounding account lockout policy that surfaced recently was due to some conflicting recommendations in Microsoft's own security documentation. While the Windows Server 2008 R2 version of the Microsoft Security Compliance Manager (SCM) recommended an Account Lockout Threshold policy setting of 50 logon attempts, the initial release of the Windows Server 2012 R2 version of the SCM recommended this policy setting be lowered to 5 logon attempts.
That change triggered a heated discussion among my IT pro colleagues. In case you're not clear about it, the Account Lockout Threshold policy setting is the number of failed logon attempts that trigger account lockout. If set to 0, account lockout is disabled and accounts are never locked out. There are also two other account lockout policy settings:
The issue here is that if Account Lockout Threshold is configured too low, you may see accidental account lockouts frequently occurring. The result of course will be frustrated users and overwhelmed helpdesk personnel. Then about 18 months after the SCM for Windows Server 2012 was released, Microsoft backtracked on this setting, changing their recommendation for it from 5 failed logon attempts to 10 failed logon attempts in their SCM for Windows Server 2012 R2. You can read about their reasons for doing this in this blog post:
They also provided some additional recommendations for implementing Account Lockout Policy in a separate blog post:
Note the following point from that second post:
Proactively monitor for failed logon events and have a robust response mechanism in place when password-guessing is detected.
Hence what I said earlier about the need of having a good monitoring solution in place should you decide to implement Account Lockout Policy in your environment. Of course, enterprises not only need good monitoring solutions, they also need solutions for change and configuration management, auditing, and compliance. But that's a whole other story that we'll reserve for a future issue of this newsletter.
The argument for
The main argument for implementing any form of Account Lockout Policy is when you have a high security environment. Microsoft mentioned in the second blog post above that they consulted with "the Center for Internet Security (CIS), the US National Security Agency (NSA), the US Defense Information Systems Agency (DISA) and others" before deciding upon their Account Lockout Policy recommendations in the Windows Server 2012 SCM. Those agencies are obviously paranoid about security, and so they should be. So if your organization or company has reason to be paranoid concerning its network security, then implementing Account Lockout Policy is likely the way you should go.
The argument against
On the other hand, there are many who would argue that any form of Account Lockout Policy is an invitation for a support nightmare. The argument here is that while Account Lockout Policy can help protect your network against brute force password guessing attacks, it can open up your network to denial of service (DoS) attacks. And in the views of many security professionals, the threat from (and potential damage resulting from) such DoS attacks is much greater than from possible brute force attacks occurring.
Such professionals argue that Account Lockout Policy should simply be left Disabled in all Group Policy Objects. They also point out that the security recommendations in the SCM are only recommendations, and that each organization or company should evaluate the reasonableness and applicability of these recommendations based on the needs of their own environment.
Arguing for again
Hold on, say the proponents of implementing Account Lockout Policy! Sure, if you have any Account Lockout Policy settings configured you're going to open yourself up to DoS attacks. But disabling Account Lockout Policy entirely is dangerous unless you have some other solution in place for detecting brute force password guessing attacks. Do you have an alternative in place to guard against such attacks? No? Then you better configure some level of Account Lockout Policy until you do. Will helpdesk complain loudly concerning this? Maybe yes, but they're the helpdesk--they should just shut up and do what they're told.
Arguing against [and for] again
Wait a minute there. We use smartcards for logging on to our network. We don't use passwords. Do we still need Account Lockout Policy? Of course not.
[OK point taken, say the proponents of Account Lockout Policy.]
And us, we don't use smartcards but we do require that users use 30 character passphrases for logging on to the network. So realistically, we don't need Account Lockout Policy either and we leave it disabled.
[That's a greatttttttttttttttttttttttttt solution and I'm sure it works really well for you. /sarcasm]
Then there are those stupid applications that when they can't log on to the network they keep trying, trying, trying...until the user's account is locked out. Disabling Account Lockout Problem prevents such annoyances from happening.
[That's a workaround, not a solution. The solution is to fix the application, not disable Account Lockout Policy. What you can do is start with a high value for Account Lockout Threshold and gradually reduce it until the problem appears with a certain application. Then complain to the vendor that they need to fix their application asap.]
Yeah, as if I have time for that. What world do you live in? /sarcasm
[Just enable Account Lockout Policy and don't configure your Account Lockout Threshold too low. Around 10 or so should be good for most environments, not to many lockouts so not too much flak from helpdesk...]
Sure, and when one of my application goes bonkers, we open an incident with Microsoft Support Services and the bills start to rake up. I'd rather leave Account Lockout Disabled and keep my money, thank you very much.
[Fine with me.]
And so on...
I wish I knew the answer as to to whether it's better to configure or disable Account Lockout Policy. What do you our readers think about this? Share your thoughts, opinions, and stories with us by emailing us at email@example.com
I recently came across the following suggestion by Guillaume Ross on his BinaryFactory blog:
I highly recommend at least forcing the manual entry of a MAC address before even allowing PXE boot.
Guillaume's post was in response to an incident where a System Center Configuration Manager server accidentally wiped and reformatted a bunch of PCs and servers at a university. He goes on to say:
[I highly recommend that you also] consider SCCM servers as weapons of mass destruction.
The point here is that while automation can make the life of an IT pro easy, it can also make it hell if something goes wrong. So beware.
You can Guillaume's blog post here:
BTW Guillaume lives and works in Montreal which is my hands-down favorite Canadian city. If you like sushi, go check out Takara Japanese Restaurant next time you're in Montreal and watch master head chef Mr. Shinji Hashiguchi at work, he's amazing!
GOT TIPS you'd like to share with other readers? Email us at firstname.lastname@example.org
This week we list some must-have books on Windows deployment every IT pro should have on their bookshelf:
Deployment Fundamentals, Vol. 1: Migrating to Windows 7 using MDT 2010 Lite Touch and WDS
Deployment Fundamentals, Vol. 2: Deploying Physical and Virtual Servers Using MDT 2010 and SCVMM 2008 R2:
Deployment Fundamentals, Vol. 3: Deploying Windows 7 Using System Center Configuration Manager 2007:
Deployment Fundamentals, Vol. 4: Deploying Windows 8 and Office 2013 Using MDT 2012 Update 1:
System Center 2012 Configuration Manager SP1: Mastering the Fundamentals, 2nd Edition:
System Center 2012 R2 Configuration Manager: Mastering the Fundamentals, 3rd Edition:
Mastering System Center 2012 R2 Configuration Manager:
Two announcements from the Microsoft Virtual Academy:
August 26: Getting the Most out of Your Office 365 Trial
IT Pros who are thinking about taking a look at Office 365 but who are not sure where to begin can walk through key scenarios and get hands-on experience in this free course. Experts take you through initial sign-up for the free trial and then explore basic setup and configuration of Microsoft Exchange, Lync, and SharePoint. Finish with a complete Office 365 trial tenant. Register today!
August 27: Building Responsive UI with Bootstrap
If you want to easily create webpages that work cross-platform and that scale well to different screen sizes, join the experts on August 27, for "Building Responsive UI with Bootstrap," as they explore this popular framework that makes it easy for all skill levels to create rich UIs for users, regardless of device. Register today!
The legendary cellist Pablo Casals was asked why he continued to practice at age 90. "Because I think I'm making progress," he replied.
--Found on the Facebook page of Charles Poliquin who is recognized as one of the World's most successful strength coaches:
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at email@example.com and we’ll try to troubleshoot things from our end.
Check free lockout examiner tool that alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes.
Don’t be surprised when your servers fail. Monitor, manage & resolve with SolarWinds® Server & Application Monitor - includes support for multi-vendor environments, 150+ applications, & much more.
Free tool for real-time Hyper-V performance monitoring - Veeam Task Manager for Hyper-V is a portable performance monitoring tool that’s free. Download now.
Do It Again is a free, simple program that allows you to make your computer automatically perform a task for you, whenever you want:
The KS-BTA100 works with many 2011 JVC in-dash receivers to add functional Bluetooth capability:
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact firstname.lastname@example.org
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact email@example.com
Dropbox Expands Feature Set to Lure (Paid) Business Accounts (Data Center Knowledge)
Microsoft is now the number two in the cloud (4sysops)
Microsoft IT deploys Work Folders as an Enterprise Client Data Management Solution (Microsoft Download Center)
How to Report a Potential Vulnerability in Dell Products (Dell TechCenter Blog)
Windows Server 2012 R2 Migration (Dell TechCenter Blog)
Forgot the domain admin password? (4sysops)
Securing Your Lync Server (Part 1) (WindowSecurity.com)
Microsoft Rights Management service (RMS) whitepapers (Microsoft Download Center)
E-mail Forensics in a Corporate Exchange Environment (Part 1)
PowerShell Essentials (Part 1)
Pass-The-Hash: Protect Your Windows Computers! (Part 3)
Deep Dive into Hyper-V Network Virtualization (Part 3)
Since Microsoft Azure is notoriously difficult to manage, there are more management tools than ever before, making choosing the right tool for you increasingly complex. Find out more about your options inside and look at Microsoft’s new management tools and strategies.
VMware Horizon 6 with View has tons of new features and improvements, including an app remoting feature, two kinds of hardware graphics acceleration and much more. Unfortunately, despite its many new features, VMware Horizon 6 with View is still lacking, and has even done away with some popular capabilities. Find out more inside.
When it comes to Generation 2 virtual machines, there is no one clear answer for whether you should use it or not, but there are plenty of considerations to take into account before you decide. Start weighing some of the pros (performance improvement) against some of the cons (limited legacy system support), and see if Generation 2 is right for you, today.
Access an exclusive report that features a breakdown of recent real-world desktop virtualization projects from IT managers across various industries and company sizes by joining our new IT Solutions Advisor Community. Simply complete this brief virtual desktop project spec sheet today.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at firstname.lastname@example.org
How Japanese drivers say 'Thank You' when you do something nice for them:
A funny compilation about animals - dogs, goats, cats, parrots - making funny sounds and noises:
The story of a man who proposes a wager as an opportunity to challenge himself to create an original performance in order to win a money-can’t-buy experience:
Elvis plays 'Unchained Melody' for the first time live before the albums release at the Pershing Municipal Auditorium, Lincoln, Nebraska, June 20, 1977:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.