IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
invalid log-on attempts which lead to the lockout of the account, should be set
to a figure between 3 and 10. The option "Reset count after", which specifies
the maximum number of minutes (1 to 99999) between two invalid log-on
attempts, should be set at approximately half an hour. If, for example, for
"Lockout after" the figure 5 and for " Reset count after " the figure 30 is
specified, a lockout occurs after 5 invalid log-on attempts made within a
timeslot of 29 minutes.
In general, by activating the option "Forever" it should be stipulated that
lockout remains active until an administrator cancels it. Should this place too
heavy a burden on the administrators, a suitable figure can also be specified
as "Lockout duration", so that account lockout is only maintained for a limited
period. If it is intended to investigate the causes of account lockout directly, a
sufficiently long time interval, e.g. 1,440 minutes (1 day) should be specified,
otherwise a figure of approximately 30 minutes should be chosen.
In order to avoid complete locking of the system (see S 4.55 Secure
Installation of Windows NT), it should be noted that the pre-defined
administrator account is not included in this automatic lockout..
The option "User must log on in order to change password" should not be
activated. Together with the setting "User must change password on next log
on" this would lead to new users having no access to the system.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000