When designing the account lockout policy, follow these CCNA certification(http://certtopper) guidelines:Set account lockout duration to a few
minutes. This does prevent casual attacks, and
if auditing is set and properly reviewed, it can warn that an attack is underway. It also avoids the load on administrator time and the lost user
productivity if users who lock out of their accounts must wait for them to be reset by someone else.
Consider whether you have enough staff to attend to manually resetting accounts.Set account lockout threshold high. If users make a few mistakes, they will
not be locked. A good number is 25 because it's probably way beyond any number of
attempts a valid user will make before asking for his password to be reset. However, it will stop an intruder, who will need many more attempts than that.
Alternatives to Password-Based Authentication Because password-based authentication is subject to many human weaknesses, you must be aware of and ready to
recommend alternatives to password authentication. Many alternatives exist that provide the opportunity to require two factors: something the user must
possess and something the user must know. Alternatives consist of:Smart cards—Smart card support is built into Windows Server 2003- It replaces the
use of passwords with a plastic card and a personal identification number (PIN) and requires the implementation of certificate services. Smart card usage can
be configured to require logoff when removed—thus preventing it from being shared—and if users need the card elsewhere, they can ensure logoff when users
leave their computers. Smart cards can be used in remote scenarios as well. Smart cards can also provide the solution for when specific groups require
stronger authentication—smartcards can be used by administrators, while ordinary users continue to Microsoft exam(http://upcert) use passwords.
Biometrics—Biometric authentication systems use some part of the human body to prove that the individual requesting access is who he or she claims to be.
Facial or voice recognition, keyboard stroke analysis, fingerprints, retinal scans, hand geometry, and more are being successfully used.Tokens—RSA tokens,
which provide a changing number synchronized with a server, provide a solid alternative to passwords. Other token systems, store certificates on small
universal serial bus (USB) connectable devices.Alternatives to passwords can be used to strengthen authentication practices, but their cost must be weighed
against their benefits.
Practice: Designing a Strong Password and Account Policy
In this practice, you will design a strong password and account policy. Read the following scenario and then answer the question that follows. If you are
unable to answer the question, review the lesson materials and try the question again. You can find the answer to the question in the "Questions and Answers"
section at the end of this chapter.
Scenario
You are a security designer for Wingtip Toys. The company plans to implement a sep¬arate Windows Server 2003 domain for use by the research department. The
only indi¬viduals who will have access to resources in the domain are:
25 toy designers
35 research department support staff employees
members of the Enterprise Admins group
All computers in the research domain are either Windows Server 2003 or MCITP Enterprise Administrator(http://certtopper). It is crucial that the
information in the research domain be kept confidential.