Helpful Hints
An account can be unlocked in one of two ways once it has been locked out by Intruder Detection:
- An administrator can manually unlock the account in ConsoleOne by going to the User properties of the locked-out account.
- The account will automatically unlock after the "Lock account after detection" time period has expired.
Additional Security Precautions
The following additional security precautions should be taken to provide the best protection of your network and resources:
- DON'T disclose the details of the Intruder Lockout configuration to anyone. Doing so could enable someone to "beat the system" by guessing within the given parameters.
- DO rename the ADMIN account, and move it to a location in the tree known only to administrators. Set a filter on the container so it cannot be found by snoopers. Use this admin account only when needed, and not for daily administration.
For example, if a regular administrator account somehow gets locked, the hidden "admin" account can then be used to log in and unlock it. The point is that you don't want an idiot with a bad attitude to intentionally lock out all user accounts and cripple the network. You need a way to get control back.
Rules of Thumb
You need to maintain a good balance between security,
control, and maintenance. On one hand, you need the system to be
secure. But you don't want to spend all day resetting user accounts
either. Follow these guidelines based on the needs of your company:
Intruder Lockout Attempts
Don't set the "Intruder Lockout Attempts" too low or too high. It is common for legitimate users to mistype their passwords, so if it is set too low, people will get locked out frequently and require assistance. If it is set too high, the intruder will have more chances to guess the password.
Lock Account After Detection
Don't set the "lock account after detection" time too high or too low. You may want the account to unlock automatically after an hour or so. But you might also want to require the account to be unlocked by an administrator. If this is the case, set it for several days, and the user will be forced to call the administrator if they want to regain access.
Intruder Attempt Reset Interval
Don't set the "Intruder attempt reset interval" too high or too low. Realize that most attempts at unauthorized access occur within a few minutes of each other. If this setting is too low, the count of bad attempts clears between an intruder's tries and the lockout may never trigger. If this setting is too high, over time the incorrect logins of legitimate users will accumulate and may lock the account for no apparent reason.
Lock Account After Detection, and Time Settings
Always enable this setting; otherwise the whole intruder detection process is useless. Additionally, lock the account out for a time period long enough that the intruder will go elsewhere.
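As an added worked example (not eDirectory or ConsoleOne code), the following Python model applies the three settings discussed above to a stream of login attempts and shows how a reset interval set far too high turns a legitimate user's occasional mistypes into a lockout. The user names, the one-mistype-per-day scenario and the assumption that a good login does not clear the bad-attempt count are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class IntruderPolicy:
    lockout_attempts: int      # "Intruder Lockout Attempts": bad logins before detection
    reset_interval: int        # "Intruder attempt reset interval", seconds: counting window
    lock_duration: int         # "Lock account after detection" time, seconds: auto-unlock delay
    lock_enabled: bool = True  # "Lock Account After Detection"

@dataclass
class AccountState:
    failures: int = 0
    window_start: Optional[float] = None   # when the current run of bad logins began
    locked_until: Optional[float] = None

class IntruderDetector:
    """Model of the lockout rules described above (assumption: a good login does not clear the count)."""
    def __init__(self, policy: IntruderPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def login(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "LOCKED"            # still inside the lockout period
            st.locked_until = None         # period expired: automatic unlock
        if password_ok:
            return "OK"
        # A bad login only adds to the count while the reset interval has not expired.
        if st.window_start is None or now - st.window_start > self.policy.reset_interval:
            st.failures, st.window_start = 0, now
        st.failures += 1
        if st.failures < self.policy.lockout_attempts:
            return "BAD_PASSWORD"
        st.failures, st.window_start = 0, None
        if not self.policy.lock_enabled:
            return "INTRUDER_DETECTED"      # only logged: nothing stops further guessing
        st.locked_until = now + self.policy.lock_duration
        return "INTRUDER_LOCKED"

    def admin_unlock(self, user: str) -> None:
        """Manual unlock, the ConsoleOne path described above."""
        self.accounts.setdefault(user, AccountState()).locked_until = None

def mistype_scenario(reset_interval: int) -> List[str]:
    """Constructed scenario: a legitimate user mistypes once a day for five days, then logs in correctly."""
    det = IntruderDetector(IntruderPolicy(3, reset_interval, 3600))
    outcomes = [det.login("alice", False, d * 86400) for d in range(5)]
    return outcomes + [det.login("alice", True, 5 * 86400)]
```

With a 30-day reset interval the third daily mistype locks the account, while a 30-minute interval never does; the same model shows three rapid bad attempts locking an account as intended.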