Operating System - HP-UX

users don't want the account locked after unsuccessful attempts

Hanry Zhou
Super Advisor

We have an application account on one of our servers which gets audited regularly.

Because they need to run some jobs using this account, we have removed the password aging and other policies from this account. The only restriction is that the account will get locked if the number of unsuccessful login attempts reaches 10 (it used to be 3). It got locked again last week, because the maximum was reached.

Now they are asking that this restriction be removed as well.

I don't feel this is right, because this is the least responsibility they should take. From a security point of view, it is not right to remove such a policy.

How, and what, should I respond to their request?

Thanks for your input.
Ganesan R
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

Hi,

If the account is only used by some jobs/apps then there is no way the account gets locked, since you already disabled password aging and the other policies.

>>>It got locked again last week, because the maximum has been reached.<<<<

If the unsuccessful logins happen 10 times continuously, then the account will get locked. Not because of total attempts.

In some places, when you change the password, the same has to be updated on the applications also. If it is not updated on the application then the account gets locked, since the application will keep trying with the old password only. It may happen in some cases.

If the account is used by only jobs/apps then we can set this value to unlimited.
Best wishes,

Ganesh.
Solution

Re: users don't want the account locked after unsuccessful attempts

Do you have security policies or an information security team?

In these situations, if I were concerned about removing security features, I'd raise it through my management. If they still want to go ahead, we'd create a security policy exception statement and get those that requested it to sign the exception.

Then when the audit team come along you show them the exception and they go crucify the users, not you.

A bit slopey-shouldered, but it's amazing how many of these requests go away when you ask someone to sign an audit exception document - suddenly they can live with the grief of the odd password reset.

HTH

Duncan

I am an HPE Employee
TTr
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

Do you have an IT security department in your company? They should make the decision on this. You should present your case and explain in great detail what you have changed so far and what else you are being asked to change. If you don't have an IT security department, you should let management decide on this, your manager and the application/user manager. If all else fails, you should write a memo to your manager and state that this is very insecure and let him make the decision. If these users cannot log in in 10 tries, they should not be allowed to touch the keyboard.
Rita C Workman
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

Let me see, this application gets audited regularly. Good. Audits (real ones) tend to include security for the application. Login failures are the front line to protect the data sitting behind that application.
So.....here you go for your question.

How and what I should respond to their request?

>>>>NO

>>>>No, what part of No don't you understand.

>>>>Yes sir - I said No. If you as my manager/director wish to counter that security measure, please put it in an email & I will be happy to comply with that & relinquish the responsibility of security for that system.

'Cause that is part of what the job of being the Administrator includes. Standing up for what you know is the right thing. Let mgmt overrule you to cover your behind.

Just my 2 cents,
Rgrds,
Rita

Hanry Zhou
Super Advisor

Re: users don't want the account locked after unsuccessful attempts

Unfortunately, I will have to play the Admin and Management roles, as well as Security guard, although I am just an admin only.

I bet the management would finally do whatever they ask for. But I just don't feel that is the right thing to do, because this is the least they should do, and we all should do something together to make the server secure. We don't have a security team.

So, I need to write the email to them as Unix admin, management, as well as security team....
Steven Schweda
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

As usual when someone asks how to disable some valuable piece of the security apparatus, it would be nice to know the name of the company involved, so we'd know with whom _not_ to do business.

Unlimited password guessing with no warning? Brilliant.
OldSchool
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

"users" don't get to set security policies...ever.

Part of the issue is going to be what regulations (if any) are you subject to and who is doing the audits.

As noted before:
Standards should be documented.
Any deviations from the standards need to be documented as well.

If your management says to proceed, then ask for it in writing. Also consider something like a restricted shell environment, or a menu-only system for the account. It's not bulletproof, but better than nothing.
Rita C Workman
Honored Contributor

Re: users don't want the account locked after unsuccessful attempts

Hanry,

Nobody plays Admin, you are or you are not. So......tighten your belt, straighten your tie, or whatever makes you pull it together and make the decision.

If you are the Admin, then make the rule. If you are countered by someone higher, get it in writing. But until then............do the job.

Sorry if that sounded too "tuff", but it can be a tough job. Remember one thing: if some sort of security breach happens because all the security is ignored/off - guess who gets the blame for letting it happen!....Y-O-U. Guess whose job will be held responsible...Y-O-U-R-S.

Just my 2 cents,
Rgrds,
Rita

Hanry Zhou
Super Advisor

Re: users don't want the account locked after unsuccessful attempts

I have stated the reasons why the account should not be exempted from this restriction, and they accepted.

Thanks all for excellent inputs!