Security – Is account lockout a denial of service attack waiting to happen


The default behaviour of windows is to lockout an account after a number of failed authentication attempts (usually three)..

This means that with the following

net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword
net use \\targetmachine\c$ /user:targetaccount notthepassword

You can lock out a user and potentially even take down an entire company if none of the accounts have the "This account can never be locked out" checked.

Is this security "feature" really a denial of serice attack enabler ? And should this be disabled by default.

An organisation is particularly vunerable with this to the rogue employee scenario.

Best Answer

I wasn't aware that this is default behavior, and it is definitely a denial of service waiting to happen. Temporary lockout (or simple slow-down) is usually sufficient to fend off brute force attacks (There's a lot of discussion on this topic, I can remember a few StackOverflow questions dealing with this, more in the area of website logins though). Yes, they're also a potential denial of service, but only for the duration of the attack.

I don't agree completely with Dave Cheney, while you should be concerned with physical security, a disgruntled employee (more often an issue at larger companies than at smaller) and a borrowed (trusted hardware) login-screen is all it takes to lock down vital functions of the company, so I don't believe it to be sufficient.