Alert Logic® scans may, under certain conditions, cause accounts to be locked out on the scanned host. Use the following information to understand best practices for account login restrictions.
Alert Logic scanning checks for several common default credentials on a host by testing them against the host's login service. This is done to ensure you are not using one of several known-bad username and password combinations. An account that shares a name with one of those common credentials could become locked out as the scanner cycles through the candidate passwords.
Alert Logic attempts up to four passwords for each tested account name. If the number of failed password attempts allowed before lockout is set lower than that and the scanner's attempts exceed the threshold, the affected account will be locked. We only test the local accounts (root or .\administrator) for known-bad combinations; if specific applications are detected, Alert Logic may also attempt to log in to those with blank or common passwords.
Industry Best Practices
There is no industry standard for the number of password attempts before account lockout; different services and entities recommend or require a different number of attempts. You should set the lockout limit to match both your compliance mandate and the environment it is protecting. Specific recommendations include:
- The PCI DSS Prioritized Approach for requirement 3.2 states that you must “limit repeated access attempts by locking out the user ID after no more than six attempts.”
- Microsoft’s Windows Security Baselines recommend locking the account after 10 failed attempts.
- NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, recommends that you “limit consecutive failed authentication attempts on a single account to no more than 100.”
- OWASP recommends countermeasures other than account lockout against brute-force attacks, because lockout can itself be used to deny service to legitimate user accounts and can disclose which usernames exist.
Alert Logic Recommendations
Alert Logic recommends that you implement the following changes relevant to your environment to prevent account lockouts when scanning, while also providing additional protections against brute-force attacks:
- Rename the local admin account on Windows environments. Ensuring that there is no .\administrator account eliminates many common attack vectors.
- Rename the root account on Linux environments. This is often tricky, depending on the installed or running applications and the specific Linux distribution and version, but it eliminates many common attack vectors.
- Use non-standard individual or service-level accounts across the domain, with non-default account names.
If it is not possible to change account names, Alert Logic recommends that you set the lockout threshold to six failed attempts, matching the PCI DSS standard. This level of tolerance protects against brute-force attacks while also allowing vulnerability scans to run without issue.
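The following script is an added example, not Alert Logic's own tooling, that checks whether a Linux host's lockout threshold is tight enough to be tripped by the four-password credential check described above, and shows a configuration matching the six-attempt recommendation. It assumes the pam_faillock(8) configuration layout (/etc/security/faillock.conf with a "deny = N" key) used by current RHEL-, Fedora- and Debian-family systems; the sample configuration files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Alert Logic's code). Assumes pam_faillock(8) reads its
# "deny = N" threshold from a faillock.conf-style file. With no arguments it
# checks the constructed samples below; pass real file paths to check those.

SCANNER_ATTEMPTS=4    # passwords the article says are tried per account name
RECOMMENDED_DENY=6    # lockout threshold the article recommends (PCI DSS)

# Effective "deny" value of a faillock.conf. The last uncommented "deny = N"
# wins; if the key is absent, pam_faillock's compiled-in default of 3 applies.
faillock_deny() {
    val=$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo 3; fi
}

# Verdict for a threshold. deny=0 disables lockout in pam_faillock. A threshold
# at or below the scanner's attempt count means the scanner's last failed
# password leaves the account locked, so it is reported as a risk.
scan_verdict() {
    deny="$1"
    if [ "$deny" -eq 0 ]; then
        echo NO_LOCKOUT
    elif [ "$deny" -le "$SCANNER_ATTEMPTS" ]; then
        echo LOCKOUT_RISK
    else
        echo OK
    fi
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/faillock-weak.conf"
HARDENED_CONF="$SAMPLE_DIR/faillock-hardened.conf"
DEFAULT_CONF="$SAMPLE_DIR/faillock-default.conf"

cat > "$WEAK_CONF" <<'EOF'
# lockout tuned too tight: a four-password credential check locks the account
deny = 3
unlock_time = 900
EOF

cat > "$HARDENED_CONF" <<'EOF'
# lockout threshold matching the article's six-attempt recommendation
deny = 6
unlock_time = 900
even_deny_root
root_unlock_time = 900
EOF

: > "$DEFAULT_CONF"   # no deny key at all: compiled-in default of 3 applies

# Print one line per file: name, effective threshold, verdict.
report() {
    for f in "$@"; do
        d=$(faillock_deny "$f")
        printf '%s: deny=%s (recommended %s) -> %s\n' \
            "$(basename "$f")" "$d" "$RECOMMENDED_DENY" "$(scan_verdict "$d")"
    done
}

if [ $# -gt 0 ]; then report "$@"; else report "$WEAK_CONF" "$DEFAULT_CONF" "$HARDENED_CONF"; fi
```

Run it against the real file with `sh check-lockout.sh /etc/security/faillock.conf`. On a Windows host the equivalent check is the "Account lockout threshold" setting, visible in the "Lockout threshold" line of `net accounts` output.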