Alert Logic® scans, under certain conditions, may cause accounts to be locked out on the scanned host. Utilize the following information to understand best practices involving account login restrictions.
Alert Logic scanning checks for several common default credentials on a host by validating those credentials against the login service and application. These well-known default accounts and passwords are often published by the vendors, and continuing to use them puts your organization at a higher risk of attack. Alert Logic does not attempt any brute-force or dictionary guessing; it tests only the well-known passwords published by software vendors or vulnerability reference sources.
An account that shares a name with one of those common credentials may become locked out as the scanner cycles through the published passwords for that name.
If the number of password attempts before lockout is set too low and the attempts exceed that threshold, the affected account will be locked.
Industry Best Practices
There is no industry standard for the number of password attempts before account lockout; different services and entities recommend or require a different number of attempts. You should set the lockout limit to match both your compliance mandate and the environment it is protecting. Specific recommendations include:
- The PCI DSS Prioritized Approach for requirement 3.2 dictates that you must “limit repeated access attempts by locking out the user ID after no more than six attempts.”
- Microsoft’s Windows Security Baselines recommend locking the account after 10 failed attempts.
- NIST “Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management” documentation recommends that you “limit consecutive failed authentication attempts on a single account to no more than 100.”
- OWASP recommends countermeasures other than account lockout to prevent brute-force attacks, because account lockout can introduce a risk of denial of service against user accounts and of disclosure of valid user accounts.
Alert Logic Recommendations
Alert Logic recommends that you implement the following changes relevant to your environment to prevent account lockouts when scanning, while also providing additional protections against brute-force attacks:
- Rename and disable the built-in or default accounts, such as administrator, guest, root, admin, and SA on routers, firewalls, operating systems, web servers, database servers, applications, point-of-sale (POS) systems, or other components.
- Use non-standard individual or service-level accounts across the environment with non-default account names and assign appropriate privileges to those accounts.
If it is not possible to change or disable account names, Alert Logic recommends you set the number of attempts before lockout to between six and ten. This level of tolerance protects against brute-force attacks while also allowing vulnerability scans to run without issue. The threshold that you select will depend on your security and operational requirements. As with the other account lockout settings above, this value is a guideline rather than a fixed rule.
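As an added illustration (not Alert Logic tooling), the following Python script replays a constructed sshd authentication log from a default-credential check and reports which existing accounts each of the thresholds cited above (6, 10, 100) would have locked. The host name, account names and the scanner address are made up; lockout counters are applied per account, as real lockout policies do.

```python
import re
from collections import Counter

# Constructed sshd-style auth log (not real data). A scanner at 10.0.0.5 is
# trying published default passwords: "root" exists on the host, "guest" does
# not (sshd tags it "invalid user"), and svc_backup is a named service account.
SAMPLE_LOG = """\
Jan 14 10:00:01 host sshd[101]: Failed password for root from 10.0.0.5 port 40001 ssh2
Jan 14 10:00:02 host sshd[102]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jan 14 10:00:03 host sshd[103]: Failed password for root from 10.0.0.5 port 40003 ssh2
Jan 14 10:00:04 host sshd[104]: Failed password for root from 10.0.0.5 port 40004 ssh2
Jan 14 10:00:05 host sshd[105]: Failed password for root from 10.0.0.5 port 40005 ssh2
Jan 14 10:00:06 host sshd[106]: Failed password for root from 10.0.0.5 port 40006 ssh2
Jan 14 10:00:07 host sshd[107]: Failed password for root from 10.0.0.5 port 40007 ssh2
Jan 14 10:00:08 host sshd[108]: Failed password for invalid user guest from 10.0.0.5 port 40008 ssh2
Jan 14 10:00:09 host sshd[109]: Failed password for invalid user guest from 10.0.0.5 port 40009 ssh2
Jan 14 10:00:10 host sshd[110]: Failed password for svc_backup from 10.0.0.5 port 40010 ssh2
Jan 14 10:00:11 host sshd[111]: Failed password for svc_backup from 10.0.0.5 port 40011 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from ")


def failed_logins(log_text):
    """Return {account: failure_count} for accounts that exist on the host.
    Lines tagged 'invalid user' name accounts that do not exist, so they can
    never be locked out; only real accounts (e.g. a renamed-but-present root)
    carry lockout risk and are counted."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and not m.group("invalid"):
            counts[m.group("user")] += 1
    return counts


def lockout_risk(log_text, threshold):
    """Accounts whose failure count reaches the policy's lockout threshold."""
    return sorted(user for user, n in failed_logins(log_text).items() if n >= threshold)


def compare_thresholds(log_text, thresholds=(6, 10, 100)):
    """Which accounts the PCI (6), Microsoft (10) and NIST (100) thresholds
    would each have locked during this scan window."""
    return {t: lockout_risk(log_text, t) for t in thresholds}


if __name__ == "__main__":
    for t, users in compare_thresholds(SAMPLE_LOG).items():
        print(f"threshold={t:>3}: locked={users or 'none'}")
```

Running it on the sample shows the scan would lock root under a six-attempt policy but not under ten, which is the trade-off the six-to-ten recommendation above is balancing.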