70-216 - Account Lockout

Author

Account Lockout

adam salam

2003-05-06, 2:10 am

from QOD I have got this one
70216qod40
You have configured a Windows 2000 as the Remote Access Server. You have testing the connectivity from various Windows clients, like Windows 95, Windows 98 and Windows 2000. All the connections work seamlessly.
Before you announce the remote access service to users, you IT Manager would like to tighten the security by implementing account lockout. What should you do to lockout user account who fails to after three attempts?

A)Local group policy.
B)Domain security policy.
C)Registry entries.
D)Remote Access policy.

I said that is a

one and going directly to answer A: Domain security policy.

I found the answer is C : Registry entries.

with the following explanation:
----------------------------------
You can use the account lockout feature to specify how many times an remote access authentication fails against a valid user account before the user is denied access. Account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. Malicious users on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the malicious user sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.
To enable account lockout, you must set the MaxDenials value entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out. You set the MaxDenials value entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\Curr
entControlSet\Services\RemoteA
ccess\Parameters\AccountLockou
t
By default, MaxDenials is set to 0, which means that account lockout is disabled.
To modify the amount of time before the failed attempts counter is reset, you must set the ResetTime (mins) value entry in the registry to the required number of minutes. You set the ResetTime (mins) value entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\Curr
entControlSet\Services\RemoteA
ccess\Parameters\AccountLockou
t
By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).
-----------------------------------
I couldn't understand that.

normally when we like to implementing account lockout we use GP through Account Lockout Policy
what do you think, what i have been messing here?

thank you

B4yaman3

2003-05-06, 7:42 am

I found that one controversial to, because editing the registry is the last resort for administrator. But like the explanation said the account lockout is for Remote Access so I guess that's why the answer is right.

adam salam

2003-05-06, 2:16 pm

quote:
Originally posted by B4yaman3
I found that one controversial to, because editing the registry is the last resort for administrator. But like the explanation said the account lockout is for Remote Access so I guess that's why the answer is right.

Even if it is a Remote access account, I didn't go through editing the registry before trying GP, yes you can edit the registry to configure any thing in windows but the best administrative efforts is to keep that as the last point.

me? I dunno...

2003-05-06, 3:30 pm

What, so there can be different lockout policies for the same account depending on whether they are trying to log on locally or via ras?

bbraunstein

2003-05-06, 5:58 pm

That's a tough one, i guess it is almost impossible to get a question like that right unless you get lucky.

Sometimes, even if you study hard and do your lab work you still may not get the all 100% right....but you will know your stuff. Ultimately, that is the most important.

In the end, the certification is just one part of the puzzle. Gotta make sure you balance it out with plenty of experience too!!!

BB

Sponsored Links