Subject: Re: Account lockups follow-up
From: David LeBlanc (dleblancMINDSPRING.COM)
Date: Thu Jun 08 2000 - 12:07:09 CDT


At 05:39 PM 6/7/00 -0400, Ed Warfield wrote:
>Thanks to everyone for the responses. I got over 60 and followed the
>recommended steps. I checked the security logs on each of my servers and
>found that one server had locked out all the accounts because it had
>received incorrect passwords over the maximum allowed number of 3. Each
>entry in the log referenced the same workstation ID, and the attempts were 1
>to 3 seconds apart. The workstation ID belonged to an internal employee;
>this employee ran a program called ISS (as Wayne Maples had predicted).
>Thanks for all the feedback and for helping me get an answer and a culprit to
>give to my boss.

A few comments here - although I'm no longer with ISS, I wrote the code in
that section of the scanner, and know its behavior. There are also certain
best practices that ought to be followed, or you can run into much worse
problems than this.

First, ANYONE running a security scanner MUST notify ops before starting,
especially the first couple of times it is run. Occasionally, bad things
will happen to the scanned hosts, and if ops doesn't know what caused it,
the mayhem will be worse. If ops doesn't know to alert the person running
the scanner, they'll do it again next time. I can tell numerous stories
about people who have failed to do this.

Secondly, a lockout count of 3 is too low in my book - there are a number
of very benign situations that can cause a lockout at that threshold.

David LeBlanc
dleblancmindspring.com
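The log review Ed describes (one workstation ID, attempts 1 to 3 seconds apart, every account pushed over a threshold of 3) and David's point about the threshold can both be checked against a log programmatically. The script below is an added example, not code from either poster or from ISS; it assumes a simplified, constructed log format rather than the real NT security event log, and the workstation names and accounts are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed-logon audit entries (timestamp, account, workstation).
# Not real data: it mimics the thread's pattern, one workstation ("WS-SCAN") trying
# each account a few times, 1-3 seconds apart, plus one user mistyping twice.
SAMPLE_LOG = """\
2000-06-07 09:00:01 FAIL alice WS-SCAN
2000-06-07 09:00:03 FAIL alice WS-SCAN
2000-06-07 09:00:04 FAIL alice WS-SCAN
2000-06-07 09:00:06 FAIL bob WS-SCAN
2000-06-07 09:00:08 FAIL bob WS-SCAN
2000-06-07 09:00:10 FAIL bob WS-SCAN
2000-06-07 09:00:12 FAIL carol WS-SCAN
2000-06-07 09:00:14 FAIL carol WS-SCAN
2000-06-07 09:15:00 FAIL dave WS-ACCT7
2000-06-07 09:15:20 FAIL dave WS-ACCT7
"""

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS RESULT account workstation' lines into tuples."""
    events = []
    for line in text.splitlines():
        date, time, result, account, workstation = line.split()
        if result == "FAIL":
            events.append((datetime.fromisoformat(f"{date} {time}"), account, workstation))
    return events

def locked_accounts(events, threshold):
    """Accounts whose failure count reaches the lockout threshold (sorted)."""
    counts = defaultdict(int)
    for _, account, _ in events:
        counts[account] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)

def suspicious_workstations(events, min_accounts=3, max_gap_seconds=5):
    """Flag workstations that fail against several accounts in quick succession,
    the signature of one automated source (e.g. a scanner) rather than typos."""
    by_ws = defaultdict(list)
    for ts, account, ws in events:
        by_ws[ws].append((ts, account))
    flagged = {}
    for ws, attempts in by_ws.items():
        attempts.sort()
        accounts = {a for _, a in attempts}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        if len(accounts) >= min_accounts and gaps and max(gaps) <= max_gap_seconds:
            flagged[ws] = {"accounts": sorted(accounts), "max_gap": max(gaps)}
    return flagged
```

Running `locked_accounts` at thresholds 3 and 5 on the same sample shows how a low threshold turns a brief scan, or a couple of typos, into a lockout, while `suspicious_workstations` pins the burst to its single source the way Ed's log review did.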