mailing list archives
Re: Logon Failure Compliance
From: krymson () gmail com
Date: 11 Dec 2007 17:19:16 -0000
If I may ask, what is the policy statement these managers are supposed to be complying with?
Getting someone (management) to care about various technical events is maybe our hardest challenge, and part of the
balance between security and usability (or security energy vs energy spent on their actual job duties). You can track
these things, and let them know that John Doe had 7 logon failures in a row, but I would bet most people just don't
care. And you can't necessarily make them care.
1) Put your issues into a ticket tracking system. This way you'll have logged the incidents, and if they don't respond
or do anything, you'll at least CYA.
2) Force users to request support if they lock themselves out due to logon failures, by not expiring the lockouts. This
forces a ticket to be opened, pretty much, and allows you to explain the needs/causes as you or your staff unlock the
3) Keep track in your recording or tickets what account was failing and the IP/system that was trying to log into the
account. If you have DHCP in your network, as soon as possible verify the system with that IP at that moment. If I (do
or try to) log into John Doe's account from my machine, that should be a red flag, depending on your security policies.
If this happens for a few days every 60 days, this might indicate an employee is using someone else's account and
doesn't yet have the newly changed password...of course, it might just mean someone is putting in their old one!
<- snip ->
Im looking for how others monitor and follow up on domain account logon failures.
The reason being, I'd think there has to be a better way of doing it than what we currently have in place.
I have the reporting part together, but its the tracking, manager follow up, and keeping on the management when they
dont follow up that is causing problems.
I invite ideas from everyone, even software vendors out there, this is a mess!