HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\
In the right pane, locate the entry named <DomainName:UserName> that corresponds to the
locked-out user, and delete it. The user can then authenticate again without waiting for the
reset interval to expire.
Using VBScript
You can create (enable) a remote access lockout policy by running the following script. In this
script, we configure the remote access server named RRAS1 to lock an account after five
failed authentication attempts and to reset the failed-attempt counter (unlocking the account)
after 60 minutes.
' This code configures the account lockout threshold and
' lockout duration for a remote access server
' ------ SCRIPT CONFIGURATION ------
strComputer = "RRAS1"          ' RRAS server to configure
dMaxDenials = 5                ' failed attempts before lockout (0 disables lockout)
dLockoutDuration = 60          ' minutes until the failed-attempt counter is reset
' ------ END CONFIGURATION ---------
Const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = _
    "SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' Make sure the key exists before writing to it (CreateKey is harmless if it already does)
objReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
' Both values are REG_DWORD, so write them with SetDWORDValue and numeric data
dValueName = "MaxDenials"
If objReg.SetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, dValueName, dMaxDenials) <> 0 Then
    WScript.Echo "Failed to set " & dValueName
    WScript.Quit 1
End If
dValueName = "Reset Time(mins)"
If objReg.SetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, dValueName, dLockoutDuration) <> 0 Then
    WScript.Echo "Failed to set " & dValueName
    WScript.Quit 1
End If
WScript.Echo "Values set"
How It Works
Configuring an account and an RRAS lockout policy is part of any solid security implementation.
If your server is connected to or accessible from the Internet, you can safely assume that
it will be a target for unauthorized users, whether the targeting is aimed specifically at your
organization or you are simply the victim of scanning tools that automatically sweep
entire subnets looking for vulnerable systems.
Whatever the case, you should decide on account lockout limits that do not negatively
impact your business operations yet keep you reasonably secure from password-guessing
tools, disgruntled employees, and malicious hackers. For example, a policy that locks out a user
after only one failed attempt might seem to secure your system, but it would be counterproductive
for your company: any user who mistypes a password would be locked out, would have to ask an
administrator to unlock the account, and only then could reattempt the logon (hopefully
successfully) and finally get to work.
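The two tasks above, checking what lockout policy a server actually enforces and unlocking a user by removing the per-user entry, are shown below as an added PowerShell example. It is not code from the book and makes the following assumptions: the value names MaxDenials and "Reset Time(mins)" and the DomainName:UserName entry names are as the page describes; because the per-user entry may be stored as a registry value or as a subkey, the script checks both. It runs on the RRAS server itself, or inside Invoke-Command against a remote server such as RRAS1.

```powershell
# Added example (not the book's code): audit the RRAS remote access lockout
# policy, list accounts currently locked out, and unlock one by removing its
# DomainName:UserName entry, as the page describes.
# Run on the RRAS server itself, or wrap the calls in
#   Invoke-Command -ComputerName RRAS1 -ScriptBlock { ... }
# Assumptions: value names MaxDenials and "Reset Time(mins)" as on the page;
# the per-user entry may be a value or a subkey, so both forms are checked.

$LockoutKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$EntryPattern = '^[^:\\]+:[^:\\]+$'   # DomainName:UserName

function Get-RrasLockoutPolicy {
    if (-not (Test-Path -LiteralPath $LockoutKey)) {
        throw "Lockout key not found: $LockoutKey (is RRAS installed?)"
    }
    $props = Get-ItemProperty -LiteralPath $LockoutKey
    # A missing MaxDenials reads as 0, which is the default (lockout disabled)
    $maxDenials = [int]$props.MaxDenials
    $resetMins  = [int]$props.'Reset Time(mins)'
    $assessment = switch ($maxDenials) {
        0       { 'Lockout disabled: password guessing is not throttled' }
        1       { 'Too strict: a single mistyped password locks the account' }
        default { "Lockout after $maxDenials failures, counter reset after $resetMins min" }
    }
    [pscustomobject]@{
        MaxDenials   = $maxDenials
        ResetMinutes = $resetMins
        Assessment   = $assessment
    }
}

function Get-RrasLockedOutAccounts {
    # Entries named DomainName:UserName under the lockout key are locked-out users
    $key = Get-Item -LiteralPath $LockoutKey
    $fromValues = @($key.GetValueNames()  | Where-Object { $_ -match $EntryPattern })
    $fromKeys   = @($key.GetSubKeyNames() | Where-Object { $_ -match $EntryPattern })
    ($fromValues + $fromKeys) | Sort-Object -Unique
}

function Unlock-RrasAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP:jsmith' (constructed sample)
    if ($Account -notmatch $EntryPattern) {
        throw "Expected DomainName:UserName, got '$Account'"
    }
    $key = Get-Item -LiteralPath $LockoutKey
    if ($key.GetValueNames() -contains $Account) {
        Remove-ItemProperty -LiteralPath $LockoutKey -Name $Account
    } elseif ($key.GetSubKeyNames() -contains $Account) {
        Remove-Item -LiteralPath "$LockoutKey\$Account" -Recurse
    } else {
        Write-Warning "$Account is not currently locked out"
        return $false
    }
    return $true
}

# Usage (requires local administrator rights on the RRAS server):
Get-RrasLockoutPolicy | Format-List
Get-RrasLockedOutAccounts
# Unlock-RrasAccount -Account 'CORP:jsmith'   # replace with the locked-out user's entry name
```

Get-RrasLockoutPolicy is the check to run after the VBScript above: it reads back both values and flags the two settings the "How It Works" text warns about, a MaxDenials of 0 (no lockout at all) and a MaxDenials of 1 (every typo locks the account). Unlock-RrasAccount validates the entry name before touching the registry so that a malformed argument cannot remove MaxDenials or "Reset Time(mins)" by mistake.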