
ECLO-1 Logon


Overview

Successive logon attempts are controlled using one or more of the following:
  · Access is denied after multiple unsuccessful logon attempts.
  · The number of access attempts in a given period is limited.
  · A time-delay control system is employed.
If the system allows multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions.

MAC / CONF: SENSITIVE
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without a proper account lockout policy in place, an unauthorized user can make an unlimited number of logon attempts (for example, password guessing against a known user ID) without the system administrator noticing. This implementation guide helps system administrators implement an account lockout policy and limit the number of concurrent logon sessions for each user ID.

Guidance
1. The system administrator shall configure the account policy of the operating system, database, and/or application that authenticates users to the system. For example, on a Windows operating system the Account Lockout Policy (User Manager on Windows NT; Local Security Policy or Group Policy on later versions) can be set as follows:
  · Account lockout duration: 0 (the account remains locked until an administrator unlocks it)
  · Account lockout threshold: 3 invalid logon attempts
  · Reset account lockout counter after: 60 minutes
  A threshold this low combined with a duration of 0 also lets an attacker who knows valid user IDs lock those accounts out deliberately, so the administrator must have an unlock procedure in place and should watch for bursts of lockouts across many accounts.
2. To limit the number of simultaneous logon sessions for the same user ID:
  a. If the system software (e.g., Novell NetWare) provides the capability of restricting the number of concurrent logon sessions, the system administrator shall configure the feature to a small limit (e.g., one or two).
  b. If the system software does not provide this capability, the system administrator shall use an approved method (e.g., scripts) that restricts simultaneous logon sessions for the same user ID. Otherwise, the system administrator shall review the audit trails regularly to monitor for and detect simultaneous logons with the same user ID.
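The two review tasks above (the lockout policy in item 1 and the audit-trail review in item 2.b), as an added example that is not part of this control page or of any DISA/NSA guide: a Python script written for this rewrite that replays a constructed audit trail against the page's example policy values (threshold 3, reset window 60 minutes, duration 0) and flags user IDs that should have locked, successful logons that occur while an account should still be locked (the policy is not actually being enforced), and user IDs holding more simultaneous sessions than allowed. The record format (`timestamp,event,user,source`), the sample log lines and the function names are all constructed for the example; a real Windows Security log, syslog stream or database audit table needs its own parser feeding the same record tuples.

```python
"""ECLO-1 audit-trail review (added example, not part of the control page).

Record format is a constructed, simplified one:
    timestamp,event,user,source
with event in {LOGON_SUCCESS, LOGON_FAILURE, LOGOFF}.  A real deployment
would replace parse_audit_trail() with a parser for its platform's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data).  jdoe fails three times in
# 40 seconds and then logs on anyway; asmith fails three times 65 minutes
# apart (outside the 60-minute reset window) and later holds two sessions.
SAMPLE_AUDIT_TRAIL = """\
2004-12-10T08:00:00,LOGON_FAILURE,jdoe,10.1.1.5
2004-12-10T08:00:20,LOGON_FAILURE,jdoe,10.1.1.5
2004-12-10T08:00:40,LOGON_FAILURE,jdoe,10.1.1.5
2004-12-10T08:01:00,LOGON_SUCCESS,jdoe,10.1.1.5
2004-12-10T08:05:00,LOGON_FAILURE,asmith,10.1.1.9
2004-12-10T09:10:00,LOGON_FAILURE,asmith,10.1.1.9
2004-12-10T10:15:00,LOGON_FAILURE,asmith,10.1.1.9
2004-12-10T10:20:00,LOGON_SUCCESS,asmith,10.1.1.9
2004-12-10T10:25:00,LOGON_SUCCESS,asmith,10.1.1.77
2004-12-10T10:30:00,LOGOFF,asmith,10.1.1.9
2004-12-10T10:35:00,LOGON_SUCCESS,asmith,10.1.1.9
"""


def parse_audit_trail(text):
    """Turn the constructed log text into (timestamp, event, user, source) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, user, source = line.split(",")
        records.append((datetime.fromisoformat(ts), event, user, source))
    return records


def failed_logon_alerts(records, threshold=3, reset_minutes=60, lockout_minutes=0):
    """Replay failed logons against the page's example lockout policy.

    threshold       -- account lockout threshold (invalid attempts)
    reset_minutes   -- 'reset account lockout counter after' window
    lockout_minutes -- account lockout duration; 0 means the account stays
                       locked until an administrator unlocks it
    Returns (user, timestamp, message) alerts: one when a user ID reaches the
    threshold, and one for every successful logon while that account should
    still be locked, which shows the lockout policy is not being enforced.
    """
    reset_window = timedelta(minutes=reset_minutes)
    state = defaultdict(lambda: {"count": 0, "last_fail": None, "locked_at": None})
    alerts = []
    for ts, event, user, source in records:
        s = state[user]
        if (s["locked_at"] is not None and lockout_minutes > 0
                and ts - s["locked_at"] >= timedelta(minutes=lockout_minutes)):
            s.update(count=0, last_fail=None, locked_at=None)  # lockout expired
        if event == "LOGON_FAILURE":
            if s["last_fail"] is not None and ts - s["last_fail"] > reset_window:
                s["count"] = 0  # reset window elapsed; counter starts over
            s["count"] += 1
            s["last_fail"] = ts
            if s["count"] >= threshold and s["locked_at"] is None:
                s["locked_at"] = ts
                alerts.append((user, ts, f"{s['count']} invalid logons within "
                               f"{reset_minutes} min from {source}; account should be locked"))
        elif event == "LOGON_SUCCESS":
            if s["locked_at"] is not None:
                alerts.append((user, ts, f"successful logon from {source} while the "
                               "account should be locked; lockout policy not enforced"))
            else:
                s["count"] = 0  # a successful logon clears the counter
    return alerts


def concurrent_session_alerts(records, max_sessions=1):
    """Track active sessions per user ID and flag any logon that pushes the user
    above max_sessions (guidance item 2.b, when the platform cannot enforce
    the limit itself).  Sessions are keyed by source here; a real audit trail
    should be keyed by its logon/session identifier instead."""
    active = defaultdict(set)
    alerts = []
    for ts, event, user, source in records:
        if event == "LOGON_SUCCESS":
            active[user].add(source)
            if len(active[user]) > max_sessions:
                alerts.append((user, ts, f"{len(active[user])} simultaneous sessions "
                               f"from {sorted(active[user])}"))
        elif event == "LOGOFF":
            active[user].discard(source)
    return alerts


if __name__ == "__main__":
    records = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for user, ts, msg in failed_logon_alerts(records) + concurrent_session_alerts(records):
        print(f"{ts.isoformat()} {user}: {msg}")
```

Run as written, the script reports jdoe reaching the threshold at 08:00:40 and then logging on successfully at 08:01:00 (a lockout that was not enforced), while asmith's three failures never trigger because each is more than 60 minutes after the last; widening `reset_minutes` to 120 makes asmith trip the threshold as well. The session check reports asmith's second simultaneous session from 10.1.1.77, which is the condition item 2.b asks the administrator to look for when the platform cannot enforce the limit itself.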

References

  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Windows NT Security Checklist, 10 December 2004
  • DISA Windows 2003 Security Checklist (draft), 10 December 2004
  • DISA Unix STIG, 15 September 2003
  • DISA Unisys STIG, 22 July 2003
  • DOD Database STIG, 24 July 2004
  • NSA Microsoft SQL Server Guides, 02 October 2003
  • NSA Oracle Database Server Guides, 02 October 2003
  • NSA Guide to Securing Windows 2000 – Policy Toolsets, Chapter 3, 05 March 2003
  • NSA Guide to Securing Windows XP, Chapters 2 and 4, 22 October 2004