
ECLO-2 Logon


Overview

Successive logon attempts are controlled using one or more of the following:
  · Access is denied after multiple unsuccessful logon attempts.
  · The number of access attempts in a given period is limited.
  · A time-delay control system is employed.
If the system allows for multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions. Upon successful logon, the user is notified of the date and time of the user's last logon, the location of the user at last logon, and the number of unsuccessful logon attempts using this user ID since the last successful logon.

MAC / CONF: CLASSIFIED
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without proper user account lockout policies in place, unauthorized users could continually attempt to gain system access without being noticed by the system administrator. Allowing an unrestricted number of logon sessions for each user ID would result in unauthorized access to the system. In addition, without proper notification displayed on the monitor upon successful logon, users would not detect unauthorized access to system files and data. This implementation guide is intended to help system administrators implement the account lockout policy, a limit on the number of logon sessions for each user ID, and the notification of the last successful logon.

Guidance
1. The system administrator shall configure the account policy of the operating system, database, and/or application that authenticates users prior to system access. For example, for the Windows operating system, the User Account Lockout Policy in the User Manager can be set as follows:
  · Account lockout duration: 0
  · Account lockout threshold: 3 bad login attempts
  · Reset account lockout counter after: 60 minutes
2. For the number of logon sessions for the same user ID,
  a. If the system software (e.g., Novell Netware) provides the capability of restricting the number of logon sessions, the system administrator shall configure the feature to a limited number (e.g., one or two).
  b. If the system software does not provide the capability of restricting the number of logon sessions, the system administrator shall identify an approved method (e.g., scripts) that restricts simultaneous logon sessions for the same user ID. Otherwise, the system administrator shall review the audit trails regularly to monitor and detect simultaneous logons with the same user ID.
3. For displaying information on the last logon,
  a. If the application provides the capability, the system/application administrator shall enable the capability so that the information on the last logon is displayed upon successful logon.
  b. If the application does not provide the capability to display information on the last logon, the system administrator shall use an approved script to notify users of the following upon successful logon:
     · Date and time of the user's last logon
     · Location of the user at last logon
     · Number of unsuccessful logon attempts using this user ID since the last successful logon.
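As an added illustration (not part of the control text or of any DISA or NSA product), the following Python models the two pieces of logic an approved script would need: the lockout counter with the threshold and reset window from item 1, and the last-logon notice from item 3, both run over a constructed audit trail. The trail format, user IDs and addresses are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Values taken from the guidance above.
LOCKOUT_THRESHOLD = 3                 # bad logon attempts before lockout
RESET_WINDOW = timedelta(minutes=60)  # reset lockout counter after 60 minutes

# Constructed sample audit trail (not real data): (timestamp, user ID, location, success?)
AUDIT_TRAIL = [
    ("2004-12-10T08:00:00", "alice", "10.1.2.3", True),
    ("2004-12-10T09:10:00", "alice", "10.1.2.9", False),
    ("2004-12-10T09:12:00", "alice", "10.1.2.9", False),
    ("2004-12-10T11:00:00", "alice", "10.1.2.9", False),
    ("2004-12-10T11:05:00", "alice", "10.1.2.9", False),
    ("2004-12-10T11:07:00", "alice", "10.1.2.9", False),
    ("2004-12-10T11:30:00", "bob", "10.1.2.4", True),
]

def user_events(trail, user):
    """Chronological (time, location, success) events for one user ID."""
    return sorted((datetime.fromisoformat(ts), loc, ok)
                  for ts, uid, loc, ok in trail if uid == user)

def last_logon_notice(trail, user):
    """What to display after a successful logon (guidance item 3), computed from
    the trail before the current logon is recorded: (date/time of last logon,
    location at last logon, unsuccessful attempts since it)."""
    last_time, last_loc, failures = None, None, 0
    for when, loc, ok in user_events(trail, user):
        if ok:
            last_time, last_loc, failures = when.isoformat(), loc, 0
        else:
            failures += 1
    return last_time, last_loc, failures

def lockout_time(trail, user):
    """Time the lockout threshold is reached (guidance item 1), or None.
    A success, or more than RESET_WINDOW since the previous failure, resets the
    counter. With 'lockout duration: 0' the account stays locked until an
    administrator unlocks it, so the first trigger is what matters."""
    counter, last_failure = 0, None
    for when, _loc, ok in user_events(trail, user):
        if ok:
            counter, last_failure = 0, None
            continue
        if last_failure is not None and when - last_failure > RESET_WINDOW:
            counter = 0                   # quiet for over an hour: counter reset
        counter, last_failure = counter + 1, when
        if counter >= LOCKOUT_THRESHOLD:
            return when.isoformat()
    return None
```

Note that the notice reports all five failures since alice's last successful logon, while the lockout counter only reaches the threshold at 11:07 because the two morning failures aged out of the 60-minute reset window; the two counts answer different questions.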
