Friday, November 13, 2009

Make Windows remote login more secure without using a longer password: set a login lockout

This page has some useful info for making your WinXP remote desktop more secure. I wouldn't follow all the advice, but some of it is certainly useful. I'm a fan of changing the account lockout policy in particular, since it makes it very hard to remotely connect and guess the password by trying a large dictionary of possible passwords. In short, it sets a limit on the number of failed attempts (per user), after which the account is locked for a specified amount of time (no login allowed, even if the password is right). They suggest a lockout rate of 3/3/3 (failed attempts / lockout duration in minutes / minutes before the failure count resets), which would limit a remote guesser to 1 password test a minute. This is the right idea, but for butterfingers like me it could potentially lock me out, which I don't like. A better setting is 10/10/10, which would also limit the throughput to 1 guess/min, but would allow me to make up to 10 mistakes before any limit is encountered.

Note: the lockout policy applies to every logon path, not just Remote Desktop. So you can use it to secure other remote login options too, like SSHD (I use Cygwin's implementation).
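To make the throughput argument concrete, here is a small simulation I've added (it is not code from the original post or the page it links to). It models the three settings under Local Security Policy, Account Lockout Policy (Account lockout threshold, Account lockout duration, Reset account lockout counter after) as a per-account state machine, then measures how many guesses per hour a continuous remote guesser actually gets to test and how many consecutive typos a legitimate user can make before being locked out. The class and function names (LockoutPolicy, Account, guesses_per_hour, typos_tolerated) and the sample password are my own constructions; the lockout semantics follow the Windows policy definitions, where the threshold-th failure is the one that locks the account.

```python
"""Simulate a Windows-style account lockout policy (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int     # "Account lockout threshold": failed attempts that lock the account; 0 = disabled
    duration_min: int  # "Account lockout duration": minutes the account stays locked
    reset_min: int     # "Reset account lockout counter after": minutes without a failure before the counter resets


class Account:
    """Tracks one account's bad-password counter and lockout state. Time is in seconds."""

    def __init__(self, policy: LockoutPolicy, password: str) -> None:
        self.policy = policy
        self._password = password
        self.failures = 0
        self.last_failure: Optional[int] = None
        self.locked_until: Optional[int] = None

    def attempt(self, now: int, guess: str) -> str:
        """Process a logon attempt at time `now`; returns 'locked', 'bad_password' or 'ok'."""
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"  # rejected even if the guess is right
            # lockout expired: the account unlocks automatically with a clean counter
            self.locked_until = None
            self.failures = 0
        # the failure counter resets once reset_min minutes pass without a failure
        if self.last_failure is not None and now - self.last_failure >= p.reset_min * 60:
            self.failures = 0
        if guess == self._password:
            self.failures = 0
            self.last_failure = None
            return "ok"
        self.failures += 1
        self.last_failure = now
        if p.threshold and self.failures >= p.threshold:
            self.locked_until = now + p.duration_min * 60
        return "bad_password"


def guesses_per_hour(policy: LockoutPolicy, attempts_per_second: int = 1) -> int:
    """Count how many distinct wrong passwords a remote guesser can actually test in one hour."""
    acct = Account(policy, "correct horse battery staple")  # constructed sample password
    tested = 0
    for second in range(3600):
        for _ in range(attempts_per_second):
            if acct.attempt(second, f"wrong-{tested}") == "bad_password":
                tested += 1
    return tested


def typos_tolerated(policy: LockoutPolicy, seconds_between_tries: int = 10) -> int:
    """Largest number of consecutive typos after which the correct password still logs in."""
    if policy.threshold == 0:
        raise ValueError("lockout disabled: no limit on typos")
    password = "correct horse battery staple"
    for typos in range(policy.threshold + 1):
        acct = Account(policy, password)
        t = 0
        for _ in range(typos):
            acct.attempt(t, "typo")
            t += seconds_between_tries
        if acct.attempt(t, password) != "ok":
            return typos - 1
    return policy.threshold


if __name__ == "__main__":
    print(f"{'policy':>10} {'guesses/hour':>13} {'guesses/hour @10/s':>19} {'typos ok':>9}")
    for pol in (LockoutPolicy(0, 0, 0), LockoutPolicy(3, 3, 3), LockoutPolicy(10, 10, 10)):
        label = f"{pol.threshold}/{pol.duration_min}/{pol.reset_min}"
        typos = "no limit" if pol.threshold == 0 else str(typos_tolerated(pol))
        print(f"{label:>10} {guesses_per_hour(pol):>13} "
              f"{guesses_per_hour(pol, attempts_per_second=10):>19} {typos:>9}")
```

Both 3/3/3 and 10/10/10 come out at 60 testable guesses per hour whether the guesser tries once or ten times a second, which is the 1 guess/min figure above; with lockout disabled the same guesser tests 3600 per hour at one try a second. The typo column shows the trade-off: 3/3/3 survives two typos in a row and locks on the third, while 10/10/10 survives nine.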

