AccountLockoutCounterResetEnabled attribute clarification

AMI_Mani
Tuna

AMI

Posts: 178

AccountLockoutCounterResetEnabled attribute clarification Mar 5, 2020 18:12:49 GMT

Quote

Post by AMI_Mani on Mar 5, 2020 18:12:49 GMT

Hi,
As per schema AccountLockoutCounterResetEnabled is defined as below

"AccountLockoutCounterResetEnabled": {
"description": "The value indicates whether the threshold counter will be reset after AccountLockoutCounterResetAfter expires.",
"longDescription": "This property shall indicate whether the threshold counter will be reset after the AccountLockoutCounterResetAfter has expired. Setting the value to false shall indicate that only a successful login will reset the threshold counter. In addition, if the user reaches the limit specified in AccountLockoutThreshold, the account shall be locked out indefinitely and only a reset by administrator will clear the threshold counter. If this property is absent the value shall be assumed to be true.",
"readonly": false,
"type": "boolean",
"versionAdded": "v1_5_0"
}
Assume use case like only one Administrator account is there and no other additional account/external authentication mechanism available, User patching AccountLockoutCounterResetEnabled to false, then he used wrong password for five times(AccountLockoutThreshold limit is 5) and Account will get locked.
In this case there is no other account available to reset. Since this is user initiated operation, do we need to block changing AccountLockoutCounterResetEnabled when there is only one administrator account (user can create two users and set AccountLockoutCounterResetEnabled to false for administrator, then delete one account) or allow invalid login attempts without locking(This can create a attack to try different password)

Can we get more details about using AccountLockoutCounterResetEnabled in these types of situation. Also as per manager Account xml(ManagerAccount_v1.xml), we need to allow delete any account.

<Annotation Term="Capabilities.DeleteRestrictions">
<Record>
<PropertyValue Property="Deletable" Bool="true"/>
<Annotation Term="OData.Description" String="Manager Accounts are removed with a Delete operation."/>
</Record>
</Annotation

so in this case we can't block user to delete default account. Do we have any fixed user concepts to avoid these type of situations?

Thanks,
Mani

Last Edit: Mar 10, 2020 13:25:39 GMT by AMI_Mani

AMI_shirleyh
Guppy

Posts: 54

AccountLockoutCounterResetEnabled attribute clarification Apr 20, 2021 7:40:21 GMT

Quote

Post by AMI_shirleyh on Apr 20, 2021 7:40:21 GMT

Hi Jeff,

I guess somehow this question has been missed by you for answer. Again we are facing issues with situations as mentioned above.

"AccountLockoutCounterResetEnabled" :
" In addition, if the user reaches the limit specified in AccountLockoutThreshold, the account shall be locked out indefinitely and only a reset by administrator will clear the threshold counter."

Do you mean administrator account or Valid Login Credentials of an Administrator account ? Also what if all the Administrator accounts are deleted except this ?

So for now we are restricting to allow this to make it false if no other Administrator Account Exists.

Let me know if you have any other better suggestions.

Thanks.

mraineri
Administrator

Posts: 1,132

AccountLockoutCounterResetEnabled attribute clarification Apr 20, 2021 12:48:21 GMT

Quote

Post by mraineri on Apr 20, 2021 12:48:21 GMT

Saying it a bit differently, any user with sufficient privilege to PATCH the ManagerAccount resource would be able to modify the "Locked" property to set it back to false.

However, the corner cases of locking out your only account or deleting all administrator accounts are interesting and need to be discussed further. I suspect we'll need to make recommendations in the specification in this area.

AMI_shirleyh
Guppy

Posts: 54

AccountLockoutCounterResetEnabled attribute clarification Apr 20, 2021 15:20:47 GMT

Quote

Post by AMI_shirleyh on Apr 20, 2021 15:20:47 GMT

Thanks for your reply.

To add on to it, we got another scenario in which many accounts with Administrator exists, but different Users try to hack with invalid passwords for all accounts to reach the Threshold Limit and lock indefinitely. This is a deadlock. No one can access Redfish Service and perform any operations though the actual Administrator tries with correct username and password.

Till now I'm not able to think of any scenario in which we might need to lock indefinitely or false is required.

Also another point to be noted is "AccountLockoutCounterResetEnabled" attribute is common for all accounts.

I know it's a tough game to come up with a solution to satisfy all scenarios.

All the best !!

AMI_Mani
Tuna

AMI

Posts: 178

AccountLockoutCounterResetEnabled attribute clarification Apr 20, 2021 18:31:44 GMT

Quote

Post by AMI_Mani on Apr 20, 2021 18:31:44 GMT

Assume service has five administrator accounts and attacker can try with correct username for all 5 accounts with invalid password and AccountLockoutCounterResetEnabled attribute is false, in this case all account will be locked indefinitely. There is no way to communicate with correct password also since all administrator account get locked indefinitely
To avoid this situation, can we allow a successful login will reset the threshold counter even reaches the limit specified in AccountLockoutThreshold or needs some other attribute with some limit to come out of this situation

Thanks,
Mani

Last Edit: Apr 20, 2021 18:32:09 GMT by AMI_Mani