A No Brainer Way to Stop the Brute Force Attack

People are trying to break into your computers at the Practice.  It sucks – it could be your Janitor, an Internet hacker or even a disgruntled employee looking to take advantage of you.  Here is something simple you can do to make it much harder for them to hack in.

They’re Guessing

If someone doesn’t know a valid username and password to login to your PC, they guess.   Simple enough.    A hacker will do a brute force ‘dictionary’ hack, which is they will try every word in the dictionary as a password.  Since the hacker uses a computer to hack your computer (not a person with a dictionary in front of them), they can try 10’s of thousands of passwords in a single day.   If you have a weak password, they can usually break in pretty quickly.  This is a simplistic description of what they do, but you get the point, someone making a lot of guesses at the password.

The Defense

Stopping this kind of attack is pretty easy if you have a Windows computer network.   Microsoft has built in a series of security policies that can temporarily disable an account after 5 incorrect login attempts, and then re-enable the account after 30 minutes (you can adjust the number of attempts and reset time to your liking of course).   This simple step will thwart most people trying to guess their way in.  For the Internet hacker, it would take forever to hack in, so they move on to someone else (less protected).  For the Janitor or disgruntled employee trying to break in, they will usually freak out after the account gets locked out – now they know someone knows they are up to something and hopefully this scares them off from trying again..

Off by Default

This sounds like a great idea, but Microsoft opted to make this policy ‘optional’ – it’s off by default.   All you or your IT person needs to do is turn it on properly.

Inform your Staff

Some people suck at remembering passwords.  This security ‘feature’ can be a nuisance if you have staff that routinely fat finger passwords many times in a row.   If they incorrectly enter the password 5 times at a clinic PC, it will take 30 minutes until they can try again.

This is easy to plan for.  Make them aware that the network is fussy about incorrect attempts and what will happen.  Ask them that if they blow it 3 times they should stop and be more careful, perhaps ask someone else about the password, etc. while they have 2 tries left.  Basically stop guessing and get help.

Watch for the alarm signs

If you have an account that is getting locked out, and you don’t know why (no one fesses up to making failed login attempts) this could be a sign of a hack attempt.   Don’t Ignore It!  Ask your IT person to look at the logs and see what time the attempts were made and try and work out what happened.   It wouldn’t be the first time we discovered that someone outside the Practice was attempting to hack in using the Clinic username.

How to do it

If you are convinced and not the nerd that will be doing the work, skip down this article to the section on adding this to your IT Policy.  Now on with the nerdy bit.

Domain Networks

On a Microsoft Windows network using Active Directory domain security (like all Windows networks should) this is pretty simple (ask your IT person).

GPO Editor in Start MenuOn the Server, open the Group Policy Manager from the Administrative Tools menu.

 

 

 

SelectGPOtoEditExpand your domain and go to Group Policy Objects, then right click Default Domain Policy and select Edit.

 

 

 

 

 

AccountLockoutPolicySectionExpand Computer Configuration, Windows Settings, Security Settings, Account Policies and then click on Account Lockout Policy.  Double Click on the Account Lockout Threshold.

 

EnablingAccountLockoutThresholdCheck Define This Policy Setting and set the value to 5 invalid login attempts (or whatever you’d like).  Click OK to Apply.

 

 

 

 

 

SuggestedSettingsThis should popup a prompt to suggest enabling two other features, Account Lockout Duration and Reset Account Lockout Counter After.   Both of these are good ideas.  I usually just leave the values set to the suggested defaults (you can change if you like).

LocalPolicyAdjustedThat’s it.  Anyone trying to login to any device with a domain username and password will now be under this restriction.

Local Computer Policy

If you don’t have a full blown Windows Active Directory (ask your IT person why not) you can still enable this feature locally at each individual computer in your network.  It takes a little more effort.  You’ll need to go to each PC to do it, but it’s not hard.

The Process is nearly the same as with the Default Domain Policy described above.

LocalSecurityPolicyStartMenuStart by opening your Local Security Policy from the Administrative Tools menu on the PC.

 

 

 

LocalPolicyAdjustedExpand Account Policies and then click on Account Lockout Policy.

Enable the Account Lockout Threshold and other suggested settings as described above.

Remember, if you are doing it this way, Do EVERY Computer, don’t skip ones you don’t care about.    Often if they can hack into one computer this way, it’s fairly typical that you’ve setup your network with the same local user names and passwords on each PC, and the information they figured out on the hacked PC could allow them into all your PCs.

Make this part of your IT Policy

I have been on a crusade of sorts to help get Practices organized to take reasonable security precautions to protect their data and help with HIPAA compliance, and this topic is one of them.    In a previous post I have outlined the need for maintaining a simple IT Policy document using the example of Maple Leaf Orthodontics.

This is an easy section to add.   It merely needs to state that you want this automatic Account Lockout setup.    Annually someone should check that the policy is still setup this way and document that it was checked (I’d suggest a trial by fire, just attempt to login to one of the accounts you can do without for 30 minutes with 5 incorrect passwords and be sure it locks out, and then resets automatically after the prescribed time).

I have prepared the text for the IT Policy and you can download it here.

I have also prepared the simple annual checklist that your IT person can use to document it was done.  You can download it here.

With a little effort you can substitute your own logo and turn the checklist into a fancy PDF document that makes it easier to fill out (saving time) and to save electronically.  You can download my example here.

Conclusion

This is a simple one I recommend everyone do.  Very little cost and hassle plus there is a big upside to reducing one of the ways people break in.


Please subscribe to the blog to get a notice of when the next article is posted. Sign up to get updates by email as soon as we add them.


MME TechnicianIf you’d like a little help with your Account Lockout Settings or IT Policy and it’s implementation please consider MME, it’s what we do.   We can customize the complete document for the steps applicable to your Practice, and take care of the IT steps to implement them (we are nerds after all).  Just give us a call at 866-419-1102 or check us out online at www.mmeconsulting.com.