WinSecWiki > Security Settings > Account Policies > Lockout Policy
Account lockout is a useful method for slowing down online password-guessing attacks and for compensating for weak password policies. These three policies work together to limit the number of consecutive logon attempts, within a given period of time, that fail because of a bad password.
To strengthen account lockout policy, increase Account lockout duration, decrease Account lockout threshold and increase Reset account lockout counter after. Making these policies too strict, though, can lead to premature account lockouts and increased helpdesk support calls.
Policy Scope
All of the settings in this section apply either to domain accounts in Active Directory or local accounts on member servers. See the article "Account Policies Explained" at the upper level. Also see the article "Fine Grained Password and Lockout Policy".
Policies
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
Example policies
The following policy is too weak; it would only trigger lockouts for very brazen password guessing attacks.
- Account lockout duration: 5 minutes
- Account lockout threshold: 15 invalid logon attempts
- Reset account lockout after: 5 minutes
The following policy will limit an attacker to 10 consecutive logon attempts during any 24-hour period and require an administrator to unlock the account:
- Account lockout duration: 1440 minutes
- Account lockout threshold: 10 invalid logon attempts
- Reset account lockout after: 0 minutes
Troubleshooting
Administrators frequently struggle with repeated, unexplained and seemingly spontaneous account lockouts for a given user account. This is frequently due to a workstation where a user account remains logged on after that account's password has been changed elsewhere. But there are many other possible reasons, including stored credentials, programs that cache credentials, scheduled tasks, services, persistent drive mappings, Active Directory replication problems and disconnected Terminal Services sessions.
Microsoft has produced a number of resources to help diagnose this problem.
- Account Passwords and Policies in Windows Server 2003 – see sections on account lockout
- Account Lockout and Management Tools
- Account Lockout Best Practices White Paper
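Added example, not from WinSecWiki or from Microsoft's lockout tools: the first step those tools automate is reading the domain controllers' Security log for the Windows "A user account was locked out" event (ID 4740) and tallying which computer submitted the bad passwords. It assumes the ActiveDirectory PowerShell module and read access to the Security log on the PDC emulator.

```powershell
# Added example (not from WinSecWiki or Microsoft's lockout tools).
# Assumes the ActiveDirectory module and rights to read the Security
# log on the domain controllers.

# Every lockout in the domain is recorded on the PDC emulator, so query it.
$pdc = (Get-ADDomain).PDCEmulator

# Security event 4740 = "A user account was locked out". In its event
# data, TargetUserName is the locked account and, unusually,
# TargetDomainName carries the Caller Computer Name: the machine that
# sent the bad passwords, which is what troubleshooting needs.
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-1)
}

$lockouts = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
    }
}

# One account repeatedly locked from one caller points at a stale logon
# session, cached credential, service, scheduled task or mapped drive there.
$lockouts |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';        e = { $_.Group[0].Account } },
        @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } } |
    Format-Table -AutoSize
```

Widen StartTime if the lockouts are intermittent; the caller computer named most often is where to look for the stale session or cached credential.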
Remember that, for domain accounts, Active Directory enforces just one account lockout policy for all domain user accounts in the entire domain. This policy is defined in the Default Domain Policy GPO linked to the root of the domain. See upper level for more information.
Child articles:
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
//workbench.cisecurity.org/files/3476
Information
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.
The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0.
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Rationale:
Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts.
Impact:
If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls.
If you enforce this setting, an attacker could cause a denial of service condition by deliberately generating failed logons for multiple users; therefore you should also configure the Account Lockout Duration to a relatively low value.
If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
Solution
To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
Default Value:
0 failed logon attempts.
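Added example, not part of the CIS benchmark text or WinSecWiki: an audit that reads the effective lockout settings from Active Directory (the Default Domain Policy values, then every PSO that overrides them) and reports deviations from the recommended state quoted above. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the threshold check is CIS's (1 to 5, never 0), while the 15-minute floor for duration and reset window is a constructed value chosen between the page's weak (5 minutes) and strong (1440 minutes) examples, not a benchmark requirement.

```powershell
# Added example (not from the CIS benchmark or WinSecWiki).
# Assumes the ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# Constructed floor for duration and reset window; CIS only fixes the threshold.
$MinWindowMinutes = 15

function Test-LockoutPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Name)
    $findings = @()

    # CIS recommended state: 5 or fewer invalid attempts, but not 0.
    $t = $Policy.LockoutThreshold
    if ($t -eq 0) {
        $findings += 'Threshold 0: lockout disabled, online guessing is never stopped'
    } elseif ($t -gt 5) {
        $findings += "Threshold $t exceeds the CIS recommendation of 5 or fewer"
    }

    # A zero (or negative, as the cmdlet may surface the 'until an
    # administrator unlocks' setting) duration never auto-unlocks.
    $d = $Policy.LockoutDuration.TotalMinutes
    $w = $Policy.LockoutObservationWindow.TotalMinutes
    if ($d -gt 0 -and $d -lt $MinWindowMinutes) {
        $findings += "Duration $d min lets a guesser resume almost immediately"
    }
    if ($w -gt 0 -and $w -lt $MinWindowMinutes) {
        $findings += "Reset window $w min forgets failures too quickly"
    }

    [pscustomobject]@{
        Policy      = $Name
        Threshold   = $t
        DurationMin = $d
        WindowMin   = $w
        Findings    = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# The Default Domain Policy values apply to every domain account...
Test-LockoutPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

# ...except users and groups covered by a PSO, which overrides them
# (lower Precedence wins when several PSOs apply to one user).
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-LockoutPolicy -Policy $_ -Name "PSO $($_.Name) (precedence $($_.Precedence))"
}
```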