Also, applications, particularly those that use saved passwords, are often unaware of a password change and continue to use the old password, sometimes automatically retrying the same password many times in a short amount of time. Not every bad logon attempt reflects an attempt to gain unauthorized access. While account lockout can help prevent intrusion, it can also expose your organization to accidental lockouts as well as to denial of service attacks. The counter is also reset after a successful logon. Reset account lockout counter after : the number of minutes after a failed logon attempt before the bad-logon counter is reset to 0. If set to 0, the account remains locked out until an administrator explicitly unlocks it. If set to 0, account lockout is disabled and accounts are never locked out.Īccount lockout duration : the number of minutes that an account remains locked out before it’s automatically unlocked. Windows account lockout can be configured with these three settings:Īccount lockout threshold : the number of failed logon attempts that trigger account lockout. When account lockout is configured, Windows locks the account after a certain number of failed logon attempts, and blocks further logon attempts even if the correct password is supplied. If account lockout is not configured, an attacker can automate an attempt to log on with different user accounts, trying common passwords as well as every possible combination of eight or fewer characters in a very short amount of time, until one finally works. The purpose of account lockout is to make it harder for password-guessing attacks to succeed. Again, though, this is one where you should take a close look at the threats and tradeoffs for your own environment before applying the settings we picked. We had to pick something for the baseline, so we discuss the settings we selected and why we changed them from what we had selected for other recent baselines. This blog post tries to help by discussing the issues and tradeoffs of enabling account lockout and how tightly to enforce it. Ultimately, each organization must determine what best meets their own needs. For account lockout, however, there is no “one size fits all” setting, but there’s a lot of heated discussion whenever anyone tries to pick one. For example, the “Debug programs” privilege should be granted to Administrators and to no one else. We can recommend an ideal configuration for most of the settings in our security guidance. First published on TechNet on Aug 13, 2014
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |