Configure Account Lockout Policies

by Tony Bradley [Published on 1 Dec. 2004 / Last Updated on 1 Dec. 2004]

Given enough time and the opportunity to try multiple username and password combinations, an attacker might eventually succeed in compromising the security of a server or other computer. Account lockout policies protect the machine by letting you set thresholds that automatically shut down an account if too many incorrect username and password combinations are attempted.

Sometimes you, or other users of a server or workstation, have a hard time remembering the correct username and password. It may be from a simple typo while entering the information or it may be a result of having too many different usernames and passwords to remember. Whatever the reason, there are times when incorrect authentication information will be entered when someone is trying to log in. You don't need to be alarmed by a single failed attempt. You probably don't even need to be concerned about two or three attempts.

At some point, though, you have to figure that it is no longer an honest mistake and is instead either a program or an individual systematically trying different username or password combinations to gain unauthorized access to the machine. Windows offers a way to protect the machine from such attempts through the Account Lockout Policies. By configuring the operating system to lock the account and bar access after a certain number of failed login attempts, you allow the system to proactively block such attempts.

You can open the Local Security Settings console with the following steps:

1. Click on Start

2. Click on Control Panel

3. Click on Administrative Tools

4. Click on Local Security Policy

You can also get to the same place by typing "secpol.msc" at a command prompt. Once you have the Local Security Settings interface open you should click on Account Policies and then click on Account Lockout Policy. You will see three policies in the right pane along with the current status of each. The three policies are the Account Lockout Threshold, Reset Account Lockout Counter After and Account Lockout Duration. Here is a brief synopsis of each.

Account Lockout Threshold: The Account Lockout Threshold policy specifies the number of failed login attempts allowed before the account is locked out. If the threshold is set at 3 the account will be locked out after a user enters incorrect login information 3 times within a specified timeframe.

Reset Account Lockout Counter After: This policy defines the timeframe over which incorrect login attempts are counted. If the policy is set to 1 hour and the Account Lockout Threshold is set to 3 attempts, a user can enter incorrect login information 3 times within 1 hour. If they enter the incorrect information twice but get it correct the third time, the counter will reset after 1 hour has elapsed (from the first incorrect entry), so that future failed attempts will again start counting at 1.

Account Lockout Duration: The Account Lockout Duration policy allows you to specify a timeframe after which the account will automatically unlock and resume normal operation. If you specify 0 the account will be locked out indefinitely until an administrator manually unlocks it.

Again, users may at times enter incorrect information for innocent reasons such as a typo or simply forgetting what the password is. For a typical server or workstation you don't want to configure the policy settings so tightly that users are frequently locked out for honest mistakes. For most computers I would recommend using settings within the following parameters:

Account Lockout Threshold: A number between 3 and 5 should suffice to account for honest mistakes and typographical errors.

Reset Account Lockout Counter After: Using a timeframe between 30 and 60 minutes is sufficient to deter automated attacks as well as manual attempts by an attacker to guess a password.

Account Lockout Duration: Once the threshold is triggered and the account is locked out you want to leave it locked long enough to block or deter any potential attacks, but short enough not to interfere with productivity of legitimate users. A lockout duration of 1 hour to 90 minutes should work well.
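As an added example (not from the original article), the following PowerShell script audits a machine's three lockout settings against the ranges recommended above. It exports the local policy with secedit.exe and reads the values back from the [System Access] section; it assumes an administrative prompt and that the local policy is the one in effect (no domain Group Policy overriding it).

```powershell
# Added example, not from the original article: audit the local Account Lockout
# Policy against the ranges recommended above. Assumes an administrative prompt
# and that no domain Group Policy overrides the local settings.
$inf = Join-Path $env:TEMP 'lockout-audit.inf'
secedit.exe /export /cfg "$inf" /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run from an elevated prompt)' }

# The exported INF stores the three settings under [System Access]:
#   LockoutBadCount   = Account Lockout Threshold (attempts; 0 = never lock)
#   ResetLockoutCount = Reset Account Lockout Counter After (minutes)
#   LockoutDuration   = Account Lockout Duration (minutes; 0 or -1 = locked
#                       until an administrator unlocks the account)
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(LockoutBadCount|ResetLockoutCount|LockoutDuration)\s*=\s*(-?\d+)') {
        $policy[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item $inf -Force

# Recommended ranges taken from the article's guidance (minutes for the two timers)
$checks = @(
    @{ Name = 'Account Lockout Threshold';           Key = 'LockoutBadCount';   Min = 3;  Max = 5  },
    @{ Name = 'Reset Account Lockout Counter After'; Key = 'ResetLockoutCount'; Min = 30; Max = 60 },
    @{ Name = 'Account Lockout Duration';            Key = 'LockoutDuration';   Min = 60; Max = 90 }
)
foreach ($c in $checks) {
    if (-not $policy.ContainsKey($c.Key)) {
        # Windows omits the two timers from the export when the threshold is 0 (lockout disabled)
        Write-Output ("{0}: not set" -f $c.Name)
        continue
    }
    $v = $policy[$c.Key]
    $status = 'REVIEW'
    if ($v -ge $c.Min -and $v -le $c.Max) { $status = 'OK' }
    if ($c.Key -eq 'LockoutBadCount' -and $v -eq 0) { $status = 'REVIEW (lockout disabled)' }
    if ($c.Key -eq 'LockoutDuration' -and $v -le 0) { $status = 'REVIEW (indefinite; needs admin unlock)' }
    Write-Output ("{0}: {1} -> {2} (recommended {3}-{4})" -f $c.Name, $v, $status, $c.Min, $c.Max)
}

# To apply values inside the recommended ranges, net.exe accepts the same three
# settings directly (administrative prompt required; uncomment to run):
# net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:60
```

On a domain-joined machine the effective values come from the domain's Default Domain Policy rather than this local export, so check there as well.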

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
