Why do you need to set account lockout policies?

Every day, sysadmins handle a stream of tickets, many of them raised by users who are locked out of their accounts after forgetting or mistyping their password one too many times. Resolving these lockouts consumes valuable company time and money, with the average cost of handling a ticket at over $15.* It's important for organizations to configure their account lockout policies thoughtfully so that the number of lockouts drops without weakening the network's security. Not every lockout can be prevented, but the best practices below reduce their number significantly.

 

Enable the “Account lockout duration” policy

The right account lockout duration depends on organization-specific factors such as user count and industry. Setting the duration to zero keeps a locked account locked until an administrator unlocks it. This is the most secure option, but it also generates the most help desk requests, and it means anyone who can trigger a lockout causes an outage that only an admin can clear. The recommended duration is between 30 and 60 minutes.

 

Leverage the “Account lockout threshold” policy

If the account lockout threshold is set too low, accidental lockouts will be frequent. A low threshold also makes accounts easy to lock out deliberately as a denial-of-service attack, since an attacker only has to enter a few wrong passwords against a known username. If the threshold is set too high, the probability of a successful brute-force attack increases, because the attacker gets more guesses before each lockout. Windows accepts values from 0 (never lock out) to 999 failed attempts. The recommended threshold is 15 to 50.

 

Configure the “Reset account lockout counter after” policy

When choosing the “reset account lockout counter after” value, organizations need to balance the type and level of security threats they face against the cost of help desk calls. This value must be less than or equal to the account lockout duration; Windows will not accept a larger one. A shorter window means a few mistypes spread across the day never add up to a lockout, while a longer window makes slow, low-rate password guessing harder. The recommended setting is anything less than 30 minutes.

These additional measures can minimize account lockouts in your enterprise.

 

Set policies based on user security level

Different combinations of these values should be applied to users of different security levels. The Fine-Grained Password Policy (FGPP) feature in Active Directory (AD) makes this possible by attaching a password and lockout policy to a group or user that overrides the domain default. For low security users, account lockouts can be disabled by setting the threshold to zero. For high security users, such as admins and managers, the account lockout duration should be set to zero, so a locked account can only be unlocked by an admin, and a low account lockout threshold should be set, since these users are expected to remember their passwords and enter their credentials with care. Be aware that this combination is also the easiest to abuse for a lockout denial of service: anyone who can reach a logon prompt and knows an admin's username can lock that account until an admin intervenes, so monitoring and alerting for these accounts (covered below) are part of the same control.
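The following script is an added example, not code from the original page or from ADAudit Plus. It applies the domain default recommended in the three sections above and the two fine-grained policies described here, using the ActiveDirectory PowerShell module from RSAT, run as a Domain Admin. The policy names, the group names ('Domain Admins', 'Kiosk Users'), the 5-attempt admin threshold, the password length and age values, and the user 'jdoe' are assumptions. The zero lockout duration is passed as a zero TimeSpan, which is how the policy editor's "until an administrator manually unlocks" value is expressed; the read-back at the end confirms what AD actually stored.

```powershell
# Added example, not code from the original page. Applies the lockout values
# recommended above with the ActiveDirectory module (RSAT), run as a Domain Admin.
# Policy names, group names, the 5-attempt admin threshold and 'jdoe' are assumptions.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Domain default for ordinary users: 15 attempts, lock for 30 minutes,
#    reset the failed-attempt counter after 15 minutes. AD rejects an observation
#    window that is longer than the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -LockoutThreshold 15 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# 2. Fine-grained policy for privileged accounts: low threshold, locked until an
#    administrator unlocks (zero duration). The lower Precedence wins when a user
#    is covered by more than one fine-grained policy.
New-ADFineGrainedPasswordPolicy -Name 'FGPP-Privileged' -Precedence 10 `
    -LockoutThreshold 5 `
    -LockoutDuration ([TimeSpan]::Zero) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1)
Add-ADFineGrainedPasswordPolicySubject -Identity 'FGPP-Privileged' -Subjects 'Domain Admins'

# 3. Fine-grained policy for low security accounts (e.g. kiosk users): lockout
#    disabled by a zero threshold; the duration and window are then irrelevant.
New-ADFineGrainedPasswordPolicy -Name 'FGPP-LowRisk' -Precedence 100 `
    -LockoutThreshold 0 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ComplexityEnabled $true -MinPasswordLength 8 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1)
Add-ADFineGrainedPasswordPolicySubject -Identity 'FGPP-LowRisk' -Subjects 'Kiosk Users'

# 4. Verify what AD stored, and which policy actually applies to a given user.
#    An empty result from the resultant-policy query means the domain default applies.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # assumed user
```

Run the read-back before and after the change; a fine-grained policy that is created but never assigned a subject, or that loses the precedence contest to another policy, silently leaves the user on the domain default.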

 

Educate end users

Most cybersecurity breaches involve human error.** Organizations can reduce this share by conducting cybersecurity awareness training regularly, covering password hygiene and how account lockouts happen, for example by updating saved credentials on every device promptly after a password change.

 

Monitor unusual activity

User behavior analytics (UBA) can be used to detect unusual spikes in user account lockout activity. This comes in handy when organizations have a large number of employees and it's impossible to track each user's account lockout activity. 

 

Update stale credentials

A major cause of account lockouts is the use of stale credentials by system services, scheduled tasks, mapped drives, saved Credential Manager entries, or disconnected terminal sessions that keep presenting an old password after the user has changed it. The lockout event on the domain controller (Security event ID 4740) records the caller computer name, which points to the machine that sent the bad passwords. On that machine, clear the stale entries from Credential Manager, update the password stored by any service or scheduled task that runs as the account, log off disconnected sessions, and restart the computer; this resolves most of these cases.
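The following script is an added example, not code from the original page or from ADAudit Plus. It is run on the caller computer named in the lockout event and lists the places where a stale password for an account is typically cached, then reads the account's bad-password counter from the PDC emulator (which needs RSAT) to confirm the lockouts have stopped. The account name 'jdoe' is an assumption.

```powershell
# Added example, not code from the original page. Run on the "Caller Computer Name"
# recorded in the DC's 4740 lockout event. The account name is an assumption.
$User = 'jdoe'

# 1. Saved credentials in Credential Manager. Each entry lists Target, Type, User,
#    so show the two lines before the matching "User:" line. Remove a stale entry
#    with: cmdkey /delete:<target>
Write-Host "== Credential Manager entries for $User"
cmdkey /list | Select-String -Pattern $User -Context 2,0

# 2. Services configured to log on as the account (update via services.msc or sc config)
Write-Host "== Services running as $User"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $User } |
    Select-Object Name, StartName, State

# 3. Scheduled tasks whose principal is the account
Write-Host "== Scheduled tasks running as $User"
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $User } |
    Select-Object TaskName, TaskPath, State

# 4. Mapped network drives; re-map them after a password change
Write-Host "== Mapped drives"
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status

# 5. Interactive sessions. A disconnected session (state "Disc") still holds the
#    old token; log it off with: logoff <session id>
Write-Host "== Interactive sessions"
query user

# 6. After clearing the stale entries, confirm the domain no longer sees bad
#    password attempts. badPwdCount is not replicated, but every DC forwards bad
#    passwords to the PDC emulator, so ask it; the count resets on the next
#    successful logon.
Import-Module ActiveDirectory
Get-ADUser -Identity $User -Server (Get-ADDomain).PDCEmulator `
    -Properties badPwdCount, LockedOut, lastBadPasswordAttempt |
    Select-Object badPwdCount, LockedOut, lastBadPasswordAttempt
```

If lastBadPasswordAttempt keeps advancing after the restart, the stale credential is on another machine; go back to the caller computer name in the next 4740 event rather than guessing.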

 

Set alerts for user lockouts

Enable notifications to get real-time alerts for high security user account lockouts, which helps unlock these accounts faster. Use tools that can run scripts to unlock high-priority locked out accounts immediately, and have the alert carry the caller computer name so the cause can be fixed rather than just the symptom.
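The following script is an added example, not code from the original page or from ADAudit Plus, and serves both the "Monitor unusual activity" and "Set alerts for user lockouts" sections. It reads lockout events (Security event ID 4740) from the PDC emulator, which sees every lockout in the domain, flags accounts whose lockout count in the window is unusual, and unlocks and alerts on a list of high-priority accounts. The one-hour window, the spike limit of 3, the priority list and the SMTP details are assumptions.

```powershell
# Added example, not code from the original page. Reads 4740 lockout events from
# the PDC emulator, flags spikes, and unlocks/alerts on high-priority accounts.
# Window, spike limit, priority list and SMTP settings are assumptions.
Import-Module ActiveDirectory

$Pdc          = (Get-ADDomain).PDCEmulator
$Window       = New-TimeSpan -Hours 1
$SpikeLimit   = 3                               # assumed: more lockouts than this per window is abnormal
$HighPriority = @('adm-jdoe', 'svc-backup')     # assumed: unlock these at once and notify the on-call
$Smtp = @{ SmtpServer = 'smtp.corp.example'; From = 'ad-alerts@corp.example'; To = 'soc@corp.example' }  # assumed

$events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date) - $Window
} -ErrorAction SilentlyContinue                 # Get-WinEvent throws when nothing matches

# In a 4740 event, Properties[0] is the locked-out account and Properties[1] is the
# caller computer name, i.e. the machine that sent the bad passwords.
$lockouts = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $e.Properties[0].Value
        Caller = $e.Properties[1].Value
    }
}

# Spike detection. One caller behind many lockouts usually means a stale credential
# on that machine; many callers for one account, or many accounts at once, looks
# like a password spray or a deliberate lockout DoS and belongs with the SOC.
$spikes = $lockouts | Group-Object User | Where-Object Count -gt $SpikeLimit
foreach ($s in $spikes) {
    $callers = ($s.Group.Caller | Sort-Object -Unique) -join ', '
    Write-Warning ("{0}: {1} lockouts in the last {2}; caller(s): {3}" -f $s.Name, $s.Count, $Window, $callers)
}

# High-priority accounts: unlock immediately and notify, including where it came from.
$hits = $lockouts | Where-Object { $HighPriority -contains $_.User }
foreach ($h in ($hits | Sort-Object User -Unique)) {
    Unlock-ADAccount -Identity $h.User -Server $Pdc
    $body = "Account {0} was locked out at {1} from {2}; it has been unlocked automatically." -f $h.User, $h.Time, $h.Caller
    Send-MailMessage @Smtp -Subject "High-priority lockout: $($h.User)" -Body $body
}
```

Automatic unlocking of privileged accounts undoes the zero-duration policy when the lockouts are attacker-driven, so in practice gate the Unlock-ADAccount call on the caller computer being one of the account owner's known machines and let everything else go to a human.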

 

Manage multiple device logins

Mail and other apps that authenticate with AD credentials, such as Outlook and mobile mail clients connecting to Exchange, keep a stored copy of the password and keep presenting it after the user changes it. In Windows Server 2003 and later, a failed attempt that uses either of the account's two previous passwords is not counted as a bad password, so a device holding the immediately previous password will not cause a lockout on its own, but a device holding an older password will. Users should update the password on every device as soon as they change it, and certainly before it is more than two changes out of date.

* The average cost of handling a ticket is $15.56 (MetricNet).
** 90% of cyber attacks are caused by human error (MetricNet).

Try ADAudit Plus to seamlessly find and resolve locked out user accounts.

Download a 30-day free trial.
