Account lockout duration

Active Directory Auditing Tool

Knowing who did what, where and when is essential for an administrator to have complete knowledge of the activity in their Active Directory and to tell desired activity from undesired. ADAudit Plus presents this information as reports. It audits, monitors and reports on critical resources in the network, such as the Domain Controllers, in real time, covering changes to AD objects (Users, Groups, GPOs, Computers, OUs, DNS, AD Schema and Configuration) with 200+ event-specific GUI reports and email alerts.


A brief look at configuring the Account Lockout Policy settings

The Account lockout duration policy setting determines the number of minutes a locked-out account stays locked before it is automatically unlocked. The duration can be set between 1 and 99,999 minutes. A value of 0 means the account stays locked out until an administrator unlocks it.

If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after. The Account lockout duration policy can only be defined after the Account lockout threshold policy has been defined.

Lockout Duration Policy values

The Account lockout duration value is expressed in minutes and can range from 0 through 99,999. It can also be left Not Defined. (The Account lockout threshold, by contrast, is expressed in failed logon attempts, from 0 through 999.)

When the number of failed logon attempts reaches the configured Account lockout threshold, the account is locked out. With an Account lockout duration value of 0, the account remains locked until an administrator manually unlocks it.

Microsoft recommends configuring the Account lockout duration to approximately 15 minutes. To ensure that accounts are never locked out, set the Account lockout threshold value to 0.
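The value rules above, checked and applied with the ActiveDirectory PowerShell module. This is an added example, not code from the original page or from ADAudit Plus. The function names Test-LockoutPolicy and Set-DomainLockoutPolicy, the illustrative defaults (10 attempts, 15 minutes, 15 minutes) and the assumption that it runs as a Domain Admin on a host with RSAT installed are mine, not the page's.

```powershell
# Added example; not part of the original page or of ADAudit Plus.
# Checks the Account Lockout Policy rules described above, applies the values
# with the ActiveDirectory module, and reads them back.
# Assumptions: run as a Domain Admin on a host with RSAT (ActiveDirectory module).

function Test-LockoutPolicy {
    param(
        [int]$Threshold,            # failed attempts, 0-999; 0 = never lock out
        [int]$DurationMinutes,      # 0-99,999; 0 = locked until an administrator unlocks
        [int]$ResetCounterMinutes   # "Reset account lockout counter after", 1-99,999
    )
    if ($Threshold -lt 0 -or $Threshold -gt 999) { return 'Threshold must be 0-999 attempts' }
    if ($DurationMinutes -lt 0 -or $DurationMinutes -gt 99999) { return 'Duration must be 0-99999 minutes' }
    if ($ResetCounterMinutes -lt 1 -or $ResetCounterMinutes -gt 99999) { return 'Reset counter must be 1-99999 minutes' }
    if ($Threshold -eq 0) { return 'OK (lockout disabled; duration and reset counter are not applied)' }
    # Duration 0 means "until unlocked by an administrator" and is treated as infinite;
    # any other duration must be >= the reset window.
    if ($DurationMinutes -ne 0 -and $DurationMinutes -lt $ResetCounterMinutes) {
        return "Duration ($DurationMinutes min) must be >= reset counter ($ResetCounterMinutes min)"
    }
    return 'OK'
}

function Set-DomainLockoutPolicy {
    param(
        [int]$Threshold = 10,          # illustrative defaults, not a recommendation from the page
        [int]$DurationMinutes = 15,
        [int]$ResetCounterMinutes = 15
    )
    $check = Test-LockoutPolicy $Threshold $DurationMinutes $ResetCounterMinutes
    if ($check -notlike 'OK*') { throw "Refusing to apply: $check" }
    # A duration of 0 (manual unlock) is set here through the Default Domain Policy GPO, not this cmdlet.
    if ($DurationMinutes -eq 0) { throw 'Set a duration of 0 (manual unlock) in the Default Domain Policy GPO instead' }

    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
        -LockoutThreshold $Threshold `
        -LockoutDuration (New-TimeSpan -Minutes $DurationMinutes) `
        -LockoutObservationWindow (New-TimeSpan -Minutes $ResetCounterMinutes)

    # Read back what the domain now enforces.
    Get-ADDefaultDomainPasswordPolicy -Identity $domainDn |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# Dry checks that need no AD connection:
Test-LockoutPolicy -Threshold 10 -DurationMinutes 15 -ResetCounterMinutes 15   # a valid baseline
Test-LockoutPolicy -Threshold 5  -DurationMinutes 10 -ResetCounterMinutes 30   # duration shorter than reset window
Test-LockoutPolicy -Threshold 0  -DurationMinutes 0  -ResetCounterMinutes 30   # lockout disabled

# Apply on the domain (uncomment on a DC or RSAT host as Domain Admin):
# Set-DomainLockoutPolicy -Threshold 10 -DurationMinutes 15 -ResetCounterMinutes 15
```

Set-ADDefaultDomainPasswordPolicy writes the lockoutThreshold, lockoutDuration and lockOutObservationWindow attributes on the domain object. In a domain the Default Domain Policy GPO normally sets those same attributes via the PDC emulator, so either make the change in that GPO or keep it in sync, otherwise the next policy refresh can overwrite what the cmdlet set. On a standalone machine the local equivalent is `net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15`, and `net accounts` alone shows the current local values.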

Security aspects of Account Lockout policy:

You can identify an attacker's attempts to log on to a computer by the numerous failed logon attempts that brute-force password guessing produces.

Windows keeps track of logon attempts, and the operating system can be configured to disable an account for a preset period once the number of failed attempts crosses a threshold. The Account lockout policy settings determine what action is taken after the threshold is crossed.

Loopholes:

One loophole an IT administrator may encounter with this policy is that an attacker can abuse the Account lockout threshold setting by making repeated failed logon attempts against a specific account, deliberately locking it out; this amounts to a denial-of-service (DoS) attack. A low threshold combined with a long or indefinite lockout duration makes this attack cheaper for the attacker and more disruptive for the victim.
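Both patterns, the brute-force guessing described under Security aspects and the lockout DoS described here, can be spotted in the Windows Security log. This is an added example, not code from the original page or from ADAudit Plus. The event IDs are the standard Windows ones (4625 = failed logon, 4740 = account locked out); the function names ConvertFrom-LockoutEvent and Find-LockoutAnomalies, the thresholds (20 failures from one source, 3 distinct accounts locked by one caller) and the sample events are constructed for illustration.

```powershell
# Added example; not part of the original page or of ADAudit Plus.
# Flags two patterns from Security log events:
#   4625 (failed logon)        -> many failures from one source   = password guessing
#   4740 (account locked out)  -> one caller locking many accounts = lockout DoS
# Assumption: run on the PDC emulator, which records a 4740 for every lockout in the domain.

# Reduce a 4625/4740 EventRecord (from Get-WinEvent) to the fields the analysis needs.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # In 4740 the field named TargetDomainName carries the "Caller Computer Name";
        # in 4625 the source is the client IP, or the workstation name when no IP is recorded.
        $source = if ($Event.Id -eq 4740) { $data['TargetDomainName'] }
                  elseif ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $data['IpAddress'] }
                  else { $data['WorkstationName'] }
        [pscustomobject]@{
            Id      = $Event.Id
            Time    = $Event.TimeCreated
            Account = $data['TargetUserName']
            Source  = $source
        }
    }
}

# Group reduced events by source and emit one finding per source that exceeds a threshold.
function Find-LockoutAnomalies {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MaxFailuresPerSource = 20,   # illustrative; tune to the configured lockout threshold
        [int]$MaxLockoutsPerSource = 3     # distinct accounts one caller may lock before we flag it
    )
    $Events | Where-Object Id -eq 4625 | Group-Object Source |
        Where-Object Count -ge $MaxFailuresPerSource |
        ForEach-Object {
            [pscustomobject]@{
                Pattern  = 'PasswordGuessing'
                Source   = $_.Name
                Count    = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ','
            }
        }
    $Events | Where-Object Id -eq 4740 | Group-Object Source |
        ForEach-Object {
            $accts = @($_.Group.Account | Sort-Object -Unique)
            if ($accts.Count -ge $MaxLockoutsPerSource) {
                [pscustomobject]@{
                    Pattern  = 'LockoutDoS'
                    Source   = $_.Name
                    Count    = $accts.Count
                    Accounts = $accts -join ','
                }
            }
        }
}

# Constructed sample data standing in for parsed events (not real log entries).
$now = Get-Date
$sample = @(
    foreach ($i in 1..25) { [pscustomobject]@{ Id = 4625; Time = $now.AddSeconds($i); Account = 'alice'; Source = '10.0.0.99' } }
    foreach ($u in 'alice', 'bob', 'carol', 'dave') { [pscustomobject]@{ Id = 4740; Time = $now.AddMinutes(1); Account = $u; Source = 'WS-ATTACK01' } }
    [pscustomobject]@{ Id = 4740; Time = $now; Account = 'erin'; Source = 'WS-ERIN' }   # an ordinary mistyped-password lockout
)
Find-LockoutAnomalies -Events $sample | Format-Table -AutoSize

# Against the live Security log on a domain controller (last hour):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-LockoutEvent | Find-LockoutAnomalies
```

On the sample data the 10.0.0.99 source is reported for password guessing and WS-ATTACK01 for lockout DoS, while WS-ERIN's single lockout is ignored. 4625 events are written on whichever DC or server rejected the logon, so collect them from all domain controllers for a complete picture, and tune MaxFailuresPerSource to the configured Account lockout threshold: a source that exceeds the threshold within one observation window has already caused a lockout.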

Counteractions

Configure the Account lockout duration policy setting to an appropriate value for your environment. For better protection against brute-force attacks, configure the Account lockout threshold setting together with Account lockout duration and Reset account lockout counter after, so that automated password guessing is slowed down without a single burst of failed attempts locking accounts out indefinitely.

About ADAudit Plus

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes
  • Azure AD logons, and changes to roles, groups, and applications
  • PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.