Every day, sysadmins have the strenuous task of handling multiple tickets, many of which are raised by users who get locked out of their account when they forget or mistype their passwords one too many times. Resolving these lockouts consumes valuable company time and money, with the average cost of handling a ticket at almost $15.* It's important for organizations to thoughtfully configure their account lockout policies to help reduce the number of lockouts without compromising their network's security. Although it's not possible to prevent all lockouts, implementing these best practices can reduce their number significantly.
The right account lockout duration depends on organization-specific factors such as the number of users and the industry. Setting the duration to zero keeps a locked account locked until an administrator unlocks it; this is the most secure choice, but it also generates the most help desk requests. The recommended duration is between 30 and 60 minutes.
If the account lockout threshold is set too low, accidental lockouts will be frequent. A low threshold also exposes accounts to a denial-of-service attack, since an attacker needs only a few deliberate wrong passwords to lock a user out. If the threshold is set too high, a successful brute-force attack becomes more likely because the attacker gets more guesses before the account locks. The recommended threshold is 15 to 50 failed attempts.
When choosing the "reset account lockout counter after" value, organizations need to weigh the type and level of threats they face against the cost of help desk calls. Windows requires this value to be less than or equal to the account lockout duration. The recommended setting is under 30 minutes.
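The three settings above can be checked and applied together. The following PowerShell is an added example, not code from the original article: it audits the default domain policy against the ranges recommended above and then applies the middle-of-the-range values. It assumes the ActiveDirectory RSAT module and rights to change the domain's account policy; the values in `$new` are the ones this article recommends, not a Microsoft baseline.

```powershell
# Added example (not from the original article): audit the default domain lockout
# policy against this article's recommended ranges, then apply chosen values.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    # Returns one finding string per problem; no output means the values are
    # consistent with each other and inside the recommended ranges.
    param([int]$Threshold, [TimeSpan]$Duration, [TimeSpan]$Window)
    $findings = @()

    if ($Threshold -eq 0) {
        $findings += 'Threshold 0: accounts never lock out, so password guessing is unlimited.'
    } elseif ($Threshold -lt 15) {
        $findings += "Threshold $Threshold is low: accidental lockouts and deliberate lockout DoS become easy."
    } elseif ($Threshold -gt 50) {
        $findings += "Threshold $Threshold is high: an attacker gets more guesses before each lockout."
    }

    # Assumption: an indefinite lockout ("until an administrator unlocks") is reported
    # either as 0 or as the maximum TimeSpan depending on how it was configured.
    $indefinite = ($Duration -eq [TimeSpan]::Zero) -or ($Duration -eq [TimeSpan]::MaxValue)
    if ($indefinite) {
        $findings += 'Duration 0: accounts stay locked until an admin unlocks them (expect more help desk calls).'
    } elseif ($Duration -lt [TimeSpan]::FromMinutes(30) -or $Duration -gt [TimeSpan]::FromMinutes(60)) {
        $findings += "Duration $Duration is outside the recommended 30 to 60 minutes."
    }

    if ($Window -ge [TimeSpan]::FromMinutes(30)) {
        $findings += "Reset window $Window should be under 30 minutes."
    }
    if (-not $indefinite -and $Window -gt $Duration) {
        $findings += "Reset window $Window exceeds lockout duration $Duration; Windows rejects this combination."
    }
    return $findings
}

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Current: threshold={0} duration={1} window={2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow
Test-LockoutPolicy -Threshold $policy.LockoutThreshold `
                   -Duration  $policy.LockoutDuration `
                   -Window    $policy.LockoutObservationWindow

# Values chosen for this example (inside the article's recommended ranges).
$new = @{ Threshold = 15; Duration = [TimeSpan]::FromMinutes(30); Window = [TimeSpan]::FromMinutes(15) }
if (Test-LockoutPolicy @new) { throw 'Chosen values fail the checks above; not applying.' }

# Caveat: this writes the lockout attributes on the domain head directly. If the
# Default Domain Policy GPO also defines Account Lockout Policy settings, the PDC
# emulator re-applies the GPO values, so make the durable change in the GPO
# (Computer Configuration > Policies > Windows Settings > Security Settings >
# Account Policies > Account Lockout Policy) and use the cmdlets to verify it.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold $new.Threshold `
    -LockoutDuration $new.Duration `
    -LockoutObservationWindow $new.Window

$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Applied: threshold={0} duration={1} window={2}" -f `
    $after.LockoutThreshold, $after.LockoutDuration, $after.LockoutObservationWindow
```

Run the audit part on its own first (everything up to and including the `Test-LockoutPolicy` call); an empty result means the live policy already matches the recommendations and nothing needs to be written.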
Different combinations of these values should be set for users at different security levels. Active Directory supports this through Fine-Grained Password Policies (FGPP), which are implemented as Password Settings Objects applied to users or groups; when several apply, the one with the lowest precedence value wins. For low security users, account lockouts can be disabled by setting the threshold to zero. For high security users, such as admins and managers, the account lockout duration should be set to zero so that a locked account can only be unlocked by an admin, and the threshold should be low, since these users are expected to know their passwords and enter their credentials with care.
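As an added example (not from the original article), the following PowerShell creates the two tiers described above as Password Settings Objects, assigns them to groups, and shows which policy a given user actually receives. The PSO names, the 'Kiosk Users' group and the user 'jdoe' are assumptions; 'Domain Admins' is the built-in group. Expressing "locked until an administrator unlocks" as `[TimeSpan]::MaxValue` is also an assumption to verify in Active Directory Administrative Center after running.

```powershell
# Added example (not from the original article): two FGPP tiers for lockout.
Import-Module ActiveDirectory

$tiers = @(
    @{  Name = 'PSO-LowSecurity-NoLockout'; Precedence = 300; Subjects = 'Kiosk Users'   # assumed group
        Threshold = 0                                   # 0 = this account never locks out
        Duration  = [TimeSpan]::FromMinutes(30); Window = [TimeSpan]::FromMinutes(30) }
    @{  Name = 'PSO-HighSecurity-Admins'; Precedence = 100; Subjects = 'Domain Admins'
        Threshold = 5                                   # low threshold: admins should know their passwords
        # Assumption: MaxValue is how the cmdlets represent "until an administrator unlocks".
        Duration  = [TimeSpan]::MaxValue;        Window = [TimeSpan]::FromMinutes(30) }
)

foreach ($t in $tiers) {
    $pso = Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$($t.Name)'"
    if (-not $pso) {
        # A PSO must carry a complete set of password settings, so the password
        # attributes are filled with values matching common domain defaults.
        $pso = New-ADFineGrainedPasswordPolicy -Name $t.Name -DisplayName $t.Name -Precedence $t.Precedence `
            -LockoutThreshold $t.Threshold -LockoutDuration $t.Duration -LockoutObservationWindow $t.Window `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 24 `
            -MinPasswordLength 7 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' -PassThru
    } else {
        # Re-running the script only refreshes the lockout values of an existing PSO.
        Set-ADFineGrainedPasswordPolicy -Identity $pso -LockoutThreshold $t.Threshold `
            -LockoutDuration $t.Duration -LockoutObservationWindow $t.Window
    }

    # Attach the group unless it is already a subject of this PSO.
    $current = Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Select-Object -ExpandProperty Name
    if ($current -notcontains $t.Subjects) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $t.Subjects
    }
    "{0}: precedence {1}, threshold {2}, duration {3} -> applied to '{4}'" -f `
        $t.Name, $t.Precedence, $t.Threshold, $t.Duration, $t.Subjects
}

# A user in several groups gets the PSO with the lowest precedence value. If no PSO
# applies, the cmdlet returns nothing and the default domain policy is in force.
$user = 'jdoe'   # assumed account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    "$user gets PSO '$($resultant.Name)' (threshold $($resultant.LockoutThreshold), duration $($resultant.LockoutDuration))"
} else {
    "$user gets the default domain policy"
}
```

Precedence matters more than it looks: an admin who is also in a low-security group must end up with the admin PSO, which is why the admin tier uses the smaller precedence value and the resultant-policy check is part of the script.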
Ninety-five percent of cybersecurity breaches are caused by human error.** Organizations can reduce this number by conducting cybersecurity awareness training regularly to educate employees on how to avoid account lockouts.
User behavior analytics (UBA) can detect unusual spikes in account lockout activity against a baseline of normal activity. This is particularly useful when an organization has so many employees that tracking each user's lockout activity by hand is impossible.
A major cause of account lockouts is the use of stale credentials: a password saved by a system service, a scheduled task, a mapped drive or Credential Manager entry, or a disconnected terminal session keeps being submitted after the user has changed it. Updating the stored credentials (or clearing the cached entries in Credential Manager), logging off disconnected sessions, and restarting the computer resolves most of these cases.
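Finding where a stale credential is coming from is usually the hard part. The PowerShell below is an added example, not code from the original article: run on the computer that the lockout event names, it lists services, scheduled tasks, Credential Manager entries and disconnected sessions that use a given account and suggests the fix for each; a second function asks every domain controller for its bad-password counters, since that attribute is not replicated and the DC with the count points at where the attempts arrive. The account 'jdoe' is an assumption.

```powershell
# Added example (not from the original article): where is a user's old password cached?
Import-Module ActiveDirectory

function Find-StaleCredentialSources {
    # Run elevated on the suspect computer; Credential Manager is per user, so run the
    # cmdkey part in the affected user's own session.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $p  = [regex]::Escape($SamAccountName)
    $rx = "(^|\\|@)$p(@|$)"          # matches CONTOSO\jdoe, .\jdoe and jdoe@contoso.com

    # 1. Services running under the account
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $rx } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Account = $_.StartName
                           Fix = "sc.exe config $($_.Name) obj= `"$($_.StartName)`" password= <new>" }
    }

    # 2. Scheduled tasks whose principal is the account
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $rx } | ForEach-Object {
        [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId
                           Fix = "Set-ScheduledTask -TaskPath '$($_.TaskPath)' -TaskName '$($_.TaskName)' -User '$($_.Principal.UserId)' -Password <new>" }
    }

    # 3. Credential Manager entries (cmdkey prints "Target:" then "User:" lines per entry)
    $target = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim() -replace '^.*target=', ''   # strip "Domain:target=" prefix
        } elseif ($line -match '^\s*User:\s*(.+)$' -and $Matches[1] -match $rx) {
            [pscustomobject]@{ Source = 'CredentialManager'; Name = $target; Account = $Matches[1].Trim()
                               Fix = "cmdkey /delete:$target" }
        }
    }

    # 4. Disconnected sessions; quser rows for them have no SESSIONNAME column,
    #    so after splitting on runs of spaces the ID is the second field.
    foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
        $f = ($line.Trim() -replace '^>', '') -split '\s{2,}'
        if ($f[0] -match "^$p$" -and $line -match '\bDisc\b') {
            [pscustomobject]@{ Source = 'DisconnectedSession'; Name = "Session $($f[1])"; Account = $f[0]
                               Fix = "logoff $($f[1])" }
        }
    }
}

function Get-BadPasswordCounters {
    # badPwdCount is kept per DC (not replicated), so a non-zero count on one DC
    # tells you which site the bad passwords are reaching.
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
        [pscustomobject]@{ DC = $dc.HostName; BadPwdCount = $u.badPwdCount
                           LastBadPassword = $u.LastBadPasswordAttempt; LockedOut = $u.LockedOut }
    }
}

Find-StaleCredentialSources -SamAccountName 'jdoe' | Format-Table -AutoSize   # 'jdoe' is assumed
Get-BadPasswordCounters     -SamAccountName 'jdoe' | Format-Table -AutoSize
```

The `Fix` column deliberately prints the command rather than running it: changing a service or task password takes the new secret, and clearing a Credential Manager entry or logging off a session is something to confirm with the user first.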
Enable notifications to get real-time alerts for high security user account lockouts, which can help unlock these accounts faster. Use third-party tools that can run scripts to instantly unlock high-priority locked out accounts.
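The lockout spike detection described in the UBA paragraph above and the real-time alerting and unlock scripting described here both start from the same data: Security event 4740 ("A user account was locked out"), which is logged on the PDC emulator and names both the locked account and the computer that sent the bad passwords. The PowerShell below is an added example, not code from the original article or any vendor tool: it parses 4740 events, flags hours whose lockout count stands out from the surrounding baseline, and alerts on (and optionally unlocks) accounts in high-priority groups. The sample events, the group names, the mail addresses and the SMTP host are constructed assumptions.

```powershell
# Added example (not from the original article): 4740 parsing, spike detection,
# and high-priority lockout response.
Import-Module ActiveDirectory

function ConvertFrom-LockoutEvent {
    # In 4740's EventData, TargetUserName is the locked account and TargetDomainName
    # holds the caller computer name (the machine that submitted the bad passwords).
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $Event.TimeCreated; User = $data['TargetUserName']; CallerComputer = $data['TargetDomainName'] }
    }
}

function Get-LockoutSpikes {
    # Counts lockouts per hour over the whole window, including empty hours (so the
    # baseline is not inflated), and reports hours above mean + Sigma*stddev that
    # also reach MinCount lockouts, with the top caller computers in that hour.
    param([object[]]$Lockouts, [double]$Sigma = 3, [int]$MinCount = 5)
    if (-not $Lockouts) { return @() }
    $first = ($Lockouts.Time | Measure-Object -Minimum).Minimum
    $last  = ($Lockouts.Time | Measure-Object -Maximum).Maximum
    $counts = [ordered]@{}
    for ($t = $first.Date.AddHours($first.Hour); $t -le $last; $t = $t.AddHours(1)) { $counts[$t] = 0 }
    foreach ($l in $Lockouts) { $counts[$l.Time.Date.AddHours($l.Time.Hour)] += 1 }

    $values = @($counts.Values)
    $mean = ($values | Measure-Object -Average).Average
    $var = 0.0; foreach ($v in $values) { $var += ($v - $mean) * ($v - $mean) }
    $sd = [math]::Sqrt($var / $values.Count)

    foreach ($hour in $counts.Keys) {
        $n = $counts[$hour]
        if ($n -ge $MinCount -and $n -gt $mean + $Sigma * $sd) {
            $inHour  = $Lockouts | Where-Object { $_.Time.Date.AddHours($_.Time.Hour) -eq $hour }
            $callers = $inHour | Group-Object CallerComputer | Sort-Object Count -Descending |
                       Select-Object -First 3 | ForEach-Object { "$($_.Name)=$($_.Count)" }
            [pscustomobject]@{ Hour = $hour; Lockouts = $n; Baseline = [math]::Round($mean, 2); TopCallers = ($callers -join ', ') }
        }
    }
}

function Invoke-HighPriorityLockoutResponse {
    # Alerts on lockouts of accounts in the given groups; -Unlock clears them.
    # Get-ADPrincipalGroupMembership returns direct memberships only.
    param([object[]]$Lockouts, [string[]]$PriorityGroups, [string]$AlertTo, [switch]$Unlock)
    foreach ($l in ($Lockouts | Sort-Object User -Unique)) {
        $groups = Get-ADPrincipalGroupMembership -Identity $l.User | Select-Object -ExpandProperty Name
        $hit = @($groups | Where-Object { $PriorityGroups -contains $_ })
        if (-not $hit) { continue }
        $msg = "High-priority account $($l.User) locked out at $($l.Time) from $($l.CallerComputer) (groups: $($hit -join ', '))"
        Write-Warning $msg
        if ($AlertTo) {   # assumed addresses and SMTP host
            Send-MailMessage -To $AlertTo -From 'lockouts@example.invalid' -Subject 'High-priority lockout' -Body $msg -SmtpServer 'smtp.example.invalid'
        }
        if ($Unlock) { Unlock-ADAccount -Identity $l.User; Write-Warning "Unlocked $($l.User)" }
    }
}

# Constructed sample: one lockout per hour as baseline, plus 18 in hour 14 from one host.
$base = Get-Date '2024-03-04 00:00:00'
$sample = foreach ($h in 0..23) { [pscustomobject]@{ Time = $base.AddHours($h).AddMinutes(7); User = "user$h"; CallerComputer = "WS-$h" } }
$sample += foreach ($i in 1..18) { [pscustomobject]@{ Time = $base.AddHours(14).AddMinutes($i); User = "user$i"; CallerComputer = 'WS-17' } }
Get-LockoutSpikes -Lockouts $sample | Format-Table -AutoSize      # reports hour 14 with TopCallers WS-17=18, WS-14=1

# Live data: read the last 24 hours of 4740 events from the PDC emulator.
# $pdc = (Get-ADDomain).PDCEmulator
# $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
#             ConvertFrom-LockoutEvent
# Get-LockoutSpikes -Lockouts $lockouts
# Invoke-HighPriorityLockoutResponse -Lockouts $lockouts -PriorityGroups 'Domain Admins', 'Executives' -AlertTo 'soc@example.invalid'
```

The spike test is relative, so a storm that lasts the whole window raises every hour's count and is not flagged; pair it with a fixed ceiling if that matters. Leave `-Unlock` off for the admin tier: with a lockout duration of zero the point is that an administrator looks at the caller computer before the account comes back.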
Mail clients that authenticate to Exchange with AD credentials (Outlook, or mobile mail apps using Exchange ActiveSync) are another common source of stale credentials. On Windows Server 2003 and later domain controllers, a failed logon that uses one of the account's two previous passwords does not increment the bad password count, so a device holding a password that is only one or two changes old will not trigger lockouts. A device holding an older password will, which is why users should update the saved credentials on every device when they change their password, and at the latest before the second following change.