What is Windows Account lockout threshold?

Windows Account lockout threshold is a built-in security policy setting that determines when a user account is locked out. It sets the number of failed logon attempts after which the account is locked; the user cannot log on again until an administrator unlocks the account or the configured Account lockout duration has elapsed. The default value is 0, which means the account is never locked out, however many logon attempts fail. You can configure any value between 0 and 999 failed logon attempts. For example, with a value of 5, the account is locked on the fifth invalid logon attempt. The failed-attempt counter is cleared by a successful logon, and otherwise after the number of minutes set in the companion setting Reset account lockout counter after, so the threshold is really "N failures within the reset window". The setting can be configured in the local security policy of the computer, unless the network administrator has restricted this, or centrally by the network administrator in the Group Policy Management Console.

How does Account lockout threshold help curb security threats?

To protect your computer from unauthorized use, Windows 10/8/7 lets you enforce an Account lockout threshold. A malicious actor may try to guess your Windows account password by trial and error, known as a brute-force attack. To stop such attempts from succeeding, use Account lockout threshold to restrict the number of invalid logon attempts; once the threshold is exceeded, the account is locked for the configured Account lockout duration. Two caveats apply. The threshold only throttles online guessing against the logon interface: an attacker who has obtained a copy of the password hashes can guess offline without ever touching the lockout counter. And an attacker who knows or guesses the threshold can stay below it (password spraying, a few guesses per account across many accounts, never triggers a lockout) or deliberately exceed it to lock legitimate users out. The threshold therefore complements strong passwords and monitoring of failed logons rather than replacing them.
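The lockout a brute-force attempt triggers is visible in the Security event log as event 4740 (account locked out), and the failed attempts that precede it as event 4625. The following PowerShell, an added example that is not from the original page, pulls both so you can see the threshold working and, just as importantly, spot the sub-threshold spraying it does not stop. It assumes an elevated prompt on the domain controller that recorded the lockout (for domain accounts) or on a standalone machine (for local accounts); the threshold value, the 24-hour look-back and the "10 distinct accounts" spray heuristic are assumptions, not values from the page.

```powershell
# Added example (not from the original page): review lockouts (event 4740) and
# failed logons (event 4625) in the Security log. Run elevated on the DC that
# processed the lockout, or on a standalone machine for local accounts.
# The threshold, look-back window and spray heuristic below are assumptions.

$Threshold = 5                         # assumed configured lockout threshold
$Since     = (Get-Date).AddHours(-24)  # assumed look-back window

# Convert an event's EventData block into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Accounts that hit the threshold and were locked out. In 4740 the field
#    named TargetDomainName actually carries the caller computer name (the
#    machine the bad passwords came from), not a domain.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f['TargetUserName']; CallerComputer = $f['TargetDomainName'] }
    }
"Lockouts since $Since"
$lockouts | Format-Table -AutoSize

# 2. Failed logons grouped by source. A threshold only stops an attacker who
#    keeps hammering one account; spraying a few guesses over many accounts
#    never reaches it, so look for sources with many distinct target accounts
#    and a per-account failure count below the threshold.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $f['TargetUserName']
            Source    = $f['IpAddress']
            SubStatus = $f['SubStatus']   # 0xC000006A = bad password, 0xC0000234 = account already locked
        }
    }

"Failed logons by source since $Since"
$failed | Group-Object Source | ForEach-Object {
    $perAccount = @($_.Group | Group-Object Account)   # @() keeps .Count meaning "number of accounts"
    $maxPerAccount = ($perAccount | Measure-Object Count -Maximum).Maximum
    [pscustomobject]@{
        Source           = $_.Name
        Failures         = $_.Count
        DistinctAccounts = $perAccount.Count
        MaxPerAccount    = $maxPerAccount
        LooksLikeSpray   = ($perAccount.Count -ge 10) -and ($maxPerAccount -lt $Threshold)   # assumed heuristic
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Domain lockouts are replicated to the PDC emulator, so querying that DC gives the most complete 4740 view; 4625 events stay on the machine or DC that rejected the logon, so for a domain-wide picture run the second part against each DC or a log collector.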

Account lockout threshold best practices and recommendations:

Though a low Account lockout threshold limits brute-force attacks, it also increases help desk tickets, since users who mistype their password a few times lock themselves out, and it makes it easier for an attacker to lock accounts deliberately (a denial of service). To strike a balance between the two, set the Account lockout threshold value to 20. Microsoft's Windows 10 security baseline uses 10 and CIS benchmarks recommend 5 or fewer; whichever value you choose, never leave it at 0. Configure Account lockout duration and Reset account lockout counter after together with the threshold, because Windows requires the duration to be greater than or equal to the reset window, and a threshold with no companion values is only half a policy.

Location for configuring Account lockout threshold:

The Account lockout threshold setting can be configured in the following location in the Group Policy Management Console: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. Note that for domain accounts Windows takes the account lockout policy only from GPOs linked at the domain root (by default the Default Domain Policy) or from a fine-grained password policy; the same setting in a GPO linked to an OU affects only the local accounts on the computers in that OU.

However, if your administrator has allowed you to configure it locally, open Local Security Policy (secpol.msc), expand Security Settings\Account Policies\Account Lockout Policy in the left pane, and you will find Account lockout threshold alongside Account lockout duration and Reset account lockout counter after.
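The same local policy can be audited and set from the command line, which is easier to script than clicking through secpol.msc. The following PowerShell is an added example and not code from the original page or from ManageEngine; it exports the local security policy with secedit, reads the three lockout values from the [System Access] section, compares them with a target, and optionally applies the target with net accounts. The target values (threshold 20, duration 30 minutes, reset window 30 minutes) combine this page's recommended threshold with assumed companion values; the temporary file name is also an assumption.

```powershell
# Added example (not from the original page): audit the local Account Lockout
# Policy and optionally set it. Run from an elevated PowerShell prompt on the
# machine itself. Threshold 20 is this page's recommendation; the 30-minute
# duration and reset window are assumed companion values.

$Target = @{ LockoutBadCount = 20; LockoutDuration = 30; ResetLockoutCount = 30 }

# secedit exports the local security policy as a UTF-16 INF file; the three
# lockout settings live under [System Access]. LockoutDuration = -1 means
# "locked until an administrator unlocks it" (shown as 0 in the GUI).
function Get-LocalLockoutPolicy {
    $inf = Join-Path $env:TEMP 'lockout-audit.inf'   # assumed scratch file name
    Remove-Item $inf -ErrorAction SilentlyContinue
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf -Encoding Unicode) {
        if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

# Return one line per setting that differs from the target; empty means compliant.
function Test-LocalLockoutPolicy {
    param([hashtable]$Policy, [hashtable]$Target)
    $drift = @()
    foreach ($key in $Target.Keys) {
        $actual = $Policy[$key]
        if ($actual -ne $Target[$key]) {
            $note = if ($key -eq 'LockoutBadCount' -and $actual -eq 0) { ' (lockout disabled)' } else { '' }
            $drift += "$key is $actual, expected $($Target[$key])$note"
        }
    }
    return $drift
}

function Set-LocalLockoutPolicy {
    param([int]$Threshold, [int]$DurationMinutes, [int]$WindowMinutes)
    # Windows requires the lockout duration to be >= the reset window.
    if ($DurationMinutes -lt $WindowMinutes) {
        throw 'Account lockout duration must be greater than or equal to the reset window.'
    }
    # net accounts writes the same SAM policy values that secpol.msc edits.
    net.exe accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

$current = Get-LocalLockoutPolicy
$drift   = @(Test-LocalLockoutPolicy -Policy $current -Target $Target)
if ($drift.Count -eq 0) {
    "Compliant: threshold $($current.LockoutBadCount), duration $($current.LockoutDuration) min, reset $($current.ResetLockoutCount) min"
} else {
    "Non-compliant:`n  " + ($drift -join "`n  ")
    # Uncomment to remediate. On a domain-joined machine this affects local
    # accounts only, and a GPO that sets these values will overwrite it at
    # the next policy refresh (gpupdate /force).
    # Set-LocalLockoutPolicy -Threshold $Target.LockoutBadCount -DurationMinutes $Target.LockoutDuration -WindowMinutes $Target.ResetLockoutCount
}
```

Run the script as-is to get a compliance report; uncomment the Set-LocalLockoutPolicy line to enforce the target. The remediation is deliberately not automatic, because on a domain member it only governs local accounts and will be reverted by any GPO that manages the same values.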


How to centrally manage the Account lockout threshold in your Windows machines?

If you're running a Windows-based network, you can configure Account lockout threshold for all Windows machines in the network using a Group Policy Object: the domain-root GPO for domain accounts, and OU-linked GPOs for the local accounts on member machines. However, configuring GPOs and verifying that every machine actually received the intended values is a tedious process.
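Before or after rolling the setting out by GPO, it helps to confirm what the domain is actually enforcing. The following PowerShell is an added example (not from the original page or ManageEngine) that reads the effective domain lockout policy, lists any fine-grained password policies that override it for particular users or groups, shows which accounts are locked out right now, and checks the local SAM policy on a few member machines. It assumes a workstation with the RSAT ActiveDirectory module and PowerShell remoting enabled; the expected threshold of 20 is this page's recommendation, and the computer names are placeholders.

```powershell
# Added example (not from the original page): domain-wide view of the account
# lockout threshold. Requires the ActiveDirectory module (RSAT) and, for the
# last step, PowerShell remoting to the member machines. Computer names are
# placeholders; the expected threshold follows this page's recommendation.

Import-Module ActiveDirectory

$Expected = 20

# The domain account lockout policy is stored on the domain object itself and
# is written by the GPO linked at the domain root (Default Domain Policy).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    Scope                    = 'Domain default'
    LockoutThreshold         = $domainPolicy.LockoutThreshold
    LockoutDurationMinutes   = $domainPolicy.LockoutDuration.TotalMinutes
    ObservationWindowMinutes = $domainPolicy.LockoutObservationWindow.TotalMinutes
    Compliant                = ($domainPolicy.LockoutThreshold -gt 0) -and ($domainPolicy.LockoutThreshold -le $Expected)
} | Format-List

# Fine-grained password policies (PSOs) override the domain default for the
# users and groups they apply to; a PSO with LockoutThreshold 0 silently
# exempts its members from lockout, so list them all.
"Fine-grained password policies:"
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name             = $_.Name
        Precedence       = $_.Precedence
        AppliesTo        = ($_.AppliesTo -join '; ')
        LockoutThreshold = $_.LockoutThreshold
        Compliant        = ($_.LockoutThreshold -gt 0) -and ($_.LockoutThreshold -le $Expected)
    }
} | Format-Table -AutoSize

# Accounts locked out right now. A sudden spike usually means either a
# deliberate lockout flood or a device retrying a stale password.
"Currently locked-out accounts:"
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# The local SAM policy on member machines governs only local accounts (for
# example the built-in Administrator) but can drift from what the OU GPO
# intends; "net accounts" prints the values in effect on each machine.
$computers = @('WS01', 'WS02')   # placeholder computer names
"Local lockout threshold on member machines:"
Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $line = net.exe accounts | Where-Object { $_ -match '^Lockout threshold:\s*(\S+)' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; LocalLockoutThreshold = $matches[1] }
} | Select-Object Computer, LocalLockoutThreshold | Format-Table -AutoSize
```

The Compliant flag treats any non-zero threshold at or below the expected value as acceptable, so a domain that already enforces a stricter value is not flagged; tighten the comparison if your policy demands one exact number.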

ManageEngine Vulnerability Manager Plus, a threat and vulnerability management solution to detect, assess and remediate vulnerabilities and misconfigurations, takes the tedium out of this. With Vulnerability Manager Plus, you can continuously scan your network for machines in which Account lockout threshold and other security settings are poorly configured and bring them back to compliance by deploying the secure configuration with a single click.

Download a free, 30-day trial of Vulnerability Manager Plus and establish secure configurations across all your Windows endpoints.