Account Lockout Threshold

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.


A brief look at configuring Account Lockout Threshold policy

Hackers can automate brute force attacks to try thousands of password permutations for numerous user accounts. These attacks can be combated by limiting the failed attempts.

The Account lockout threshold policy setting defines the number of failed sign-in attempts that will lead to account lockout. Once locked, an account cannot be logged into until it is reset by an administrator or until the duration specified by the Account lockout duration policy setting expires. The threshold can be configured to any value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. When the threshold is set to a number greater than zero, the Account lockout duration must be set to a value greater than or equal to the value of Reset account lockout counter after.

There is still a risk that a denial-of-service (DoS) attack could be launched against a domain that has an account lockout threshold configured. A malicious user could run a scripted batch of password attempts against users in an organization; once the number of attempts exceeds the Account lockout threshold, the attacker could potentially lock every account.
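The lockout-based DoS described above leaves a recognisable trace on the domain controllers: many distinct accounts locked out from the same source machine within a short window. The following PowerShell is an added example, not code from ADAudit Plus or from Microsoft, that surfaces that pattern from event ID 4740 ("A user account was locked out") in the Security log. It assumes it is run on the PDC emulator (which records every lockout in the domain) with rights to read the Security log, and it assumes that the first event property of a 4740 event is the locked account and the second is the caller computer name; the `Get-MassLockoutSources` function name and its thresholds are choices made for this example.

```powershell
# Added example (not part of the original page): flag sources that locked out
# many different accounts in a short window, the signature of a lockout DoS.
function Get-MassLockoutSources {
    param(
        [int]$Hours = 1,       # look-back window
        [int]$MinAccounts = 5  # distinct accounts from one source before it is flagged
    )

    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Assumption: Properties[0] = locked account (TargetUserName),
        #             Properties[1] = caller computer name (where the bad attempts came from).
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $e.Properties[0].Value
            Source  = $e.Properties[1].Value
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group | Select-Object -ExpandProperty Account -Unique)
        if ($accounts.Count -ge $MinAccounts) {
            [pscustomobject]@{
                Source         = $_.Name
                AccountsLocked = $accounts.Count
                FirstSeen      = ($_.Group | Measure-Object Time -Minimum).Minimum
                LastSeen       = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        }
    }
}

# Usage: anything listed here deserves a look at the source machine, not just
# unlocking the accounts, because unlocking alone lets the pattern repeat.
Get-MassLockoutSources -Hours 1 -MinAccounts 5 | Format-Table -AutoSize
```

Five accounts from one source in an hour is a deliberately low bar chosen for the example; in a large domain a single misconfigured service or a stale mapped drive can also trip it, so the source column is what separates an outage from an attack.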

A user's workstation can go into a lockout after multiple failed attempts, even if the Interactive logon: Require Domain Controller authentication to unlock workstation security option is disabled. After the account lockout duration, if you log in with the same password, Windows does not need to contact a domain controller to unlock. But if you enter a different password, Windows has to contact a domain controller to verify whether the password has been changed from another machine.

Account Lockout Threshold values

A user can configure threshold values between 0 and 999 or can leave the threshold value undefined.

Recommended configurations:

The threshold that you choose should balance operational efficiency and security, and it depends on the risk appetite of your organization. To allow for user error when typing passwords while still preventing brute force attacks, Microsoft recommends a value of 10 as optimal.

Best Practices for implementation:

  • The odds of a DDoS attack or data theft depend on the security strategy you have created for your systems and environment. The account lockout threshold value should be set considering the known and perceived risk.
  • Take the Kerberos protocol into account when encryption types are negotiated: the client can automatically retry a sign-in attempt, and each retry is counted as a logon attempt and compared against the threshold policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation happens more often.
  • Not all apps in an organizational environment are effective at managing how many times a user can attempt to sign in. For instance, if a connection drops repeatedly while a user is running an app, all subsequent failed sign-in attempts count toward the account lockout threshold.

Combative measures against security loopholes:

As stated above, the policy does leave room for DDoS attacks, and it also presents the challenge of balancing the blocking of brute force attacks against giving legitimate users enough allowance for multiple password attempts.

Set the Account lockout threshold value to 0. This setting ensures that accounts will never be locked, and so it blocks a DoS attack that attempts to lock users out of their accounts.

Configure the Account lockout threshold policy setting to a sufficiently high value to give users enough allowance for mistyping their passwords several times before the account is locked, while still ensuring that trial-and-error password attacks are stopped by the lockout.
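The rules spelled out above (threshold 0 or 1 through 999, Microsoft's recommended value of 10, and lockout duration at least as long as the reset counter window whenever the threshold is non-zero) can be checked against the live domain policy before either of the two options is chosen. The PowerShell below is an added example, not ManageEngine's or Microsoft's code, that reads the default domain policy, reports every deviation from those rules, and shows how the recommended configuration would be applied. It assumes the ActiveDirectory module from RSAT, rights to read and modify the default domain policy, and the `Test-LockoutPolicy` function name and the 30-minute duration and window values are choices made for this example.

```powershell
# Added example (not part of the original page): audit the domain lockout policy
# against the constraints described above, then show how to apply the
# recommended threshold of 10.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] $Policy   # output of Get-ADDefaultDomainPasswordPolicy
    )
    $findings = @()
    $t = [int]$Policy.LockoutThreshold

    if ($t -eq 0) {
        # Option 1 from the page: never lock. No lockout DoS is possible, but
        # nothing throttles password guessing either, so this must be a deliberate choice.
        $findings += "LockoutThreshold is 0: accounts never lock; brute force attempts are not throttled by lockout."
    }
    else {
        if ($t -lt 1 -or $t -gt 999) {
            $findings += "LockoutThreshold $t is outside the valid range of 1 through 999."
        }
        if ($t -gt 10) {
            $findings += "LockoutThreshold $t is above the recommended value of 10."
        }
        # When the threshold is non-zero the lockout duration must be >= the
        # reset counter window. A duration of 0 in the GPO editor means "locked
        # until an administrator unlocks", which satisfies the rule and is skipped here
        # (assumption: the module reports that case as a non-positive TimeSpan).
        if ($Policy.LockoutDuration.TotalSeconds -gt 0 -and
            $Policy.LockoutDuration -lt $Policy.LockoutObservationWindow) {
            $findings += "LockoutDuration $($Policy.LockoutDuration) is shorter than LockoutObservationWindow $($Policy.LockoutObservationWindow); it must be greater than or equal."
        }
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-LockoutPolicy -Policy $policy

if ($findings.Count -eq 0) {
    "Lockout policy is consistent with the recommendations above."
}
else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# Option 2 from the page: threshold 10 with duration equal to the reset window.
# -WhatIf only reports what would change; remove it to commit the change.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -WhatIf
```

Run the check first and read the findings before removing `-WhatIf`: the cmdlet edits the default domain policy, which applies to every account in the domain, and any fine-grained password settings objects that override it for specific groups are not covered by this check.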

About ADAudit Plus

ADAudit Plus is a real time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes
  • Azure AD logons, and changes to roles, groups, and applications
  • PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.