The Windows Account Lockout Policy is a built-in security policy that lets you determine when, and for how long, a user account is locked out. It can be configured from the computer's Local Security Policy, if the network administrator has not restricted this, or by the network administrator in the Group Policy Management Console.
To protect your computer from unauthorized use, Windows 10/8/7 lets you protect it with Account Lockout Policies. A malicious actor may try to guess your Windows account password by trial and error, known as a brute force attack. To stop such attempts from succeeding, you can use Account Lockout Policies to limit the number of invalid logon attempts; once that limit is exceeded, the account is disabled for a specified period, which delays further attempts.
Account Lockout Policy comprises three security settings.
Though strict Account Lockout Policies can prevent brute force attacks, they can also lead to more help desk tickets, since users may accidentally lock themselves out of their accounts by exceeding the threshold during login attempts. To strike a balance between the two, we have listed the best practice for each of the Account Lockout Policy settings:
The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
However, if your administrator has given you access to configure it from the Local Security Policy of your computer, you can open Local Security Policy and find Account Lockout Policy in the left pane.
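As an added example (not code from this article or from ManageEngine), the following PowerShell script exports the Local Security Policy with secedit and checks the lockout values recorded in its [System Access] section against target values. The target values, the temporary file name and the need for an elevated session are assumptions made here; the secedit key names are the ones secedit itself writes.

```powershell
# Added example, not code from the original article or from ManageEngine.
# Audits the local Account Lockout Policy by exporting the local security policy
# with secedit and reading the lockout values from its [System Access] section.
# Assumptions: an elevated PowerShell session (secedit /export needs admin rights),
# and the target values below, which are placeholders to set to your own standard.

function ConvertFrom-SystemAccessSection {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Collect "Name = Value" pairs that appear under the [System Access] header.
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

function Test-AccountLockoutPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [int]$MaxThreshold       = 10,   # assumed ceiling for "Account lockout threshold"
        [int]$MinDurationMinutes = 15,   # assumed floor for "Account lockout duration"
        [int]$MinResetMinutes    = 15    # assumed floor for "Reset account lockout counter after"
    )
    # secedit writes these keys for the three settings; a missing key is treated as 0.
    $threshold = if ($Settings.ContainsKey('LockoutBadCount'))   { [int]$Settings['LockoutBadCount'] }   else { 0 }
    $duration  = if ($Settings.ContainsKey('LockoutDuration'))   { [int]$Settings['LockoutDuration'] }   else { 0 }
    $reset     = if ($Settings.ContainsKey('ResetLockoutCount')) { [int]$Settings['ResetLockoutCount'] } else { 0 }

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($threshold -eq 0) {
        $findings.Add('Lockout threshold is 0: accounts never lock, so repeated password guesses are not slowed down.')
    }
    elseif ($threshold -gt $MaxThreshold) {
        $findings.Add("Lockout threshold is $threshold, above the assumed maximum of $MaxThreshold.")
    }
    else {
        # The other two settings only matter once a threshold is set. In the export, a
        # duration of -1 means the account stays locked until an administrator unlocks it.
        if ($duration -ne -1 -and $duration -lt $MinDurationMinutes) {
            $findings.Add("Lockout duration is $duration minutes, below the assumed minimum of $MinDurationMinutes.")
        }
        if ($reset -lt $MinResetMinutes) {
            $findings.Add("Reset counter window is $reset minutes, below the assumed minimum of $MinResetMinutes.")
        }
    }

    [pscustomobject]@{
        ThresholdAttempts = $threshold
        DurationMinutes   = $duration
        ResetMinutes      = $reset
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Constructed sample export (not captured from a real machine) so the check can be run offline.
# It shows the common misconfiguration of a lockout threshold left at 0.
$sampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
Test-AccountLockoutPolicy -Settings (ConvertFrom-SystemAccessSection -Lines $sampleExport)

# Live check against this machine (requires an elevated session).
$exportPath = Join-Path $env:TEMP 'lockout-audit.inf'
secedit /export /cfg $exportPath /areas SECURITYPOLICY | Out-Null
try {
    $live = ConvertFrom-SystemAccessSection -Lines (Get-Content -Path $exportPath)
    Test-AccountLockoutPolicy -Settings $live
}
finally {
    Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
}
```

The sample export reports Compliant = False with a single finding about the zero threshold; on a real machine the live section returns the effective local values, which is a quick way to confirm that a domain GPO has actually applied before relying on it.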
If you run a Windows-based network, you can configure the Account Lockout Policy for all Windows machines in the network using a Group Policy Object (GPO). However, configuring a GPO is a tedious process.
Now, you can easily fix that with ManageEngine Vulnerability Manager Plus, a threat and vulnerability management solution to detect, assess and remediate vulnerabilities and misconfigurations. With Vulnerability Manager Plus, you can continuously scan your network for machines in which Account Lockout Policies and other security settings are poorly configured and instantly bring them back to compliance by deploying the secure configuration with a single click.