What is Windows Account Lockout Policy?

Windows Account Lockout Policy is a built-in security policy in Windows that lets you determine when, and for how long, a user account is locked out after failed logon attempts. It can be configured from the Local Security Policy of the computer, if the network administrator has not restricted this, or by the network administrator in the Group Policy Management Console.

How does Account Lockout Policy help curb security threats?

To protect your computer from unauthorized use, Windows 10/8/7 provides Account Lockout policies. A malicious threat actor may try to guess your Windows account password by trial and error, known as a brute-force attack. To prevent them from succeeding, you can use Account Lockout policies to restrict the number of invalid logon attempts; once that number is exceeded, the account is disabled for a specified period to delay further attempts.

Components of Account Lockout Policy:

Account Lockout Policy comprises three security settings.

  • Account lockout threshold: sets the number of failed logon attempts after which the user account is locked out.
  • Account lockout duration: sets the number of minutes the account stays locked out once the lockout is triggered.
  • Reset account lockout counter after: sets the time that must elapse after the first failed logon attempt before the failed-attempt counter is reset to 0.

Account lockout policy best practices and recommendations:

Though a strict Account Lockout policy may prevent brute-force attacks, it can also increase help desk tickets, since users may accidentally lock themselves out by exceeding the threshold. To strike a balance between the two, we have listed the best practice for each of the account lockout policy settings:

  • Set the account lockout threshold to 20 invalid logon attempts.
  • Set the account lockout duration to 1440 minutes.
  • Set the reset account lockout counter after value to 30 minutes.
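The three settings described above correspond to the keys LockoutBadCount, LockoutDuration and ResetLockoutCount in the [System Access] section of a security template exported by the built-in secedit tool. The following PowerShell script is an added example (it is not from the original article and is not Vulnerability Manager Plus code) that audits a machine's effective local lockout policy against the recommended values listed here and can re-apply them. The function names, the temporary file paths, and the reading of an exported duration of -1 as "until an administrator unlocks the account" are the example's own assumptions.

```powershell
# Added example, not part of the original article: audit the effective local
# Account Lockout Policy against the recommended values and optionally apply
# them. Uses the built-in secedit tool; run from an elevated prompt.

# Recommended values from the article, keyed by the names secedit writes in
# the [System Access] section of an exported security template.
$Recommended = @{
    LockoutBadCount   = 20    # Account lockout threshold (invalid logon attempts)
    LockoutDuration   = 1440  # Account lockout duration (minutes)
    ResetLockoutCount = 30    # Reset account lockout counter after (minutes)
}

function Get-LocalLockoutPolicy {
    # Export only the SECURITYPOLICY area (Account Policies and Local Policies)
    # and pull the three lockout keys out of the INF text.
    $inf = Join-Path $env:TEMP 'lockout-audit.inf'   # assumed scratch path
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run as administrator.' }

    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy, [hashtable]$Expected)
    $findings = @()

    # A threshold of 0 disables lockout entirely, so password guessing is
    # unrestricted; secedit omits the other two keys in that case.
    if (-not $Policy.ContainsKey('LockoutBadCount') -or $Policy['LockoutBadCount'] -eq 0) {
        return @('Account lockout threshold is 0: lockout is disabled.')
    }
    if ($Policy['LockoutBadCount'] -gt $Expected.LockoutBadCount) {
        $findings += "Threshold is $($Policy['LockoutBadCount']) attempts; recommended $($Expected.LockoutBadCount) or fewer."
    }

    # Assumption: in the exported template a duration of -1 stands for "0" in
    # the GUI, i.e. the account stays locked until an administrator unlocks it.
    $duration = $Policy['LockoutDuration']
    if ($duration -ne -1 -and $duration -lt $Expected.LockoutDuration) {
        $findings += "Lockout duration is $duration minutes; recommended $($Expected.LockoutDuration)."
    }

    $reset = $Policy['ResetLockoutCount']
    if ($reset -lt $Expected.ResetLockoutCount) {
        $findings += "Reset counter window is $reset minutes; recommended $($Expected.ResetLockoutCount)."
    }
    # Windows requires the reset window to be no longer than a finite lockout
    # duration, so flag a combination that the policy editor would reject.
    if ($duration -ne -1 -and $reset -gt $duration) {
        $findings += "Reset window ($reset) exceeds lockout duration ($duration)."
    }
    return $findings
}

function Set-LocalLockoutPolicy {
    param([hashtable]$Values)
    # Build a minimal security template containing only the lockout keys and
    # apply it; settings not listed in the template are left unchanged.
    $inf = Join-Path $env:TEMP 'lockout-fix.inf'   # assumed scratch paths
    $db  = Join-Path $env:TEMP 'lockout-fix.sdb'
    @"
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = $($Values.LockoutBadCount)
ResetLockoutCount = $($Values.ResetLockoutCount)
LockoutDuration = $($Values.LockoutDuration)
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

$current  = Get-LocalLockoutPolicy
$findings = Test-LockoutPolicy -Policy $current -Expected $Recommended
if ($findings.Count -eq 0) {
    Write-Host 'Account Lockout Policy matches the recommended values.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Uncomment to remediate in place:
    # Set-LocalLockoutPolicy -Values $Recommended
}
```

On a domain-joined machine the values reported come from the effective policy, which a domain GPO at the location given below will override on the next policy refresh, so remediating locally only makes sense for machines that are not governed by such a GPO.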

Location for configuring Account Lockout policy:

The Account Lockout Policy settings can be configured in the Group Policy Management Console under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

However, if your administrator has allowed you to configure it from the Local Security Policy of your computer, open Local Security Policy and locate Account Lockout Policy in the left pane.


How to centrally manage the Account Lockout Policy on your Windows 7, 8 and 10 machines?

If you're running a Windows-based network, you can configure the Account Lockout policy for all Windows machines in the network using a Group Policy Object (GPO). However, configuring GPOs is a tedious process.

Now, you can easily fix that with ManageEngine Vulnerability Manager Plus, a threat and vulnerability management solution to detect, assess and remediate vulnerabilities and misconfigurations. With Vulnerability Manager Plus, you can continuously scan your network for machines in which Account Lockout Policies and other security settings are poorly configured and instantly bring them back to compliance by deploying the secure configuration with a single click.

Download a free, 30-day trial of Vulnerability Manager Plus and establish secure configurations across all your Windows endpoints.