Back
  • Misconfig Name
  • Account lockout threshold is not configured to lockout accounts after 20 failed logons
  • Description
  • "Account lockout threshold:" The number of failed logon attempts that will cause a user account to be locked. "Account lockout duration:" The number of minutes a locked-out account remains locked out before getting unlocked automatically. Attackers can try to guess the password or use brute force attacks to crack the password. To prevent this, account lockout threshold must be configured to lockout accounts after 20 failed logon attempts.
  • Severity
  • Critical
  • Category
  • Logon Security
  • Resolution
  • Follow the below steps in GPO to resolve the misconfiguration. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "20" or fewer invalid logon attempts (excluding "0", which is unacceptable).
  • Reboot Required
  • No