Export (0) Print
Expand All

Auditing failed logon events and account lockouts

Auditing the number of failed attempts to log on by a user helps you learn about brute force, dictionary, and other password attacks on the server. In Windows Small Business Server 2003, auditing logon failure events and account lockouts is enabled by default.

You can disable auditing of logon failure events and account lockout by using the Small Business Server Auditing and Small Business Server Lockout Policy. For more information, see To disable or enable the auditing and account lockout policy.

Auditing logon failure events In Windows Small Business Server 2003, the setting for the Audit logon events is set to failure. Failure audits generate an audit entry when a logon attempt fails. Thus, every time an invalid logon attempt occurs on the server, a message is generated in the event log. You can view the generated event message in the performance reports when you configure monitoring for the server. For more information about configuring monitoring, see Monitoring overview.

For more information about Audit logon events, see "Audit account logon events" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=71626).

Account lockout policy Account lockout policy disables a user account if the user enters an incorrect password a specified number of times within a specified time. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network. The following table describes the settings that are assigned for the account lockout.

 

Account lockout policy security setting Description of security setting Assigned value

Account lockout duration

Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked.

10 minutes

Account lockout threshold

Determines the number of failed logon attempts that causes a user account to be locked out.

50 failed logon attempts

Reset account lockout counter after

Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.

10 minutes

When an account lockout occurs, it generates a message in the event log. You can view the message by using performance reports or the Event Viewer. For information about what steps you should take when a user account gets locked out, see "Windows Small Business Server 2003 Troubleshooting" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=71630). You can also be notified about the account lockout by a notification when you configure monitoring for the server. For more information about alert notifications, see Understanding alert notifications. For more information about configuring monitoring, see Monitoring overview.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft