Establishing an Account Lockout Policy
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You need to establish an account lockout policy at the same time that you establish a password security policy. Account lockout policies protect your environment against brute-force or dictionary attacks. Given enough tries, even complex passwords can be guessed. Account lockout policies reduce the number of guesses that an attacker can make.
It is best to establish an account lockout policy that is restrictive enough to prevent attacks, while still allowing for the occasional user error. An account lockout policy that is too strict might increase the number of support calls in your organization as users who type their passwords incorrectly are mistakenly locked out.
Creating an account lockout policy involves setting the following options in the Default Domain Group Policy object.
Account lockout threshold
The account lockout threshold limits the number of times that anyone can attempt to log on to a computer from a remote location. This prevents attackers from trying all possible passwords over the network. This setting is disabled by default in the Default Domain Group Policy object. You can turn it on by setting the value to a number within the accepted range of 1 through 999. Set the value high enough to ensure that occasional errors do not result in account lockout.
Note that this setting does not apply to attempts to log on at the console of a locked workstation or to attempts to unlock a screensaver. Locked workstations cannot be forced to run password-cracking programs.
Account lockout duration
The account lockout duration determines how long, in minutes, an account that has exceeded the account lockout threshold remains locked before it is automatically unlocked. Valid settings range from 0 through 99,999 minutes, or about 10 weeks. When the value is set to 0, an administrator must manually unlock the account. Because account lockout policies are designed to protect against brute-force attacks, setting even a low value for the account lockout duration reduces the number of possible attacks considerably. Note that setting a high value for the account lockout duration can increase help desk calls when legitimate users are mistakenly locked out, and aside from indicating that an attack was attempted, provides little additional protection.
By default, this policy is not defined, because it is only applicable when an account lockout threshold is specified.
Reset account lockout counter after
This setting determines the number of minutes that must elapse after a failed logon attempt before the counter is reset to 0 bad logon attempts. The range is 1 through 99,999 minutes. This value must be less than or equal to the account lockout duration.
Enforce user logon restrictions
When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer. The user requesting the session ticket must be assigned the Log on locally policy (if the requested service is running on the same computer) or the Access this computer from the network policy (if the requested service is on a remote computer) to receive a session ticket. This option also serves as a means to ensure that the requesting account is still valid. Verification is optional because the extra step takes time and might slow network access to services, but if account rights have changed or user accounts have been disabled between the time when the initial ticket was issued and the time when a service ticket was requested, these changes do not take effect.
By default, the policy is enabled in the Default Domain Group Policy object. If the policy is disabled, this check is not performed. For greater security in an environment in which user accounts change frequently, enable this setting. For faster performance, particularly in a more stable user account environment, disable this setting.