Configuring Remote Access Account Lockout for a VPN Solution

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you will use remote access account lockout to prevent online dictionary attacks, enable remote access account lockout by modifying the AccountLockout subkey in the registry on the server that authenticates remote access requests.

If the remote access server is configured for Windows authentication, modify the registry on that server. If the remote access server is configured for RADIUS authentication, and you are using IAS, modify the registry on the IAS server.

Caution

The AccountLockout subkey can be found in the following subkey:

HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters

The AccountLockout subkey does not exist in the registry until you enable the Routing and Remote Access service or install the Internet Authentication Service.

To configure remote access account lockout, modify two entries in the AccountLockout subkey:

  1. To enable account lockout, set MaxDenials to 1 or greater.

    MaxDenials sets the maximum number of failed attempts that can occur within the configured reset time before the account is locked out. By default, MaxDenials is set to zero, which disables account lockout.

  2. To change the interval at which the failed attempts counter is reset, set the number of minutes in ResetTime (mins).

    By default, the failed attempts counter is reset every 48 hours (a value of 0xb40, or 2,880 minutes). To modify this interval, enter the preferred number of minutes.

Note

  • To manually reset a user account that has been locked out before the failed attempts counter is automatically reset, delete the following registry subkey, which corresponds to the user’s account name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domainname:username.
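The two registry changes in the steps above and the manual reset from the Note can be scripted. The following PowerShell is an added example, not part of the original Microsoft text; the values 5 and 2880 and the helper name Reset-RemoteAccessLockout are assumptions for illustration.

```powershell
# Added example: run elevated on the server that authenticates remote access
# requests (the RRAS server, or the IAS server when RADIUS is used).
$sub = 'SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$key = "HKLM:\$sub"

# Assumed values for illustration; pick ones that match your lockout policy.
$maxDenials   = 5       # failed attempts before lockout (0 disables lockout)
$resetMinutes = 2880    # 0xb40, the default 48-hour counter reset

if (-not (Test-Path $key)) {
    # The subkey exists only once RRAS is enabled or IAS is installed.
    throw 'AccountLockout subkey not found: enable Routing and Remote Access or install IAS first.'
}

# Report the current settings before changing them.
$current = Get-ItemProperty -Path $key
'Current MaxDenials       : {0}' -f $current.MaxDenials
'Current ResetTime (mins) : {0}' -f $current.'ResetTime (mins)'
if ($current.MaxDenials -eq 0) { 'Account lockout is currently disabled.' }

# Write both entries as DWORD values.
Set-ItemProperty -Path $key -Name 'MaxDenials' -Value $maxDenials -Type DWord
Set-ItemProperty -Path $key -Name 'ResetTime (mins)' -Value $resetMinutes -Type DWord

# Per-account subkeys are named domainname:username; list any that exist.
$root  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $true)
$names = $root.GetSubKeyNames()
if ($names) {
    'Account subkeys present:'
    $names | ForEach-Object { "  $_" }
} else {
    'No per-account subkeys present.'
}

# Hypothetical helper: manual reset of one account, as described in the Note.
function Reset-RemoteAccessLockout {
    param([string]$Domain, [string]$User)
    $name = '{0}:{1}' -f $Domain, $User
    if ($root.GetSubKeyNames() -contains $name) {
        $root.DeleteSubKeyTree($name)
        "Removed lockout subkey for $name"
    } else {
        "No lockout subkey for $name"
    }
}
```

For example, Reset-RemoteAccessLockout -Domain CONTOSO -User alice (constructed names) removes that one account's subkey and leaves the lockout settings in place.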

For more information about remote access account lockout, see "Remote Access Technologies" in the Networking Collection of the Windows Server 2003 Technical Reference.