NPS: Account Lockout

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use remote access account lockout to specify how many times a network access authentication attempt fails against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.

Important

Remote access account lockout settings are universally applied to connection requests. When you configure remote access account lockout with a MaxDenials value other than 0, Network Policy Server (NPS) uses that lockout setting when evaluating connection requests from all Remote Authentication Dial-In User Service (RADIUS) clients regardless of type. This includes connection requests from 802.1X authenticating switches and wireless access points, Terminal Services Gateway (TS Gateway) servers, and Routing and Remote Access service (RRAS) servers configured as VPN and dial-up servers.

When remote access account lockout is enabled, a dictionary attack is thwarted after a specified number of failed attempts. As the network administrator, you must decide on two remote access account lockout variables:

  • The number of failed attempts before future attempts are denied.

    After each failed attempt, a failed attempts counter for the user account is incremented. If the user account’s failed attempts counter reaches the configured maximum, future attempts to connect are denied.

    A successful authentication resets the failed attempts counter when its value is less than the configured maximum. In other words, the failed attempts counter does not accumulate beyond a successful authentication.

  • The frequency with which the failed attempts counter is reset.

    The failed attempts counter is periodically reset to 0. If an account is locked out after the maximum number of failed attempts, the failed attempts counter is automatically reset to 0 after the reset time.

Note

If you’re using RRAS and the RRAS server is configured for Windows Authentication, modify the registry on the RRAS server. If the RRAS server is configured for RADIUS authentication, modify the registry on the NPS server.

Enable the remote access account lockout feature by changing the following settings in the registry on the computer that provides authentication services for connection requests.

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters

To enable remote access account lockout

Set the MaxDenials entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out.

By default, MaxDenials is set to 0, which means that remote access account lockout is disabled.

To modify the amount of time before the failed attempts counter is reset

Set the ResetTime (mins) entry in the registry to the required number of minutes.

By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).

To manually reset a user account that has been locked out before the failed attempts counter is automatically reset

Delete the following registry entry that corresponds to the user’s account name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name

When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.
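The three procedures above (enable lockout, change the reset interval, clear one account's counter by hand) carried out from an elevated PowerShell prompt, as an added example that is not part of the original article. It is run on the computer that performs authentication (the NPS server, or the RRAS server when it uses Windows Authentication, as the Note above says). The values 5 and 30, the domain CONTOSO and the user jdoe are illustrative placeholders; that both entries are REG_DWORD is assumed from the hexadecimal default quoted above, and the idea that every subkey under AccountLockout marks an account with a non-zero failed attempts counter (not necessarily one that has already reached MaxDenials) is inferred from the last paragraph of the article.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the NPS server (or on the RRAS server when it uses Windows Authentication).
$ParamsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters'
$LockoutPath = Join-Path $ParamsPath 'AccountLockout'

# Show the current settings. On an untouched server MaxDenials is 0 (lockout
# disabled) and ResetTime (mins) is 0xb40 = 2880 minutes (48 hours).
Get-ItemProperty -Path $ParamsPath -Name 'MaxDenials', 'ResetTime (mins)' -ErrorAction SilentlyContinue |
    Select-Object MaxDenials, 'ResetTime (mins)'

# Enable lockout after 5 failed attempts and reset the counter after 30 minutes.
# Both values are placeholders; MaxDenials = 0 would turn the feature off again.
# Set-ItemProperty creates the entry if it does not exist yet (REG_DWORD assumed).
Set-ItemProperty -Path $ParamsPath -Name 'MaxDenials'       -Value 5  -Type DWord
Set-ItemProperty -Path $ParamsPath -Name 'ResetTime (mins)' -Value 30 -Type DWord

# List accounts that currently have a non-zero failed attempts counter. NPS keeps one
# subkey per account, named "<domain name>:<user name>", and deletes it when the
# counter returns to 0 (successful authentication or automatic reset).
if (Test-Path $LockoutPath) {
    Get-ChildItem -Path $LockoutPath | Select-Object -ExpandProperty PSChildName
} else {
    Write-Output 'No accounts are being tracked under AccountLockout.'
}

# Manually clear one account before ResetTime expires by deleting its subkey.
# CONTOSO and jdoe are placeholders for the real domain and user name.
$LockedAccount = 'CONTOSO:jdoe'
$AccountKey    = Join-Path $LockoutPath $LockedAccount
if (Test-Path $AccountKey) {
    Remove-Item -Path $AccountKey
    Write-Output "Cleared the failed attempts counter for $LockedAccount."
} else {
    Write-Output "$LockedAccount has no failed attempts counter to clear."
}
```

Because the article states that lockout applies to every RADIUS client type once MaxDenials is non-zero, the same counter is shared by VPN, dial-up, 802.1X and TS Gateway requests for a given account, so the value chosen for MaxDenials should allow for legitimate mistypes across all of those paths, and ResetTime (mins) sets the longest time a legitimately locked-out user waits before the subkey is removed automatically.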