Hopefully you’ve never experienced the total frustration of dealing with a system infested with malware. It may take hours to detect and remove all of the malware-affected files on a system. Because of this, many IT people prefer a “clean install”, which erases the drive and replaces everything on it. But with a clean install, you’ll lose any information not saved elsewhere. Ugh. This all could have been prevented with proper workstation security.

The following five practices can help prevent possible problems and increase the security of your workstation.

1. Use an active security suite

A security suite should protect your system from viruses, malware, spyware, and network attacks. These days, a product that provides just anti-virus isn’t enough. Not all malicious programs are viruses. Some programs present themselves as useful, but are spyware. For example, a program that offers to alert you to discounts or deals, but also monitors everything you do online. Your security suite should detect that and disable it. If you use a company-owned system, your IT folks likely provide a security suite. You should make sure that your security software is running and active. If it isn’t, turn it on and immediately run a full system scan.

2. Update your software

Keep your operating system, security suite, and programs up to date. Microsoft releases patches on the second Tuesday of each month. If you update your own system, check then. If an IT professional manages your updates, they may test Microsoft’s patches before they deploy the patch to your system, so there may be a delay. Many security suite vendors release updates every few hours. Your system should receive and apply those automatically to protect against recently identified threats. Applications—especially programs that connect to the internet—also offer a way for attackers to access your system. For example, the makers of Java and Flash issue frequent updates to patch problems identified with those applications. If you use an application, keep it up to date. If you don’t use an application, uninstall it. (Check with your IT team before making any changes!)

3. Leave it? Lock it

Never leave your system logged in and unattended. Never: as in… not in your office at work, not on your desk at home, and not at your favorite local coffeeshop. Never. When you walk out of eyesight of your device, lock it and/or log out. (On most Windows systems, just press Ctrl-Alt-Delete then Enter to lock it. Or, hold down the Windows key and press L.) Configure your system to automatically lock—and log out—after a few minutes if not in use.

4. Don’t share

Unless your IT team specifically tells you otherwise, don’t share your system—with anyone. If you’re the only one to use your system, you can keep it safe. Hand it to Alice in Accounting and she might insert a flash drive filled with malicious files. Loan your system to Bob in Marketing to use for a presentation at a conference… and he might just present you with an infected file. When you share a file, share it from the company’s shared file system—in the cloud or on your server. Cloud services actively scan for problems, and your document server likely does, too. Keep things simple: don’t share your system. Nobody borrows it—ever.

5. Back up your data

Back up data you want to keep. You don’t need to back up your operating system or applications—your IT team should be able to replace and update those easily. But your data isn’t replaceable. That means your email, your documents, images, spreadsheets, presentations, audio and video files—all of it should be backed up. Any file that matters to you should be backed up. This also includes cloud applications. Storing data in the cloud does NOT mean it’s automatically safe and protected. If your company is storing critical information in a SaaS application (e.g., Salesforce), consider implementing a cloud-to-cloud backup solution. With a backup, if your system does get infected—or when the hardware finally fails—your data is safe. You get another system, set it up, then start work. A backup can save you the frustration of fighting with a malware-infested system.

How well do you perform all five of these practices? What about your colleagues? How well do they perform each of these practices?
Account lockout threshold
Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.

Reference

The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account can't be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.

Failed attempts to unlock a workstation can cause account lockout even if the Interactive logon: Require Domain Controller authentication to unlock workstation security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.

Possible values

It's possible to configure the following values for the Account lockout threshold policy setting:
Because vulnerabilities can exist when this value is configured and when it's not, organizations should weigh their identified threats and the risks that they're trying to mitigate. For information about these settings, see Countermeasure in this article.

Best practices

The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, Windows security baselines recommend a value of 10 as an acceptable starting point for your organization. As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see Configuring Account Lockout. Implementation of this policy setting is dependent on your operational environment: threat vectors, deployed operating systems, and deployed apps. For more information, see Implementation considerations in this article.

Location

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Default values

The following table lists the actual and effective default policy values. Default values are also listed on the property page for the policy setting.
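The following model of the three lockout counters (threshold, lockout duration, and the reset window) is an added example, not code from the Windows documentation; it assumes a whole-minute clock, and treats a lockout duration of 0 as "locked until an administrator unlocks", which is how Windows defines that value. It shows why a threshold of 0 never locks, why the duration must be at least the reset window (an expired lock clears the counter through the reset check), and why a correct password is refused while the lock holds.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold; 0 = never lock
    duration_min: int     # Account lockout duration; 0 = until an administrator unlocks
    reset_after_min: int  # Reset account lockout counter after

    def validate(self) -> None:
        # Constraint from the reference: with lockout enabled, duration must be
        # >= the counter reset window (a duration of 0 means "until unlocked").
        if self.threshold > 0 and 0 < self.duration_min < self.reset_after_min:
            raise ValueError("Account lockout duration must be >= Reset account lockout counter after")


@dataclass
class AccountState:
    failed: int = 0                        # current bad-password count
    last_failure: Optional[float] = None   # minute of the last failed attempt
    locked_until: Optional[float] = None   # float('inf') for an indefinite lock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        policy.validate()
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}  # constructed in-memory store

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record a sign-in attempt at minute `now`; return 'success', 'failed' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            return "locked"  # a correct password is refused while the lock holds
        if password_ok:
            st.failed, st.last_failure, st.locked_until = 0, None, None
            return "success"
        # Failures older than the reset window no longer count toward the threshold;
        # because duration >= reset window, this also clears the counter after a lock expires.
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after_min:
            st.failed = 0
        st.failed, st.last_failure = st.failed + 1, now
        if self.policy.threshold and st.failed >= self.policy.threshold:
            d = self.policy.duration_min
            st.locked_until = now + d if d else float("inf")
            return "locked"
        return "failed"

    def unlock(self, user: str) -> None:
        """Administrator reset: clears the counter and any lock."""
        self.accounts[user] = AccountState()
```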
Policy management

This section describes features and tools that are available to help you manage this policy setting.

Restart requirements

None. Changes to this policy setting become effective without a computer restart when they're saved locally or distributed through Group Policy.

Implementation considerations

Implementation of this policy setting depends on your operational environment. Consider threat vectors, deployed operating systems, and deployed apps. For example:
For more information about Windows security baseline recommendations for account lockout, see Configuring Account Lockout.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Note: A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Vulnerability

Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network.

Note: Offline password attacks are not countered by this policy setting.

Countermeasure

Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate.
The two countermeasure options are:
Potential impact

If this policy setting is enabled, a locked account isn't usable until it's reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate many more Help Desk calls. If you configure the Account lockout threshold policy setting to 0, there's a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism isn't in place. If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts.

Which of the following actions can you take to increase the security of your Web browser?
Two things you can do are upgrade your browser to the newest version (as well as any plugins, toolbars, and extensions) and configure security zones (if you are using IE). Enabling Autofill and accepting all cookies can increase your security risk.
Which of the following allows you to physically secure a laptop from theft?
A cable lock can be used to physically secure a laptop to deter theft.

Which type of software will help protect your computer from malicious network traffic?
Antimalware is a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. Antimalware programs scan a computer system to prevent, detect and remove malware.
What is the most common method used to authenticate a user's identity for today's computer systems and shared data resources?
Password-based authentication. Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. It is the most common authentication method; anyone who has logged in to a computer knows how to use a password.