Hopefully you’ve never experienced the total frustration of dealing with a system infested with malware. It may take hours to detect and remove all of the malware-affected files on a system. Because of this, many IT people prefer a “clean install”, which erases the drive and replaces everything on it. But with a clean install, you’ll lose any information not saved elsewhere. Ugh. This all could have been prevented with proper workstation security.
The following five practices can help prevent possible problems and increase the security of your workstation.
1. Use an active security suite
A security suite should protect your system from viruses, malware, spyware, and network attacks. These days, a product that provides just anti-virus only isn’t enough. Not all malicious programs are viruses. Some programs present themselves as useful, but are spyware. For example, a program that offers to alert you to discounts or deals, but also monitors everything you do online. Your security suite should detect that and disable it.
If you use a company-owned system, your IT folks likely provide a security suite. You should make sure that your security software is running and active. If it isn’t, turn it on and immediately run a full system scan.
2. Update your software
Keep your operating system, security suite, and programs up-to-date. Microsoft releases patches on the second Tuesday of each month. If you update your own system, check then. If an IT professional manages your updates, they may test Microsoft’s patches before they deploy the patch to your system, so there may be a delay.
Many security suite vendors release updates every few hours. Your system should receive and apply those automatically to protect against recently identified threats.
Applications—especially programs that connect to the internet—also offer a way for attackers to access your system. For example, the makers of Java and Flash issue frequent updates to patch problems identified with those applications. If you use an application keep it up-to-date. If you don’t use an application, uninstall it. (Check with your IT team before making any changes!)
3. Leave it? Lock it
Never leave your system logged in and unattended. Never: as in… not in your office at work, not on your desk at home, and not at your favorite local coffeeshop. Never. When you walk out of eyesight of your device, lock it and/or log out. (On most Windows systems, just press Ctrl-Alt-Delete then Enter to lock it. Or, hold down the Windows key and press L.) Configure your system to automatically lock—and logout—after a few minutes if not in use.
4. Don’t share
Unless your IT team specifically tells you otherwise, don’t share your system—with anyone. If you’re the only one to use your system, you can keep it safe. Hand it to Alice in Accounting and she might insert a flash drive filled with malicious files. Loan your system to Bob in Marketing to use for a presentation at a conference… and he might just present you with an infected file.
When you share a file, share it from the company’s shared file system—in the cloud or on your server. Cloud services actively scan for problems, and your document server likely does, too.
Keep things simple: don’t share your system. Nobody borrows it—ever.
5. Backup your data
Back up data you want to keep. You don’t need to back up your operating system or applications—your IT team should be able replace and update those easily.
But your data isn’t replaceable. That means your email, your documents, images, spreadsheets, presentations, audio and video files—all of it should be backed up.
Any file that matters to you should be backed up. This also includes cloud applications. It’s true, just because you store data in the cloud does NOT mean it’s automatically safe and protected. If your company is storing critical information in a SaaS application (ex. Salesforce), consider implementing a cloud to cloud backup solution.
With a backup, if your system does get infected—or when the hardware finally fails—your data is safe. You get another system, set it up, then start work. A backup can save you the frustration of fighting with a malware infested system.
How well do you perform all five of these practices? What about your colleagues? How well do they perform each of these practices?
Skip to main content
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Account lockout threshold
- Article
- 10/27/2022
- 6 minutes to read
In this article
Applies to
- Windows 10
Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
Reference
The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account can't be used until you reset it or until the number of minutes specified by the Account lockout duration policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.
Failed attempts to unlock a workstation can cause account lockout even if the Interactive logon: Require Domain Controller authentication to unlock workstation security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
Possible values
It's possible to configure the following values for the Account lockout threshold policy setting:
- A user-defined number from 0 through 999
- Not defined
Because vulnerabilities can exist when this value is configured and when it's not, organizations should weigh their identified threats and the risks that they're trying to mitigate. For information these settings, see Countermeasure in this article.
Best practices
The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, Windows security baselines recommend a value of 10 could be an acceptable starting point for your organization.
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see Configuring Account Lockout.
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see Implementation considerations in this article.
Location
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Default values
The following table lists the actual and effective default policy values. Default values are also listed on the property page for the policy setting.
Default domain policy | 0 invalid sign-in attempts |
Default domain controller policy | Not defined |
Stand-alone server default settings | 0 invalid sign-in attempts |
Domain controller effective default settings | 0 invalid sign-in attempts |
Member server effective default settings | 0 invalid sign-in attempts |
Effective GPO default settings on client computers | 0 invalid sign-in attempts |
Policy management
This section describes features and tools that are available to help you manage this policy setting.
Restart requirements
None. Changes to this policy setting become effective without a computer restart when they're saved locally or distributed through Group Policy.
Implementation considerations
Implementation of this policy setting depends on your operational environment. Consider threat vectors, deployed operating systems, and deployed apps. For example:
The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats.
When there's a negotiation of encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
For more information about Windows security baseline recommendations for account lockout, see Configuring Account Lockout.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Note
A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also Appendix D: Securing Built-In Administrator Accounts in Active Directory.
Vulnerability
Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network.
Note
Offline password attacks are not countered by this policy setting.
Countermeasure
Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
Configure the Account lockout threshold setting to 0. This configuration ensures that accounts won't be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users can't accidentally lock themselves out of their accounts. Because it doesn't prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
- The password policy setting requires all users to have complex passwords of eight or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
Configure the Account lockout threshold policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
Windows security baselines recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
Potential impact
If this policy setting is enabled, a locked account isn't usable until it's reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate many more Help Desk calls.
If you configure the Account lockout threshold policy setting to 0, there's a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism isn't in place.
If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts.
Account Lockout Policy
Feedback
Submit and view feedback for