Windows Server 2012 - Account Lock


1 Answer

+5 votes
Best answer

Account lock settings

When a user enters a wrong password a certain number of times, it may be that the account is under a brute force attack, or that an external entity is trying to enter the account without authorization. To prevent this and to give more security to our network environment, you must set an account lockout policy.

This policy must guarantee that after a number of incorrect login attempts the user account is locked, thus alerting the system administrator about the irregularity and forcing the user to report his account in case the lockout was due to an error on his part; if it is due to some kind of attack, the attacker cannot access the data or the terminal.

These policies are configured in the GPO (Group Policy Objects) available at the path:

Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Account

These policies must be established at the domain level so that they apply to our environment correctly.

For the locking of accounts we have a series of policies that help us in this task; within our Windows Server 2012 domain environment we have the following:
  • Account lockout duration: This is the time that the account will be locked. By default the base time is 30 minutes when the policy is activated. When the value is 0, it indicates that the account will be locked until an administrator proceeds to unlock it.
  • Account lockout threshold: This element allows us to establish the number of erroneous login attempts an account can make before the lock is triggered. When activated, the default value is 5 attempts, and a maximum of 999 attempts can be set. These attempts must occur within a certain period of time to be counted.
  • Reset account lockout counter after: This element allows us to establish the period of time in which login attempts with an incorrect password will be counted.

When we enable it, it brings a default time of 30 minutes. This means that if our account lockout threshold is 5 attempts, these must occur in less than 30 minutes for the account to be locked. If the user makes the 5 attempts over 31 minutes, the account lock does not happen, since the counter would have reset at the 31st minute.

Locking accounts in the real world

In the real world, an account lock that lasts 30 minutes is equivalent to a lock that does not expire, since by nature the user pays little attention to security policies, even if the system administrator tells him thousands of times that once his account is locked he must wait 30 minutes before logging in again.
In a work environment these 30 minutes can mean a delay in printing a report for general management, so the technical support phones will always be ringing.
To prevent this, it is recommended that the lock last 1 minute and be announced on screen with a message. This minute is enough to avoid dictionary and brute-force attacks, since it would force the attack engines to wait for a time in which the administrator could become aware and take the necessary measures.

by (3.5m points)
edited
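As an added example (not part of the original answer), the same lockout policy can be inspected, set and monitored from PowerShell with the ActiveDirectory module; the module being installed, Domain Admin rights and the sample account name 'jdoe' are assumptions.

```powershell
# Added example, not from the original answer: read and set the domain-wide
# account lockout policy with the ActiveDirectory (RSAT) module, then find
# and unlock accounts that tripped it and review lockout events.
# Assumes the ActiveDirectory module is installed and you run as a Domain Admin.
Import-Module ActiveDirectory

# 1. Inspect the current Default Domain Policy lockout settings
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Apply the values discussed above: 5 bad attempts inside the observation
#    window lock the account. Caveat: Windows requires the lockout duration to
#    be at least as long as the reset window, so a 1-minute lockout also forces
#    the reset window down to 1 minute (a duration of 0 = locked until unlocked).
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 1) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 1)

# 3. Find accounts currently locked out (the source of the help desk calls)
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LockedOut, LastLogonDate

# 4. Unlock one account after confirming with the user ('jdoe' is a placeholder)
# Unlock-ADAccount -Identity 'jdoe'

# 5. Detection: every lockout is recorded on the PDC emulator as Security
#    event 4740, which names the caller computer, so repeated lockouts from
#    one source stand out from a user who simply mistyped the password.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName
            Source  = $_.Properties[1].Value   # Caller computer name
        }
    }
```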
