Nov 03 2021

How to Set an Account Lockout Policy in Microsoft Active Directory

Threat actors continue to use brute-force attacks to compromise credentials and gain a foothold on networks. Fortunately, a well-tuned account lockout policy makes this tactic far less effective.

Modern businesses face a deluge of elaborate threats. Phishing and other social engineering tactics are increasingly common, and attackers continue to sharpen their technical skills.

When such methods fail, however, attackers often turn to simple brute-force attacks, using tools that guess passwords rapidly by trial and error. A strong account lockout policy can defeat these attempts, and administrators can implement one in Microsoft Active Directory in four simple steps.

1. Lower Lockout Thresholds for More Security

Microsoft AD lets administrators configure a lockout threshold: the number of failed password attempts allowed before an account is locked. AD sets this value to zero by default, which means accounts are never locked out no matter how many guesses are made. Admins can choose thresholds from zero up to 999. A value around 10 will stop an online brute-force attack while leaving room for legitimate typos. Two caveats apply. A very low threshold lets an attacker who knows a list of usernames lock out legitimate users on purpose, and a lockout policy alone does not stop password spraying, in which a handful of common passwords are tried against many accounts so that no single account ever reaches the threshold.

2. Adjust Lockout Duration to Avoid Employee Frustration

It’s no secret that password issues and account lockouts generate numerous help desk calls. If the lockout duration is set to zero, a locked account stays locked until an administrator manually unlocks it. Setting a lockout duration, after which the account unlocks automatically and the employee can try again, avoids much of this frustration. Microsoft recommends a duration of 30 minutes: long enough to make guessing impractical and to give IT time to look into the cause, without markedly interrupting user workflows. A related setting, “Reset account lockout counter after,” controls how long failed attempts are remembered before the counter returns to zero; Windows requires it to be less than or equal to the lockout duration, so set the two together.
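The two settings from steps 1 and 2 are most easily inspected and applied with the RSAT ActiveDirectory module. The following script is an added example, not code from the original article or from Microsoft; it assumes you are running as a Domain Admin on a domain-joined machine and reads the domain name from AD rather than hard-coding it.

```powershell
# Added example: inspect, harden and verify the domain's account lockout settings.
# Assumes the RSAT ActiveDirectory module and rights to change the default domain policy.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

function Show-LockoutPolicy {
    Get-ADDefaultDomainPasswordPolicy -Identity $domain |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

"Before:"
Show-LockoutPolicy   # a fresh forest reports LockoutThreshold = 0: accounts never lock

# Weak setting, shown only for contrast: a threshold of zero disables lockout entirely,
# so an attacker can keep guessing indefinitely.
#   Set-ADDefaultDomainPasswordPolicy -Identity $domain -LockoutThreshold 0

# Hardened setting: lock after 10 failed attempts, unlock automatically after 30 minutes,
# and forget failed attempts 30 minutes after the last one. Windows requires the reset
# (observation) window to be no longer than the lockout duration, so check that first.
$threshold = 10
$duration  = New-TimeSpan -Minutes 30
$window    = New-TimeSpan -Minutes 30
if ($window -gt $duration) {
    throw "Reset window ($window) must not exceed lockout duration ($duration)"
}

Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold $threshold `
    -LockoutDuration $duration `
    -LockoutObservationWindow $window

"After:"
Show-LockoutPolicy

# Read the live policy back rather than trusting that the call succeeded.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Lockout is still disabled; check whether the Default Domain Policy GPO overrides it.'
} elseif ($policy.LockoutThreshold -gt 20) {
    Write-Warning "Threshold of $($policy.LockoutThreshold) leaves a lot of room for guessing."
}
```

If the account lockout settings are also defined in the Default Domain Policy GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy), make the same change there: the PDC emulator writes the GPO's account policy values to the domain object during policy processing, and a mismatch would undo the cmdlet's change.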


3. Pair Lockout Policies with Infrastructure Monitoring

Keeping tabs on user activity, lockout spikes and other indicators of malicious behavior helps uncover brute-force attempts while they are under way. Every lockout in the domain is recorded on the PDC emulator as Security event ID 4740, which names the locked account and the computer the failed attempts came from, so that log is the natural place to start. Reviewing every employee’s account individually isn’t feasible from an operations perspective. However, consider establishing alerts for high-priority accounts with elevated privileges. Domain administrator accounts, for example, are common targets.
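As an added example (not part of the original article), the script below pulls the last hour of lockout events from the PDC emulator, flags any lockout of a Domain Admins member, and flags any single source machine that has locked several distinct accounts, which is the signature of a guessing tool rather than a forgotten password. It assumes the RSAT ActiveDirectory module, read access to the Security log on the PDC emulator, and that “Audit User Account Management” is enabled there so that event 4740 is written.

```powershell
# Added example: alert on lockout spikes and on lockouts of privileged accounts.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-1)

# Every lockout in the domain is logged on the PDC emulator as Security event 4740.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the locked account and the source machine out of each event's XML.
# In 4740 the "Caller Computer Name" field is carried in TargetDomainName.
$lockouts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
    }
}

# Privileged accounts warrant an immediate alert on any lockout.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

foreach ($hit in ($lockouts | Where-Object { $privileged -contains $_.Account })) {
    Write-Warning ("Privileged account {0} locked out at {1} from {2}" -f
        $hit.Account, $hit.Time, $hit.CallerComputer)
}

# One source locking many different accounts in a short window is a brute-force
# or password-spray indicator; a user mistyping a password locks only their own.
$spikeThreshold = 5
$lockouts | Group-Object CallerComputer | ForEach-Object {
    $distinct = ($_.Group.Account | Sort-Object -Unique).Count
    if ($distinct -ge $spikeThreshold) {
        Write-Warning ("{0} locked {1} distinct accounts since {2}" -f $_.Name, $distinct, $since)
    }
}
```

Because a password spray deliberately stays under the lockout threshold, pair this with a similar query over failed logons (event 4625 on the target, or Kerberos pre-authentication failures, event 4771, on the domain controllers) grouped by source address; those events show the guessing that never produces a 4740.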

4. Ensure Credentials Are Fresh

Credentials that have remained unchanged for some time present a different challenge. Stale credentials are a notorious cause of lockouts: when a user changes a password, old copies cached by mapped drives, scheduled tasks, services and mobile devices keep presenting the previous password and quickly trip the lockout threshold.

Educating users to update these stored credentials whenever they change a password (or enforcing periodic changes through the password policy) can prevent these unintended lockouts. This shows how AD’s mechanisms, such as account lockout policies and password policies, interact, for better or worse. Thankfully, these preventive steps aren’t complicated.
