Checklist: Seven steps to properly set account lockout

If you do set account lockout and someone tries to logon to an account using the wrong password, the account will automatically lock after the specified number of tries -- and no one can logon using it.

Setting this option is supposed to provide two advantages:
1. A would-be attacker can't use the account unless he's capable of guessing the password within the number of tries you set.
2. If you have enabled auditing, configured it to record these events and reviewed your logs, you may discover these attempts at compromise.

On the other hand, setting this option may also bring two disadvantages:
1. Legitimate users may fumble-finger attempts at logon and loc

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows XP security issues, updates and alerts How Windows 7 stands up to security tests The state of enterprise security and emerging threats in 2009 A first look at Windows 7 security enhancements How to strike a balance between Windows security and business needs How to recognize and repair Blue Screen of Death stop error messages Ten ways to sell security to management Improve Windows security with our top 10 tips Strategies for troubleshooting Windows XP errors Managing single sign-on security burdens in Windows A Windows security checklist for IT managers Securing Windows legacy operating systems Run legacy applications with Windows Vista security How to Bypass BIOS Passwords Security concerns of unattended, automatic installations How 'limited' malcode pulled off the year's biggest attack Taking over the domain How to get an attacker out of your network Checklists: Harden access control settings Freeware tool for password tracking and storage Manual vs. automated patch tracking Protect desktop files and folders from inside snoops

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

k themselves out. Does this seem far-fetched? I once did so in front of an audience of 500 people.
2. Automated attacks on accounts can trigger whole-scale lockout of multiple accounts. The password cracking attempt becomes a denial-of-service attack (and some say that may have been the goal).

Still, I believe that properly-implemented account lockout options can work to your advantage. Account lockout settings should be set in a Group Policy Object linked to the domain. You'll find them at Windows Settings/Security Settings/Account Policies/Account Lockout Policy. Here's how to use them.

You may download a printer-friendly version. [TABLE]

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor to suggest additional checklist topics.

[TABLE]

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.