Lockout is the feature that automatically disables a user account once a pre-determined number of failed logon attempts has occurred. Lockout is a primary defense against brute-force attacks. A brute-force attack attempts to log into a system with a known user account name by repeatedly trying different password combinations. Lockout works well against both local physical access attempts and remote or network access attempts. However, lockout does not work against attacks through FTP.

Lockout should be a key part of an organization's security policy. There are three elements to defining the lockout policy:

  • Failed logon attempts -- the number of times a logon can fail before the account is locked out.
  • Lockout duration -- the length of time an account is locked out. If this is set to infinite, then an administrator or account manager must re-enable the account manually.
  • Failed logon counter reset interval -- the length of time before the count of failed logons is reset to 0.

In most cases, a lockout duration of 15 minutes is more than sufficient to thwart a brute-force attack while not requiring the intervention of an administrator every time a user fumbles their logon multiple times. Most organizations allow three to five failed logon attempts before disabling the user account and use a counter reset interval of 15 to 30 minutes.
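As an added example (not code from the original article), the following Python models the three policy elements described above with a caller-supplied clock: the failure threshold, a lockout duration that may be infinite and then needs a manual unlock, and a counter reset interval. It also records who, when and where for every lockout so the event can be audited. The class and function names are assumptions, as is measuring the reset interval from the most recent failed attempt (the Windows behaviour).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    """The three elements of a lockout policy; times are in seconds."""
    threshold: int = 5                      # failed logons before lockout
    lockout_duration: Optional[int] = 900   # None = infinite, admin must unlock
    reset_interval: int = 1800              # failure counter resets after this

@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: Optional[float] = None    # float('inf') while locked indefinitely

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}
        self.audit: list = []               # who / when / where for each lockout

    def attempt(self, user: str, password_ok: bool, now: float, source: str) -> str:
        st = self.accounts.setdefault(user, _State())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"             # reject, even a correct password
            st.locked_until, st.failures = None, 0   # duration expired: auto-unlock
        if password_ok:
            st.failures = 0
            return "success"
        # Reset interval measured from the most recent failure (assumption).
        if now - st.last_failure > self.policy.reset_interval:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            dur = self.policy.lockout_duration
            st.locked_until = float("inf") if dur is None else now + dur
            self.audit.append({"user": user, "when": now, "source": source})
            return "locked_out"
        return "failure"

    def admin_unlock(self, user: str) -> None:
        """Manual re-enable, required when lockout_duration is infinite."""
        self.accounts[user] = _State()
```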

Lockout by itself is a useful deterrent, but it should always be combined with logon auditing. Without a record of the activity in the Security Event Log, you will have no way of knowing the who, when and where of an account being locked out. If integrated with an intelligent intrusion-detection system (IDS), the audit trail and lockout feature can often pinpoint the cracker or the compromised system automatically.

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

Related book

Authentication: From passwords to public keys
By Richard E. Smith
This book gives readers a clear understanding of what an organization needs to reliably identify its users and how the different techniques for verifying identity are executed.

This was first published in February 2002
