4-12. Configuring and Managing a Remote Access Account Lockout Policy
Problem
You want to protect your network by creating a lockout policy for failed authentication
attempts by remote access clients.
Solution
Remote access lockout policies can only be created and managed through the Windows
Registry. There is no equivalent graphical user interface or command-line option for
this setting.
Using the Registry
You can create (enable) a remote access lockout policy by modifying the following Registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\]
"MaxDenials"=dword:<Limit>
"ResetTime"=dword:<Duration>
In these values, Limit is the number of failed authentication attempts you will permit
before the user account is locked out of remote access connections. A value of 0 disables
account lockout.
Note Locking a user account from remote access connectivity will not lock the actual user account in
Active Directory. These entries relate only to remote access.
Duration is the number of minutes after which you want a locked account to be
re-enabled. Specify the duration in decimal format. The default value is 2,880 minutes, or
two days.
For example, to enable remote access account lockout after five failed logon attempts, and
to automatically unlock the account after 60 minutes, create or modify the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\]
"MaxDenials"=dword:5
"ResetTime"=dword:60
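The same policy applied and read back with PowerShell, as an added example that is not part of the book's recipe. It assumes a Windows Server running Routing and Remote Access and an elevated session; the function names Set-RasLockoutPolicy and Get-RasLockoutPolicy are hypothetical, not built-in cmdlets.

```powershell
# Added example (not from the book): configure and audit the RRAS remote access
# account lockout policy described above. Run from an elevated PowerShell session.
$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Set-RasLockoutPolicy {
    param(
        # MaxDenials: failed attempts allowed before lockout; 0 disables lockout.
        [Parameter(Mandatory)] [ValidateRange(0, [int]::MaxValue)] [int] $MaxDenials,
        # ResetTime: minutes until a locked account is re-enabled (book default: 2880).
        [Parameter(Mandatory)] [ValidateRange(1, [int]::MaxValue)] [int] $ResetMinutes
    )
    if (-not (Test-Path $LockoutKey)) {
        New-Item -Path $LockoutKey -Force | Out-Null
    }
    # Values are written as decimal integers, matching the "Decimal" base in the
    # Regedit edit dialog. An exported .reg file shows the same numbers in
    # hexadecimal, so 60 minutes appears there as dword:0000003c.
    Set-ItemProperty -Path $LockoutKey -Name 'MaxDenials' -Value $MaxDenials  -Type DWord
    Set-ItemProperty -Path $LockoutKey -Name 'ResetTime'  -Value $ResetMinutes -Type DWord
}

function Get-RasLockoutPolicy {
    # Returns the effective policy, or $null if the key has never been created.
    if (-not (Test-Path $LockoutKey)) { return $null }
    $p = Get-ItemProperty -Path $LockoutKey
    [pscustomobject]@{
        MaxDenials   = $p.MaxDenials
        ResetMinutes = $p.ResetTime
        Enabled      = ($null -ne $p.MaxDenials -and $p.MaxDenials -gt 0)
    }
}

# The book's example: lock after five failures, release after 60 minutes.
Set-RasLockoutPolicy -MaxDenials 5 -ResetMinutes 60
Get-RasLockoutPolicy | Format-List
```

Running Get-RasLockoutPolicy on its own is a quick audit step for confirming that lockout is actually enabled on a remote access server.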
You can also unlock an account by modifying the Registry. To do so, use Regedit.exe and
select the following key: