The following command configures the remote access account lockout duration to
60 minutes:
> reg add HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout /v "ResetTime (mins)" /t REG_DWORD /d 60 /f
Using VBScript
This script will configure the account lockout threshold and lockout duration for an IAS server:
' This code configures the account lockout threshold and
' lockout duration for an IAS server
' ------ SCRIPT CONFIGURATION ------
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
strKeyPath = _
    "SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"
dValueName = "MaxDenials"
dValue = 3
' ------ END CONFIGURATION ---------
' Connect to the WMI registry provider on the target computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' MaxDenials is a REG_DWORD: failed attempts allowed before lockout
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, dValueName, dValue
' "ResetTime (mins)" is a REG_DWORD: lockout duration in minutes
dValueName = "ResetTime (mins)"
dValue = 30
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, dValueName, dValue
WScript.Echo "Value set."
How It Works
You can use the remote access account lockout feature of Windows Server 2003 RAS and IAS to
specify how many times an incoming remote access connection can provide invalid
authentication credentials before the user is denied access to the RAS or IAS server. This is a
particularly important security feature when you are securing Internet-facing servers such as
those that are hosting VPN connections, since a malicious Internet user can use the VPN
connection process to perpetrate a dictionary attack against a valid user account. If you enable
the remote access account lockout, this dictionary attack would be shut down after a certain
number of failed logon attempts.
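A read-only check of the settings described above, written in PowerShell as an added example (not code from the original text). The function name Test-RasLockoutValue is hypothetical; treating a MaxDenials of 0 as "lockout disabled" and the domain:user subkeys as per-account entries follows Microsoft's documentation of this feature, not this page.

```powershell
# Added example: audit the remote access account lockout settings (read-only).
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

# Hypothetical helper: report whether a value exists and is stored as REG_DWORD.
function Test-RasLockoutValue {
    param(
        [string]$Path,
        [string]$Name
    )
    $key = Get-Item -Path $Path -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $Name) {
        return "MISSING     '$Name' is not present"
    }
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A value written as a string (REG_SZ) is a misconfiguration worth flagging
        return "WRONG TYPE  '$Name' is $kind, expected DWord (data: $data)"
    }
    return "OK          '$Name' = $data"
}

if (-not (Test-Path -Path $keyPath)) {
    Write-Output "AccountLockout key not found at $keyPath"
    return
}

# Check both values the page configures: threshold and lockout duration
Test-RasLockoutValue -Path $keyPath -Name 'MaxDenials'
Test-RasLockoutValue -Path $keyPath -Name 'ResetTime (mins)'

# Assumption (Microsoft documentation): MaxDenials of 0 means lockout is off
$threshold = (Get-Item -Path $keyPath).GetValue('MaxDenials') -as [int]
if (-not $threshold) {
    Write-Output 'Lockout is DISABLED (MaxDenials is 0, absent, or not numeric)'
} else {
    Write-Output "Lockout triggers after $threshold failed attempts"
}

# Assumption (Microsoft documentation): per-account subkeys are named domain:user.
# A growing list here can indicate password guessing against remote access.
Get-ChildItem -Path $keyPath | ForEach-Object {
    Write-Output "Tracked account: $($_.PSChildName)"
}
```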
Remote Access Account Lockout Considerations
Before configuring remote access account lockout, you need to determine the following two
configuration items: