Easy way to setup account lockout policies to prevent brute-force attacks

Setting an account lockout policy is a basic control against online password guessing: after a set number of failed logons the account is locked, so an attacker who keeps guessing gets no further feedback. Below are the steps to configure account lockout policies for a domain on Windows Server using the Group Policy Management Console (GPMC), followed by the equivalent steps for a standalone Windows machine via Local Security Policy. Keep two limits in mind while choosing values: lockout only slows guessing against live logon interfaces and does nothing against offline cracking of stolen hashes, and a threshold set too low lets anyone who knows a username lock that user out on purpose.

Setting Account Lockout Policies on Windows Server

Step 1: Open Group Policy Management Console (GPMC)

  1. Open GPMC:
    • Press Windows key + R, type gpmc.msc, and press Enter. This opens the Group Policy Management Console.
  2. Navigate to the Default Domain Policy:
    • In the left pane, expand Forest > Domains > your domain.
    • Right-click on Default Domain Policy and select Edit. Account lockout settings for domain accounts are read only from GPOs linked at the domain level; the same settings in a GPO linked to an OU affect only the local accounts of computers in that OU. The Default Domain Policy is the conventional place for them.

Step 2: Configure Account Lockout Policy

  1. Navigate to Account Lockout Policy:
    • In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  2. Set Account Lockout Threshold:
    • Double-click Account lockout threshold.
    • Set the number of invalid logon attempts that will trigger account lockout. 0 disables lockout entirely. Very low values (3 or fewer) make it trivial for anyone who knows a username to lock that user out on purpose, so a value in the 5 to 10 range is the usual compromise between stopping online guessing and tolerating mistyped passwords.
    • Click Apply and then OK.
  3. Set Account Lockout Duration:
    • Double-click Account lockout duration.
    • Set the duration (in minutes) that the account will be locked out. A common setting is 30 minutes. A value of 0 means the account stays locked until an administrator unlocks it, which turns every lockout into a help-desk call and makes deliberate lockouts far more disruptive.
    • Click Apply and then OK.
  4. Set Reset Account Lockout Counter After:
    • Double-click Reset account lockout counter after.
    • Set the time (in minutes) after which the counter of failed logon attempts is reset. Windows requires this to be less than or equal to the account lockout duration (when the duration is not 0); setting the two equal is the usual choice.
    • Click Apply and then OK.

Step 3: Apply the Policy

  1. Close Group Policy Management Editor:
    • Close the editor; each setting is saved to the GPO when you click OK.
  2. Force Group Policy Update:
    • Lockout for domain accounts is enforced by the domain controllers, so open an elevated Command Prompt on a domain controller and run gpupdate /force to apply the changes immediately (otherwise they take effect at the next policy refresh).
    • Verify the effective domain policy from any domain member with net accounts /domain, which prints the lockout threshold, duration and observation window.
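The steps above write the values into the Default Domain Policy GPO, but the values domain controllers actually consult at logon are attributes on the domain object, and the two can drift (for example after someone runs Set-ADDefaultDomainPasswordPolicy directly, which the GPO silently overwrites at the next refresh). The following PowerShell script is an added example, not code from the original article: it reads the lockout settings from the GPO's security template in SYSVOL, reads the enforced policy with the ActiveDirectory module, and flags drift or weak values. It assumes RSAT's ActiveDirectory module, read access to SYSVOL, and that the target ranges in the parameters (the editor's choices, not a Microsoft figure) suit your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original article): compare the lockout settings
# stored in the Default Domain Policy GPO with the policy the domain enforces,
# and flag drift or weak values. Assumes RSAT's ActiveDirectory module and read
# access to SYSVOL; the thresholds below are the editor's assumptions.
param(
    [int]$MinThreshold   = 5,   # below this a known username is trivially locked out on purpose
    [int]$MaxThreshold   = 10,  # above this online guessing gets too many tries per window
    [int]$MinDurationMin = 15,
    [int]$MinWindowMin   = 15
)

$domain = Get-ADDomain
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the fixed GUID of the Default Domain Policy.
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
       '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# GPMC writes account policies into the GPO as an INF [System Access] section:
#   LockoutBadCount = 5 / LockoutDuration = 30 / ResetLockoutCount = 30
# (LockoutDuration = -1 means "locked until an administrator unlocks it").
$gpo = @{}
if (Test-Path -Path $inf) {
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $gpo[$Matches[1]] = [int]$Matches[2]
        }
    }
} else {
    Write-Warning "Default Domain Policy template not found: $inf"
}

# The values domain controllers consult at logon live on the domain object.
# A duration of "until an administrator unlocks it" is assumed to surface as a
# zero or out-of-range TimeSpan; report it as -1 so it compares with the INF.
function ConvertTo-PolicyMinutes([TimeSpan]$Span) {
    if ($Span.Ticks -eq 0 -or [math]::Abs($Span.TotalDays) -gt 36500) { return -1 }
    return [int]$Span.TotalMinutes
}
$pol = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$effective = @{
    LockoutBadCount   = [int]$pol.LockoutThreshold
    LockoutDuration   = ConvertTo-PolicyMinutes $pol.LockoutDuration
    ResetLockoutCount = [int]$pol.LockoutObservationWindow.TotalMinutes
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Drift between the GPO and the enforced policy: the GPO wins at the next refresh.
foreach ($k in @($gpo.Keys)) {
    if ($gpo[$k] -ne $effective[$k]) {
        $findings.Add("$k drift: GPO says $($gpo[$k]), domain currently enforces $($effective[$k])")
    }
}

# 2. Weak or unsafe values in the enforced policy.
$t = $effective.LockoutBadCount
if ($t -eq 0) {
    $findings.Add('Lockout disabled (threshold 0): online password guessing is unthrottled')
} elseif ($t -lt $MinThreshold) {
    $findings.Add("Threshold $t is below $MinThreshold`: attackers can lock users out at will")
} elseif ($t -gt $MaxThreshold) {
    $findings.Add("Threshold $t is above $MaxThreshold`: too many guesses per observation window")
}
if ($effective.LockoutDuration -ne -1 -and $effective.LockoutDuration -lt $MinDurationMin) {
    $findings.Add("Lockout duration $($effective.LockoutDuration) min is below $MinDurationMin")
}
if ($effective.ResetLockoutCount -lt $MinWindowMin) {
    $findings.Add("Reset window $($effective.ResetLockoutCount) min is below $MinWindowMin")
}

if ($findings.Count -eq 0) {
    "OK: threshold=$t duration=$($effective.LockoutDuration)m window=$($effective.ResetLockoutCount)m"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it as a domain user with SYSVOL read access after the gpupdate step; a drift finding right after editing the GPO usually just means the domain controllers have not refreshed yet, while a persistent one means something else is setting the domain attributes directly.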

Setting Account Lockout Policies on Local Machine

If you want to set account lockout policies on a standalone Windows machine (not part of a domain), follow these steps:

Step 1: Open Local Security Policy

  1. Open Local Security Policy:
    • Press Windows key + R, type secpol.msc, and press Enter. This opens the Local Security Policy manager.

Step 2: Configure Account Lockout Policy

  1. Navigate to Account Lockout Policy:
    • In the Local Security Policy manager, navigate to Account Policies > Account Lockout Policy.
  2. Set Account Lockout Threshold:
    • Double-click Account lockout threshold.
    • Set the number of invalid logon attempts that will trigger account lockout. Click Apply and then OK.
  3. Set Account Lockout Duration:
    • Double-click Account lockout duration.
    • Set the duration (in minutes) that the account will be locked out. Click Apply and then OK.
  4. Set Reset Account Lockout Counter After:
    • Double-click Reset account lockout counter after.
    • Set the time (in minutes) after which the counter of failed logon attempts is reset. Click Apply and then OK.

Step 3: Apply the Policy

  1. Close Local Security Policy:
    • Close the Local Security Policy manager; each setting is written to the local security database when you click OK.
  2. Verify the Policy:
    • No restart is required; the new values apply to the next logon attempt. Open an elevated Command Prompt and run net accounts to confirm the lockout threshold, duration and observation window.
    • On a domain-joined machine, account policy from a domain-linked GPO overrides these local settings, so configure it in GPMC instead.
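Local Security Policy is a front end for secedit and the same settings can be applied from a script, which is what you want when building or hardening standalone machines repeatedly. The following PowerShell script is an added example, not code from the original article: it validates the three values against the constraints Windows enforces, imports them with secedit, and then parses net accounts to confirm the live values without a reboot. The numbers in the parameters are assumptions to tune for your environment, and the temporary file names are arbitrary.

```powershell
# Added example (not from the original article): set the local account lockout
# policy on a standalone machine from an elevated PowerShell prompt and verify
# it, using the same secedit mechanism that secpol.msc uses. Values are assumptions.
param(
    [int]$Threshold       = 5,   # invalid attempts before lockout (0 disables lockout)
    [int]$DurationMinutes = 30,  # 0 = locked until an administrator unlocks the account
    [int]$WindowMinutes   = 30   # reset the failure counter after this many minutes
)

if ($Threshold -lt 0 -or $Threshold -gt 999) { throw 'Threshold must be between 0 and 999' }
if ($DurationMinutes -ne 0 -and $WindowMinutes -gt $DurationMinutes) {
    throw 'Reset window must be less than or equal to the lockout duration (Windows enforces this)'
}

# The security template encodes "until an administrator unlocks" as -1, not 0.
$infDuration = if ($DurationMinutes -eq 0) { -1 } else { $DurationMinutes }

# Minimal security template: only the [System Access] keys we want to change.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = {0}
LockoutDuration = {1}
ResetLockoutCount = {2}
'@ -f $Threshold, $infDuration, $WindowMinutes

$inf = Join-Path $env:TEMP 'lockout-policy.inf'   # arbitrary temp file names
$db  = Join-Path $env:TEMP 'lockout-policy.sdb'
$template | Set-Content -Path $inf -Encoding Unicode

# /areas SECURITYPOLICY limits the import to account and audit policy settings,
# so nothing else in the template (there is nothing else) can touch the system.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue

# No reboot: the values are read at the next logon attempt. 'net accounts'
# prints the live policy; parse it to prove the change took effect.
$live = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^Lockout threshold:\s+(\S+)')                    { $live.Threshold = $Matches[1] }
    if ($line -match '^Lockout duration \(minutes\):\s+(\S+)')          { $live.Duration  = $Matches[1] }
    if ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $live.Window    = $Matches[1] }
}

# 'Never' is how net accounts prints a threshold of 0 (lockout disabled).
$expectedThreshold = if ($Threshold -eq 0) { 'Never' } else { "$Threshold" }
if ($live.Threshold -ne $expectedThreshold) {
    throw "Threshold not applied: expected $expectedThreshold, net accounts shows '$($live.Threshold)'"
}
"Applied: threshold=$($live.Threshold) duration=$($live.Duration)m window=$($live.Window)m"
```

Because the change goes straight into the local security database, the values show up in secpol.msc as well; re-running the script with different parameters simply overwrites them.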

Summary

Configuring account lockout policies is a straightforward process that enhances security by limiting the number of failed logon attempts an attacker can make against a live logon interface. Whether you are setting these policies for a domain using GPMC or on a standalone machine using Local Security Policy, the steps involve specifying the threshold for failed attempts, the lockout duration, and the time to reset the lockout counter. Reviewing the lockouts that actually occur (Security event 4740) tells you whether the threshold is catching attackers or mostly locking out legitimate users, and is the basis for adjusting the values over time.
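Reviewing the policy means looking at the lockouts it produces. The following PowerShell script is an added example, not code from the original article: it collects Security event 4740 (a user account was locked out) and summarizes lockouts per account with the computers the failures came from, which separates a stale saved credential (one host locking the same account repeatedly) from a password spray or deliberate lockout attack (many hosts or many accounts). It assumes it is run on the PDC emulator, which records every domain lockout, and the field mapping follows the 4740 event schema (TargetUserName is the locked account, TargetDomainName is the calling computer). The sample records are constructed so the summary can be exercised offline with -UseSample.

```powershell
# Added example (not from the original article): summarize account lockouts
# (Security event 4740) so the lockout threshold can be reviewed against what
# is actually happening. Assumes it runs on the PDC emulator; -UseSample uses
# constructed records instead of the event log.
param([int]$Days = 7, [switch]$UseSample)

function Get-LockoutRecords {
    param([int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = $data['TargetUserName']
            Source  = $data['TargetDomainName']   # shown as "Caller Computer Name" in Event Viewer
        }
    }
}

function Get-LockoutSummary {
    param([object[]]$Records)
    $Records | Group-Object -Property Account | ForEach-Object {
        $sources = @($_.Group.Source | Sort-Object -Unique)
        [pscustomobject]@{
            Account  = $_.Name
            Lockouts = $_.Count
            Sources  = ($sources -join ', ')
            # One host locking the same account again and again is usually a
            # stale saved credential; many hosts, or many accounts in a short
            # window, looks like a password spray or a deliberate lockout DoS.
            Pattern  = if ($sources.Count -gt 1) { 'multi-source' } else { 'single-source' }
        }
    } | Sort-Object -Property Lockouts -Descending
}

# Constructed sample records (not real log data) for running the summary offline.
$sample = @(
    [pscustomobject]@{ Time = (Get-Date).AddHours(-3);    Account = 'jdoe';       Source = 'WS-0412' },
    [pscustomobject]@{ Time = (Get-Date).AddHours(-2);    Account = 'jdoe';       Source = 'WS-0412' },
    [pscustomobject]@{ Time = (Get-Date).AddHours(-1);    Account = 'jdoe';       Source = 'WS-0412' },
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-30); Account = 'svc-backup'; Source = 'VPN-GW1' },
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-29); Account = 'svc-backup'; Source = 'WS-0099' }
)

$records = if ($UseSample) { $sample } else { @(Get-LockoutRecords -Days $Days) }
if ($records.Count -eq 0) { "No 4740 lockout events in the last $Days day(s)."; return }
Get-LockoutSummary -Records $records | Format-Table -AutoSize
```

A steady stream of single-source lockouts for the same accounts is the signal that the threshold is punishing users rather than attackers and that the stale credential should be fixed; a burst of multi-source lockouts across many accounts within one observation window is the signal to investigate rather than to raise the threshold.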