
Create an Account Lockout Policy

Posted March 2007 by Steve Sinchak

In my last article I showed you how to protect your computer against anonymous user account attacks by turning on account logon auditing, so you can see when someone attempts to log on to your account remotely.  Now I am going to help you increase your level of protection with the Account Lockout Policy.

Creating an Account Lockout Policy will protect your account by limiting the number of times a remote application or attacker can try to guess your password.  It works by automatically locking your account after a designated number of incorrect passwords have been entered.  Your account remains locked for a designated period of time before it is automatically unlocked and can be logged into again.  This is a valuable addition to your account security because it can render brute force password attacks useless.  If you have your lockout threshold set to 4 bad attempts and the lockout duration to 15 minutes, an attacker can try to guess your password a maximum of 16 times per hour.

Now that you know how valuable an Account Lockout Policy is, let’s get it set up on your computer:

  1. Click on the Start Button and key in Secpol.msc and hit Enter.
  2. Navigate through Account Policies and Account Lockout Policy.
  3. Right click on Account lockout threshold and select Properties.
  4. Enter in the value you want to use and hit OK to save. I like to use 4 here.
  5. Windows will set the default values for the lockout duration and Reset account lockout counter values.  If you want to change these values from the defaults (30 minutes), right click on them and select Properties. After making your changes hit OK to save and exit.
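
The same policy can be applied and checked from the command line with the built-in `net accounts` command. The script below is an added example, not part of the original article: it sets the three lockout values, then reads the policy back and fails if it does not match. The parameter names are this example's own, the 15-minute reset window is an assumed value, and the output labels it parses are those of English-language Windows.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
param(
    [int]$Threshold       = 4,   # bad attempts before lockout (the article's suggestion)
    [int]$DurationMinutes = 15,  # lockout duration (the article's worked example)
    [int]$WindowMinutes   = 15   # "Reset account lockout counter after" (assumed value)
)

# The lockout duration must be at least as long as the reset window.
if ($Threshold -lt 1 -or $WindowMinutes -lt 1 -or $DurationMinutes -lt $WindowMinutes) {
    throw "Need Threshold >= 1 and DurationMinutes >= WindowMinutes >= 1."
}

# Changing account policy requires administrator rights.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated PowerShell prompt." }

# Apply all three settings in one call.
net accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$DurationMinutes" "/lockoutwindow:$WindowMinutes" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE." }

# Read the effective policy back into a label -> value table.
# Labels are those printed by English-language Windows (assumption).
$policy = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.+?):\s+(\S.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
}

# Compare what Windows reports against what was requested.
$expected = [ordered]@{
    'Lockout threshold'                    = "$Threshold"
    'Lockout duration (minutes)'           = "$DurationMinutes"
    'Lockout observation window (minutes)' = "$WindowMinutes"
}
foreach ($name in $expected.Keys) {
    if ($policy[$name] -ne $expected[$name]) {
        throw "$name is '$($policy[$name])', expected '$($expected[$name])'."
    }
    "{0,-38} {1}" -f $name, $policy[$name]
}
```

On a domain-joined computer the domain's lockout policy takes precedence over values set locally this way.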
