Remote Access Account Lockout

Remote access account lockout can be used by a network administrator to configure how many failed logon attempts are permitted before a remote access user’s account is locked out. This feature is particularly useful if you are using a remote access VPN to provide users with remote access to the network. It reduces the chances of an attacker gaining access to your network by attempting to guess the password associated with a user account.

Two things must be decided upon when using remote access account lockout. First of all you must decide how many failed logon attempts will be allowed before the account is locked out. Second, you must configure how often the failed attempts counter is reset to 0. For example, if the number of failed logon attempts allowed is 4, a user account will be locked out once the number of failed logons exceeds this number. The reset counter then determines how long before the number of failed logon attempts is set back to 0.

This feature is not enabled by default. In order to use it, you must edit the Windows registry. The remote access account lockout feature is enabled using the registry. To enable remote access account lockout you must change the MaxDenial value found under the

HKEY_Local_Machine \ System \ CurrentControlSet \ Services \ RemoteAccess \ Parameters \ AccountLockout subkey.

To enable configure the amount of time that must pass before the failed attempts counter is reset, edit the ResetTime value found under the same registry subkey. The default value for the ResetTime is 48 hours or 2,880 minutes.

[tags]windows,microsoft,diana huggins,remote access,account lockout[/tags]