Configuring Account Lockout Policy

The Account Lockout Policy determines when a local or domain user account is locked out after repeated failed logon attempts, and for how long. These settings help protect accounts against password guessing and brute-force attacks, in which many candidate passwords are submitted in succession in an attempt to gain access to an account. There are three account lockout settings:

  • Account Lockout Duration If an account does become locked out, this setting determines how long it stays locked before it is unlocked automatically. It has no default of its own, because it only takes effect once an Account Lockout Threshold is set (the policy editor then proposes 30 minutes). The range is 0 through 99,999 minutes. A value of 0 locks the account indefinitely, so an administrator must unlock it manually.
  • Account Lockout Threshold This setting determines how many failed logon attempts Windows Server 2008 permits before the account is locked out. The range is 0 to 999. If it is 0, accounts are never locked out and the Account Lockout Duration setting is disabled. The default is 0, so no lockout occurs at all unless you set this value.
  • Reset Account Lockout Counter After This setting is the number of minutes after a failed logon before the failed-logon counter is reset to zero. If Account Lockout Threshold is enabled, this value must be less than or equal to Account Lockout Duration. The valid range is 1 to 99,999 minutes.

When you set top-level account policy in the Default Domain Policy, these policies are located under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy (the Windows Server 2008 Group Policy Management Editor shows the same node under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy). When you set secondary account policy for a Password Settings Object (PSO), you configure the same three values through the PSO attributes msDS-LockoutThreshold, msDS-LockoutDuration, and msDS-LockoutObservationWindow.
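The following PowerShell script is an added example and not code from the original page. It reads the top-level lockout settings applied by the Default Domain Policy, creates a stricter PSO for a sensitive group after checking the relationships between the three values described above, and reads back the raw msDS-Lockout* attributes to show how they are stored. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later, or RSAT; on Windows Server 2008 itself a PSO is created with ADSI Edit or ldifde instead) and that a group named Tier0-Admins exists; both the group and the PSO name are hypothetical.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module is available and that the group 'Tier0-Admins' exists (hypothetical).
Import-Module ActiveDirectory

# 1. Top-level lockout policy, as applied by the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Stricter values for a PSO. Check the relationships described in the
#    text before writing anything to the directory.
$threshold = 5                          # 0 would disable lockout entirely
$duration  = New-TimeSpan -Minutes 30   # 0 = locked until an admin unlocks
$window    = New-TimeSpan -Minutes 30   # Reset Account Lockout Counter After

if ($threshold -lt 0 -or $threshold -gt 999) { throw 'Threshold must be in the range 0..999' }
if ($threshold -eq 0) { Write-Warning 'Threshold 0: lockout is disabled; duration and window are ignored' }
if ($window.TotalMinutes -lt 1) { throw 'Reset window must be at least 1 minute' }
if ($duration.Ticks -ne 0 -and $window -gt $duration) {
    throw "Reset window ($window) must not exceed lockout duration ($duration)"
}

# 3. Create the PSO and apply it to the group. When several PSOs apply to
#    one user, the lowest Precedence value wins.
$psoName = 'PSO-Tier0'   # hypothetical name
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -LockoutThreshold $threshold -LockoutDuration $duration -LockoutObservationWindow $window `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# 4. Read back the "similarly named" PSO attributes. The two durations are
#    stored as a negative count of 100-nanosecond intervals, so 30 minutes
#    appears in the directory as -18000000000.
$psoDn = (Get-ADFineGrainedPasswordPolicy -Identity $psoName).DistinguishedName
$raw = Get-ADObject -Identity $psoDn `
    -Properties msDS-LockoutThreshold, msDS-LockoutDuration, msDS-LockoutObservationWindow
[PSCustomObject]@{
    Threshold = $raw.'msDS-LockoutThreshold'
    Duration  = [TimeSpan]::FromTicks(-1 * [long]$raw.'msDS-LockoutDuration')
    Window    = [TimeSpan]::FromTicks(-1 * [long]$raw.'msDS-LockoutObservationWindow')
}

# 5. With a lockout duration of 0, locked accounts stay locked until an
#    administrator clears them. List them first; unlock deliberately.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
# Search-ADAccount -LockedOut | Unlock-ADAccount    # uncomment to unlock all
```

The pre-flight checks mirror the rules the policy editor enforces in the GUI: a threshold of 0 makes the other two values meaningless, and the reset window may not exceed the duration unless the duration is 0 (locked until unlocked). Step 4 is the part to remember when you script PSOs with ADSI or ldifde rather than the cmdlets, because you must write the negative 100-nanosecond form yourself.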

Setting Kerberos Policy

Kerberos is the authentication protocol used by Active Directory: a client proves its identity to the Key Distribution Center (KDC) on a domain controller and receives tickets that it presents to services, so the user's password is never sent to the target service. Windows Server 2008 has five Kerberos Policy settings, which apply only to domain user accounts. They can be set only as top-level account policy (not in a PSO) and are located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. They are as follows:

  • Enforce User Logon Restrictions: When enabled (the default), the KDC validates every session ticket request against the user rights policy of the target computer (Allow Log On Locally or Access This Computer From The Network). Keep it enabled; disabling it saves the KDC a small amount of work at the cost of skipping that check.
  • Maximum Lifetime For Service Ticket: The default is 600 minutes (10 hours). The value must be greater than 10 minutes and less than or equal to the Maximum Lifetime For User Ticket setting. It does not affect sessions that have already been authenticated: an expired service ticket only matters when the client opens a new connection to the service and must request a fresh ticket.
  • Maximum Lifetime For User Ticket: This governs the ticket-granting ticket (TGT) rather than a service ticket. It is the maximum time a TGT may be used to request service tickets before the user must obtain a new TGT or renew the existing one, whereas a service ticket grants access to one particular service. The default is 10 hours.
  • Maximum Lifetime For User Ticket Renewal: This sets how long a TGT may be renewed before the user must authenticate again to obtain a fresh one. The default is seven days.
  • Maximum Tolerance For Computer Clock Synchronization: Kerberos tickets and authenticators carry timestamps, so workstations, servers, and domain controllers must agree on the time. This setting is the maximum clock difference (default 5 minutes) that is tolerated before authentication fails; a larger value widens the window in which a captured authenticator could be replayed.
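As an added example that is not part of the original page, this PowerShell script exports the security policy in effect on a domain controller, parses the [Kerberos Policy] section of the resulting template, and checks the five values against the relationships described above. It assumes it runs elevated on a domain controller (on a member server the section is empty or reflects local settings only); the output path is arbitrary. The INF key names MaxTicketAge (hours), MaxRenewAge (days), MaxServiceAge (minutes), MaxClockSkew (minutes) and TicketValidateClient are the names secedit uses for the five GUI settings.

```powershell
# Added example, not from the original page. Run elevated on a domain
# controller; the export path below is arbitrary.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Pull the [Kerberos Policy] section of the template into a name -> integer map.
$kerb = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($matches[1] -eq 'Kerberos Policy')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $kerb[$matches[1]] = [int]$matches[2]
    }
}
if ($kerb.Count -eq 0) { throw 'No [Kerberos Policy] section found; run this on a domain controller.' }

# INF key names map to the GUI names; note that each setting has its own unit.
$tgtLifetimeHours   = $kerb['MaxTicketAge']          # Maximum Lifetime For User Ticket
$renewLifetimeDays  = $kerb['MaxRenewAge']           # Maximum Lifetime For User Ticket Renewal
$serviceLifetimeMin = $kerb['MaxServiceAge']         # Maximum Lifetime For Service Ticket
$clockSkewMin       = $kerb['MaxClockSkew']          # Maximum Tolerance For Computer Clock Synchronization
$enforceRestrict    = $kerb['TicketValidateClient']  # Enforce User Logon Restrictions (1 = enabled)

# Check the constraints stated in the text; collect findings rather than stopping at the first.
$findings = @()
if ($enforceRestrict -ne 1) {
    $findings += 'Enforce User Logon Restrictions is disabled; the KDC skips the user-rights check'
}
if ($serviceLifetimeMin -le 10) {
    $findings += "Service ticket lifetime ($serviceLifetimeMin min) must be greater than 10 minutes"
}
if ($serviceLifetimeMin -gt $tgtLifetimeHours * 60) {
    $findings += "Service ticket lifetime ($serviceLifetimeMin min) exceeds the TGT lifetime ($tgtLifetimeHours h)"
}
if ($renewLifetimeDays * 24 -lt $tgtLifetimeHours) {
    $findings += "Renewal lifetime ($renewLifetimeDays d) is shorter than the TGT lifetime ($tgtLifetimeHours h)"
}
if ($clockSkewMin -gt 5) {
    $findings += "Clock skew tolerance ($clockSkewMin min) is looser than the 5-minute default"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    "Kerberos Policy (TGT $tgtLifetimeHours h, renew $renewLifetimeDays d, service $serviceLifetimeMin min, skew $clockSkewMin min) is consistent."
}

# Compare the policy with what the KDC actually issued for the current logon:
# Start Time, End Time and Renew Time on the TGT follow the two lifetime settings.
klist tgt
```

Parsing the exported template rather than reading the GPO directly shows the values the local security database actually holds after Group Policy has applied, which is what the KDC enforces. The final klist tgt call is the quick sanity check: the gap between Start Time and End Time should equal Maximum Lifetime For User Ticket, and Renew Time minus Start Time should equal the renewal lifetime.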

Note:
If you change the Minimum Password Length setting to fewer than seven characters (the default), you may not be able to create a new user or change a user's password. To work around this limitation, set the minimum password length to seven or higher.