Account Lockout
Describe the different account lockout policies and how to display or manipulate them.
Windows
Display the account lockout policy:
net accounts
net accounts /domain
| Setting | Default | Description |
|---|---|---|
| Lockout threshold | 0 | This count is the number of bad password attempts for an account that will be accepted before the account is locked out. A value of 0 means accounts will never lock out. |
| Lockout duration (minutes) | ? | Amount of time that an account will be locked out until it is automatically re-enabled. A value of 0 requires a manual action to re-enable the account. |
| Lockout observation window (minutes) | ? | Time duration over which bad logon attempts are counter. After this time frame passes, the bad logon attempts counter is reset to 0. |
Tip
By default, the original administrator account cannot be locked out. This applies only to the original administrator (SID 500), even if that account is renamed.
Linux
Usually implemented via PAM Tally.
grep tally /etc/pam.d/*; grep tally /etc/pam.conf
Tip
Reset the number of failed password attempts using faillog -r -u [login_name]