To increase security for our customers, we have introduced new options in PC Matic to set the Windows Account Lockout Threshold by default. This setting specifically deters multiple failed login attempts within a short period of time and can thwart brute force RDP attacks.
What is Account Lockout Threshold?
Account Lockout Threshold is a setting native to Windows that determines the number of failed login attempts that will cause a user account to be locked. The account will then remain locked until either manually reset or the number of minutes specified by the Observation setting has passed. This threshold is now automatically set by PC Matic and cannot be turned off. You can adjust the settings for each portion to fit your environment. The full threshold is made up of three different options.
- Account Lockout Threshold – The threshold determines the number of failed login attempts that can happen within the Account Lockout Duration before a users account is locked for the amount of time specified in Account Lockout Observation.
- Account Lockout Duration (minutes) – The duration specifies the time window that the failed login attempts must fall between in order to lock down the users’ account.
- Account Lockout Observation (minutes) – The observation specifies the amount of time that a users account will be locked if both criteria above are met, before being automatically unlocked. Available values range from 1 to 99,999 minutes. A value of 0 would require an administrator to explicitly unlock it.
Using the information above we can create an example with the PC Matic recommendations (Account Lockout Threshold: 10, Account Lockout Duration: 5, Account Lockout Observation: 5).
If a cybercriminal is attempting to determine the password to a users account by trial and error and fails 10 times within a 5-minute window beginning at the time of the first fail, that users account will be locked for 5 minutes and not allow any more login attempts.
So as you can see above, these values can be changed to give more leeway to users forgetting their login credentials on a normal basis, or more strict to keep cybercriminals locked out for longer periods of time with that lock occurring sooner in the brute force process.
Requirements
If Account Lockout Threshold is set to a number greater than 0, Account Lockout Observation must be set to a value greater than or equal to the value of Account Lockout Duration.
What is This Used to Defend Against?
This Windows setting can mainly be used to defend against Brute Force attacks by cybercriminals. During a brute force attack, hackers can theoretically guess thousands or even millions of passwords for any and all user accounts. Typically if successful, the attacker will then have access to the device via Remote Desktop Protocol and begin to manually carry out an attack. This could entail turning off antivirus to install malware or ransomware, stealing valuable information, or other common attacks.
What are PC Matic’s Recommended Settings?
PC Matic Strongly recommends at least using the recommended settings below to keep your devices secure from brute force attacks. In most cases, normal users will not fail their login 10 times during a 5-minute window meaning they will never see an inconvenience from this security setting. You can, however, make this setting much stricter if you’d like to lock login attempts down even more by using something similar to the high-security settings below.
PC Matic Recommended/Default Settings
- Account Lockout Threshold: 10
- Account Lockout Duration: 5
- Account Lockout Observation: 5
High-Security Settings
- Account Lockout Threshold: 5
- Account Lockout Duration: 2
- Account Lockout Observation: 5
