
AVEVA™ Asset Information Management

Account Lockout Policy

  • Last Updated: May 10, 2023

As a general security measure, most systems use several mechanisms to limit an attacker's ability to gain unauthorised access by automated or fraudulent means. Examples of these mechanisms include:

  • Rate limiting login attempts.

  • Limiting the number of failed attempts that can be made on a single login before the account is disabled, either temporarily, or until manually re-enabled.

  • Geo-bounding logins.

  • CAPTCHAs.

This section is intended to cover the recommended configuration of Windows account lockout policy. It is intended for a user familiar with Windows domain configuration.

Note: The GPO (Group Policy Object) to be modified depends on the domain configuration and on the policies in place for administration of the domain. Some domains require the Default Domain Policy GPO itself to be modified; others require a separate GPO dedicated to account policies. In either case the settings to be modified are the same. Be aware that for domain accounts the account lockout settings are read by the domain controllers from the highest-precedence GPO linked at the domain root; a GPO linked to an organisational unit only affects the local accounts of the computers in that unit. If multiple GPOs are linked at the domain root, make sure the link order is set such that the account policies described here are the ones in effect. To apply different lockout settings to a subset of the domain users, use a Fine-Grained Password Policy (Password Settings Object) rather than GPO security filtering, which cannot scope domain account policies to a group.

The administrator must give careful consideration to appropriate values for the environment being managed. For example, on a system in which any user may make access attempts, setting the lockout duration to 0 (and hence requiring manual intervention to unlock a user) opens that system to denial of service attacks. The documentation referenced below provides a fuller discussion of these issues.

For a full discussion of account policies, refer to http://technet.microsoft.com/en-us/library/hh125920%28v=ws.10%29.aspx.

Through the UI:

  1. From the Administrative Tools, open the Group Policy Management console.

  2. Expand the domain being managed.

  3. Expand Group Policy Objects.

  4. Select the GPO to edit, or create a new GPO as appropriate.

  5. Right-click on the GPO and select Edit. The GPO will open in the Group Policy Management Editor.

  6. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, and select Account Lockout Policy.

  7. Set the Account lockout duration, Account lockout threshold and Reset account lockout counter after settings to values appropriate for your organization.

  8. Exit the Group Policy Management Editor.

  9. If a GPO other than the default has been edited, make sure that it is linked, applies to the appropriate users and groups (security filtering), and is in the correct link location.

  10. The policy modifications take effect once the domain controllers next refresh Group Policy (every 5 minutes by default); run gpupdate /force on a domain controller to apply them immediately.

In the example configuration, a new policy intended for the members of the PortalUsers security group is linked to the domain and placed above the Default Domain Policy in the link order, so that its account settings take precedence. Accounts lock out after 5 failed attempts for 30 minutes, and the failed-attempt counter resets after 30 minutes. Because the policy is linked at the domain root, these values become the lockout policy for every domain account, not only for PortalUsers; if PortalUsers genuinely needs different values from the rest of the domain, define them in a Fine-Grained Password Policy that applies to that group.

Through the Command Line:

PowerShell automation of Group Policy is limited. The built-in GroupPolicy module can create and link GPOs (New-GPO, New-GPLink) and set registry-based settings (Set-GPRegistryValue), but it exposes no cmdlet for the security settings that hold the account lockout policy. Editing those settings in a GPO currently requires additional software, such as https://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/.
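Although the GPO itself cannot be edited from the built-in cmdlets, the resulting policy can be verified from PowerShell, which is the check an administrator wants after the steps above: confirm that the domain-wide lockout settings are the intended ones, that any Fine-Grained Password Policies carry sane values, and which policy actually governs a given account. The following script is an added example, not AVEVA's code; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, the 5 / 30 / 30 values from the example above as the expected settings, and a placeholder account name svc-portal.

```powershell
# Added example (not AVEVA's code): audit the effective account lockout policy of the
# current domain. Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

# Expected values are assumptions for illustration, matching the 5 / 30 / 30 example above.
$ExpectedThreshold = 5                           # failed attempts before lockout
$ExpectedDuration  = New-TimeSpan -Minutes 30    # how long the account stays locked
$ExpectedWindow    = New-TimeSpan -Minutes 30    # reset counter after this much quiet time

function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $Threshold,
        [Parameter(Mandatory)] [TimeSpan] $Duration,
        [Parameter(Mandatory)] [TimeSpan] $Window
    )
    $findings = @()

    if ($Threshold -eq 0) {
        # Threshold 0 disables lockout entirely: online password guessing is unlimited.
        $findings += "lockout threshold is 0, accounts never lock out"
    } elseif ($Threshold -ne $ExpectedThreshold) {
        $findings += "lockout threshold is $Threshold, expected $ExpectedThreshold"
    }

    # Duration 0 means "locked until an administrator unlocks", which turns the lockout
    # into a denial-of-service vector against any account an attacker can name.
    if ($Threshold -gt 0 -and $Duration.TotalMinutes -eq 0) {
        $findings += "lockout duration is 0 (manual unlock required): denial-of-service risk"
    } elseif ($Duration -ne $ExpectedDuration) {
        $findings += "lockout duration is $($Duration.TotalMinutes) min, expected $($ExpectedDuration.TotalMinutes)"
    }

    # Windows requires the reset window to be no longer than a non-zero lockout duration.
    if ($Duration.TotalMinutes -gt 0 -and $Window -gt $Duration) {
        $findings += "reset window ($($Window.TotalMinutes) min) exceeds lockout duration"
    } elseif ($Window -ne $ExpectedWindow) {
        $findings += "reset window is $($Window.TotalMinutes) min, expected $($ExpectedWindow.TotalMinutes)"
    }

    [pscustomobject]@{
        Policy    = $Name
        Threshold = $Threshold
        Duration  = $Duration
        Window    = $Window
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# 1. The domain-wide policy: what the highest-precedence GPO linked at the domain root sets.
$domain = Get-ADDefaultDomainPasswordPolicy
Test-LockoutPolicy -Name 'Domain-wide policy' -Threshold $domain.LockoutThreshold `
    -Duration $domain.LockoutDuration -Window $domain.LockoutObservationWindow

# 2. Fine-Grained Password Policies (PSOs): the supported way to give a subset of users,
#    such as a PortalUsers group, lockout settings that differ from the rest of the domain.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-LockoutPolicy -Name "PSO: $($_.Name) (applies to: $($_.AppliesTo -join ', '))" `
        -Threshold $_.LockoutThreshold -Duration $_.LockoutDuration `
        -Window $_.LockoutObservationWindow
}

# 3. Resultant policy for one account, to confirm which of the above actually applies to it.
#    'svc-portal' is a placeholder account name.
$user = 'svc-portal'
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $effective) {
    Write-Host "$user is governed by the domain-wide policy"
} else {
    Write-Host "$user is governed by PSO '$($effective.Name)'"
}
```

Run the script on a domain-joined administrative workstation after the GPO refresh; the domain-wide values it reports should match what net accounts /domain prints on a domain controller. A non-compliant domain-wide result after editing a non-default GPO usually means the GPO is not linked at the domain root or sits below the Default Domain Policy in the link order.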
