is it best practice to use account lockout policy

    Question

  • Windows Server 2008 r2 (will be moving to 2012 r2)

    Since implementing the account lockout policy two days ago, we've been bombarded by calls to unlock accounts, and after a few minutes the same users get their accounts locked again.

    My question: since we are already using a strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? Keeping in mind the above flood of calls.

    Thursday, March 26, 2015 6:56 AM

Answers

  • > Since implementing the account lockout policy two days ago, we've been bombarded by calls to unlock accounts, and after a few minutes the same users get their accounts locked again.
    >
    > My question: since we are already using a strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? Keeping in mind the above flood of calls.

    Account lockout is generally considered unnecessary if you have implemented a very strong password complexity/history policy.

    There are many discussions on the topic of password/passphrase "strength", and it's important to consider the various factors involved and how they affect your organisation's view of "security".

    I would say that 8 chars is not very strong. You should also consider whether password aging/expiry is a useful control at all.

    Since this forum is related to Group Policy, and password/security is really quite a separate topic, you should consider the DS forum or the security forum, or separate research or consulting services, to get a broad understanding of the things to consider for your particular requirements/scenario.

    Other considerations include any security standards, which can be useful reading to understand the nature of the topic (e.g. PCI DSS, HIPAA, FIPS, etc.).


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by Reno Mardo Thursday, March 26, 2015 9:02 AM
    Thursday, March 26, 2015 8:38 AM

All replies

  • It's normal to use a password policy, and users get used to writing their password correctly; a strong password policy is no exception in this world, maybe it is necessary.
    Thursday, March 26, 2015 7:18 AM
  • > account lockout is generally considered un-necessary if you have
    > implemented a very strong password complexity/history policy.
     
    I partially agree :)
     
    In my humble opinion, min PW Length should be set to 14, expiration 180
    days. Lockout count 5 or 10 and lockout reset 5 minutes. You "should"
    set a lockout duration, but it should automatically re-enable the
    account within a reasonable amount of time.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, March 26, 2015 10:39 AM
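The three settings Martin lists (lockout threshold, counter reset window, lockout duration) only make sense together, and the thread never spells out how they interact. The following is an added example, not code from the thread or from Microsoft: a simplified model of the lockout counter (my assumption about the semantics, not Microsoft's implementation) run against Martin's suggested threshold of 5 and reset window of 5 minutes. He only says the duration should be "reasonable", so the 15-minute duration is my assumption; `run_scenario`, `attempt` and the scenario lists are constructed for illustration.

```python
"""Simplified model of the Windows account-lockout counter (assumption, not
Microsoft's implementation): a bad password increments the bad-password count;
the count resets when the observation window has elapsed since the last bad
password; reaching the threshold locks the account; a locked account rejects
every logon until the lockout duration has elapsed, or indefinitely when the
duration is 0 ("until an administrator unlocks it")."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                 # "Account lockout threshold"; 0 disables lockout
    window: timedelta              # "Reset account lockout counter after"
    duration: Optional[timedelta]  # "Account lockout duration"; None = until admin unlocks


@dataclass
class AccountState:
    bad_pwd_count: int = 0
    last_bad_pwd: Optional[datetime] = None
    lockout_time: Optional[datetime] = None


def _maybe_auto_unlock(policy: LockoutPolicy, acct: AccountState, now: datetime) -> None:
    """Clear a lockout whose duration has elapsed before evaluating a new attempt."""
    if (acct.lockout_time is not None and policy.duration is not None
            and now - acct.lockout_time >= policy.duration):
        acct.lockout_time = None
        acct.bad_pwd_count = 0
        acct.last_bad_pwd = None


def attempt(policy: LockoutPolicy, acct: AccountState, now: datetime, password_ok: bool) -> str:
    """Apply one logon attempt; returns 'success', 'bad_password' or 'locked_out'."""
    _maybe_auto_unlock(policy, acct, now)
    if acct.lockout_time is not None:
        return "locked_out"            # a correct password is rejected while locked
    if password_ok:
        acct.bad_pwd_count = 0         # a good logon clears the counter
        acct.last_bad_pwd = None
        return "success"
    # Bad password: the counter only accumulates inside the observation window.
    if acct.last_bad_pwd is not None and now - acct.last_bad_pwd >= policy.window:
        acct.bad_pwd_count = 0
    acct.bad_pwd_count += 1
    acct.last_bad_pwd = now
    if policy.threshold and acct.bad_pwd_count >= policy.threshold:
        acct.lockout_time = now
        return "locked_out"
    return "bad_password"


def run_scenario(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """events: (minutes after start, password_ok) pairs; returns one result per event."""
    t0 = datetime(2015, 3, 26, 8, 0)   # constructed starting time
    acct = AccountState()
    return [attempt(policy, acct, t0 + timedelta(minutes=m), ok) for m, ok in events]


# Martin's values; the 15-minute duration is an assumption ("reasonable amount of time").
MARTIN = LockoutPolicy(threshold=5, window=timedelta(minutes=5), duration=timedelta(minutes=15))
# Same threshold, but duration 0 in GPO terms: locked until an administrator unlocks.
MANUAL = LockoutPolicy(threshold=5, window=timedelta(minutes=5), duration=None)
# Threshold 0: lockout disabled, as Don's answer effectively proposes.
NO_LOCKOUT = LockoutPolicy(threshold=0, window=timedelta(minutes=5), duration=None)

# Constructed scenarios (minutes after start, was the password correct?).
# Five bad passwords inside two minutes, a correct one a minute later, another at minute 18.
BURST = [(0, False), (0.5, False), (1, False), (1.5, False), (2, False), (3, True), (18, True)]
# Mistakes spaced more than 5 minutes apart: the counter resets each time.
SPACED = [(0, False), (6, False), (12, False), (18, False), (24, False), (25, True)]


if __name__ == "__main__":
    for name, policy in (("martin", MARTIN), ("manual", MANUAL), ("no_lockout", NO_LOCKOUT)):
        print(name, "burst: ", run_scenario(policy, BURST))
        print(name, "spaced:", run_scenario(policy, SPACED))
```

With Martin's settings the burst locks the account on the fifth attempt, rejects the correct password at minute 3, and accepts it at minute 18 once the duration has passed; with `MANUAL` the minute-18 logon is still rejected, which is the help-desk flood the question describes. The spaced-out mistakes never lock anything, because each bad password arrives after the 5-minute window has reset the counter.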