Measures to mitigate denial of service (DoS) by optimizing Account Lockout and Password Policy Settings:
An account lockout denial of service occurs when enough bad logon attempts are made against an account, by mistake or by an attacker, to trigger the lockout policy and lock the legitimate user out. To prevent this, first configure the account lockout and password policy settings in a balanced way: strict enough to slow password guessing, loose enough that ordinary users and programs do not trip the lockout.
Configure account lockout and password policies in the Default Domain Policy. Domain account password and lockout settings only take effect from a Group Policy Object linked at the domain root, so defining them elsewhere leads to conflicts and unexpected policy settings.
In the account lockout policy, do not set "Account lockout threshold" below the default value of 10. False lockouts occur when the threshold is lower than that, because users and programs (stale cached credentials in services, scheduled tasks and mapped drives are common sources) retry bad passwords often enough to lock out the account. Each false lockout adds administrative cost: the user's work is interrupted until the account is unlocked, and a helpdesk professional spends time diagnosing and resolving the issue.
| Security category | Account lockout threshold (invalid attempts) | Observation window (minutes) | Lockout duration (minutes) | Cost |
|---|---|---|---|---|
| Low | N/A (no lockout) | N/A | N/A | Low |
| Medium | 10 | 30 | 30 | Medium |
| High | 10 | 30 | 0 (indefinite; an administrator must unlock the account) | High |
| Security category | Password history (passwords remembered) | Maximum password age (days) | Minimum password age (days) | Minimum password length (characters) | Complexity requirements | Cost |
|---|---|---|---|---|---|---|
| Low | 3 | 42 | 0 | 0 | Disabled | Low |
| Medium | 24 | 42 | 1 | 7 | Enabled | Medium |
| High | 24 | 42 | 1 | 8 | Enabled | High |
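The following PowerShell applies the "High" rows of the two tables above to the Default Domain Policy, reads the result back, and then shows the check a helpdesk engineer would run when lockouts still occur: which accounts are locked and which computer caused each lockout. It is an added example, not code from the original article; the domain name `corp.example.com` is an assumption, and it requires the ActiveDirectory module (RSAT) and Domain Admin rights.

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module is installed and the session runs as a Domain Admin.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumed domain name; replace with your own

# "High" row of both tables: threshold 10, 30-minute observation window,
# lockout duration 0 (Windows treats 0 as "locked until an administrator
# unlocks"), history 24, max age 42 days, min age 1 day, min length 8,
# complexity enabled. These attributes live on the domain object and are what
# the Default Domain Policy writes.
$Policy = @{
    Identity                 = $Domain
    LockoutThreshold         = 10
    LockoutObservationWindow = New-TimeSpan -Minutes 30
    LockoutDuration          = New-TimeSpan -Minutes 0
    PasswordHistoryCount     = 24
    MaxPasswordAge           = New-TimeSpan -Days 42
    MinPasswordAge           = New-TimeSpan -Days 1
    MinPasswordLength        = 8
    ComplexityEnabled        = $true
}
Set-ADDefaultDomainPasswordPolicy @Policy

# Read the effective policy back and warn if someone has lowered the threshold
# below 10, which is where false lockouts start generating helpdesk load.
# (A threshold of 0 means lockout is disabled, so it is excluded from the check.)
$Current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$Current | Format-List LockoutThreshold, LockoutObservationWindow, LockoutDuration,
                       PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                       MinPasswordLength, ComplexityEnabled
if ($Current.LockoutThreshold -ne 0 -and $Current.LockoutThreshold -lt 10) {
    Write-Warning "Lockout threshold $($Current.LockoutThreshold) is below 10; expect false lockouts."
}

# Lockouts still happen (stale cached credentials, scheduled tasks, attacks).
# The PDC emulator records every lockout in the domain as Security event 4740,
# so query it for the currently locked accounts and the caller computer name.
$Pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
Search-ADAccount -LockedOut -Server $Pdc | Select-Object SamAccountName, LastLogonDate

Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the TargetDomainName field carries the caller computer name.
            CallerComputer = $data['TargetDomainName']
        }
    }
```

The caller computer reported by event 4740 is the host that submitted the bad passwords; a single workstation or service account host repeatedly locking the same user is the usual sign of a stale stored credential rather than an attack, and fixing it there removes the recurring helpdesk cost the tables account for.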
To protect your business network from account lockout denial of service caused by password-guessing and dictionary attacks from outside the network, block the ports that carry logon traffic (for example SMB, RDP and LDAP) on your routers and perimeter firewalls, so that Internet hosts cannot submit authentication attempts against domain accounts.
To keep user accounts in your enterprise from being locked out by guessing attacks, every user account should have a strong, unique password. Most importantly, administrator accounts should have a long, complex password that you change regularly, since a locked-out administrator account is the most disruptive outcome.
Make sure that all of your servers are up to date with current versions of antivirus software and firewall software, and with the latest Windows security patches.