NPS: Account Lockout
Applies To: Windows Server 2008, Windows Server 2008 R2
You can use remote access account lockout to specify how many times a network access authentication attempt fails against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.
Remote access account lockout settings are universally applied to connection requests. When you configure remote access account lockout with a MaxDenials value other than 0, Network Policy Server (NPS) uses that lockout setting when evaluating connection requests from all Remote Authentication Dial-In User Service (RADIUS) clients regardless of type. This includes connection requests from 802.1X authenticating switches and wireless access points, Terminal Services Gateway (TS Gateway) servers, and Routing and Remote Access service (RRAS) servers configured as VPN and dial-up servers.
When remote access account lockout is enabled, a dictionary attack is thwarted after a specified number of failed attempts. As the network administrator, you must decide on two remote access account lockout variables:
The number of failed attempts before future attempts are denied.
After each failed attempt, a failed attempts counter for the user account is incremented. If the user account’s failed attempts counter reaches the configured maximum, future attempts to connect are denied.
A successful authentication resets the failed attempts counter when its value is less than the configured maximum. In other words, the failed attempts counter does not accumulate beyond a successful authentication.
The frequency with which the failed attempts counter is reset.
The failed attempts counter is periodically reset to 0. If an account is locked out after the maximum number of failed attempts, the failed attempts counter is automatically reset to 0 after the reset time.
If you’re using RRAS and the RRAS server is configured for Windows Authentication, modify the registry on the RRAS server. If the RRAS server is configured for RADIUS authentication, modify the registry on the NPS server.
Enable the remote access account lockout feature by changing the following settings in the registry on the computer that provides authentication services for connection requests.
Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To enable remote access account lockout
Set the MaxDenials entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out.
By default, MaxDenials is set to 0, which means that remote access account lockout is disabled.
To modify the amount of time before the failed attempts counter is reset
Set the ResetTime (mins) entry in the registry to the required number of minutes.
By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).
To manually reset a user account that has been locked out before the failed attempts counter is automatically reset
Delete the following registry entry that corresponds to the user’s account name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.