If you are a security-minded individual, you may have some concerns about a random person attempting to brute-force your Windows login password. Working in an open environment, such as a typical office, leaves your PC exposed to exactly this kind of attack. While your co-workers generally aren't nefarious, most of us have experienced a prank or two involving our PC, say a new wallpaper or home page!

Windows lets you lock out an account for a set period after a set number of unsuccessful logon attempts, a feature that exists precisely to blunt brute-force guessing. While an account is locked out, nobody can log in to it, even with the correct password, until the period expires. That is excellent protection when you've left the PC for a decent stretch of time, but it cuts both ways: anyone who can reach your keyboard can lock you out on purpose by typing a few wrong passwords while you're off getting coffee. You'll need to decide whether the trade-off makes sense in its entirety!

In a business environment you probably have the Professional or Enterprise edition of Windows, in which case you can use the Local Security Policy console (secpol.msc).

Launch Local Security Policy from the Start menu search box (or run secpol.msc).

Navigate to Account Policies and then Account Lockout Policy.

In the right-hand panel you can see that Account lockout threshold is 0 invalid logon attempts (meaning accounts never lock out) and, as a result, Account lockout duration and Reset account lockout counter after are shown as Not Applicable.

To enable the policy, double-click Account lockout threshold. This is the number of incorrect guesses allowed before the temporary lockout applies; 0 disables lockout entirely. In this example I've chosen a threshold of 3, at which point Windows prompts you to accept suggested values for the lockout duration and the reset counter. The suggested default is 30 minutes for both. The reset window must be less than or equal to the lockout duration, and in practice you generally want the two values identical. A lockout duration of 0 is special: the account stays locked until an administrator unlocks it, which is stronger protection but also a bigger nuisance if the prankster strikes.

If you have the Home edition of Windows (likely, if you are unsure), you don't have the Local Security Policy console and so can't adjust these settings graphically. You can still accomplish the task from a Command Prompt opened with administrative rights.

Run the command net accounts. Its output uses the same terminology as above: Lockout threshold, Lockout duration (minutes) and Lockout observation window (minutes). A threshold of Never means lockout is off.

To replicate what we did above, issue the following commands. Keep the observation window no larger than the lockout duration, so if you pick different values, set the duration before widening the window:

  • net accounts /lockoutthreshold:3
  • net accounts /lockoutduration:30
  • net accounts /lockoutwindow:30

You can verify everything was set correctly by running net accounts a second time and checking the three values.

If you ever wish to change or revert the settings, repeat the steps above with the new values; setting the threshold back to 0 turns lockout off again. Note that both the console and net accounts change the local machine's policy only. If your PC is joined to a domain, your domain account is governed by the domain's lockout policy, which an administrator sets centrally.
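The whole procedure, as an added example that is not part of the original post: a PowerShell script, run as Administrator, that applies the post's values (3 attempts, 30 minutes, 30 minutes, all assumptions you can change) with net accounts, reads them back to confirm they took, and adds two checks a practitioner usually wants next: whether a given local account is currently locked, and whether the Security log has recorded any lockouts (event 4740). The parsing assumes English net accounts output, and the lock-status check assumes the WinNT ADSI provider is reachable as "." for the local machine.

```powershell
# Added example (not from the original post): apply and verify the local
# account lockout policy from PowerShell. Run in an elevated session.
#Requires -RunAsAdministrator

$Threshold = 3    # failed attempts before lockout; 0 turns lockout off (assumed value)
$Duration  = 30   # minutes an account stays locked; 0 = until an admin unlocks it
$Window    = 30   # minutes before the failed-attempt counter resets

# Windows requires the observation window to be no longer than the duration
# (a duration of 0 means "forever", so any window is fine then).
if ($Duration -ne 0 -and $Window -gt $Duration) {
    throw "Lockout window ($Window) must not exceed lockout duration ($Duration)"
}

function Get-LocalLockoutPolicy {
    # Read the three lockout lines back out of 'net accounts' (English labels assumed).
    $text = (net accounts) -join "`n"
    $thr  = [regex]::Match($text, 'Lockout threshold:\s+(\S+)').Groups[1].Value
    [pscustomobject]@{
        Threshold = if ($thr -eq 'Never') { 0 } else { [int]$thr }
        Duration  = [int]([regex]::Match($text, 'Lockout duration \(minutes\):\s+(\d+)').Groups[1].Value)
        Window    = [int]([regex]::Match($text, 'Lockout observation window \(minutes\):\s+(\d+)').Groups[1].Value)
    }
}

function Set-LocalLockoutPolicy {
    param([int]$Threshold, [int]$Duration, [int]$Window)
    $current = Get-LocalLockoutPolicy
    # Order the duration/window calls so the window never exceeds the duration
    # at an intermediate step (the GUI enforces this constraint, so don't rely
    # on net accounts being more lenient).
    if ($current.Duration -eq 0 -or $Window -le $current.Duration) {
        $steps = "/lockoutwindow:$Window", "/lockoutduration:$Duration"
    } else {
        $steps = "/lockoutduration:$Duration", "/lockoutwindow:$Window"
    }
    foreach ($arg in @("/lockoutthreshold:$Threshold") + $steps) {
        $out = net accounts $arg 2>&1
        if ($LASTEXITCODE -ne 0) { throw "net accounts $arg failed: $out" }
    }
}

function Test-LocalAccountLocked([string]$Name) {
    # IsAccountLocked via the WinNT ADSI provider (assumed available locally).
    $u = [ADSI]"WinNT://./$Name,user"
    [bool]$u.PSBase.InvokeGet('IsAccountLocked')
}

# Apply, then read back and compare every value rather than trusting the
# "command completed successfully" message.
Set-LocalLockoutPolicy -Threshold $Threshold -Duration $Duration -Window $Window
$after = Get-LocalLockoutPolicy
foreach ($p in 'Threshold', 'Duration', 'Window') {
    $want = Get-Variable -Name $p -ValueOnly
    if ($after.$p -ne $want) { throw "$p is $($after.$p), expected $want" }
}
$after

# Example lock-status query for a local account (change the name as needed):
# Test-LocalAccountLocked 'Guest'

# Recent lockouts recorded on this machine: Security event 4740,
# "A user account was locked out". Properties[0] is the locked account's name.
# Only present if success auditing of User Account Management is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[0].Value } }
```

Run it once after an intentional test of a few bad passwords on a spare local account and you should see that account reported as locked and, if auditing is on, a fresh 4740 entry. To revert, set $Threshold to 0 and run it again.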