Lockout threshold incorrect

Risk Level: Low risk vulnerability

Check or Attack Name: lockout

Platforms: Windows NT

Description:

The lockout threshold is greater than the security policy requires. This lets an attacker mount a brute-force password-guessing attack against any account before it locks. The lockout period should also not be too long, or an attacker can use the lockout period in a denial of service attack against legitimate users.

Remedy:

Set the Lockout After n Bad Logins value so that it is less than or equal to the value required by the current policy.

To change an account lockout count, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the Policies menu, select Account to display the Account Policy dialog box.
  3. Enable Account Lockout.
  4. Set the Lockout After n bad logon attempts to a value that is less than or equal to the value in the current policy.
  5. Click OK.
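
The same setting can be audited without the User Manager dialog. The PowerShell script below is an added example, not part of the original X-Force entry: it parses the text that `net accounts` prints (the "Lockout threshold" and "Lockout duration (minutes)" lines) and reports any value outside a site policy. The policy limits `$PolicyMaxThreshold` and `$PolicyMaxDuration`, the function name `Get-LockoutFindings`, and the sample output block are all assumptions made for this example; the sample is constructed in the shape `net accounts` prints and was not captured from a real host.

```powershell
# Added example (not from the original X-Force entry): compare the account
# lockout settings reported by `net accounts` against an assumed site policy.
$PolicyMaxThreshold = 5    # assumed: policy requires lockout after at most 5 bad logons
$PolicyMaxDuration  = 30   # assumed: lockout must clear within 30 minutes (limits DoS impact)

function Get-LockoutFindings {
    param(
        [Parameter(Mandatory)] [string[]] $NetAccountsOutput,
        [int] $MaxThreshold = $PolicyMaxThreshold,
        [int] $MaxDuration  = $PolicyMaxDuration
    )
    $findings  = @()
    $threshold = $null
    $duration  = $null

    # Pull the two lockout lines out of the command output.
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^\s*Lockout threshold:\s*(\S+)') {
            $threshold = $Matches[1]
        } elseif ($line -match '^\s*Lockout duration \(minutes\):\s*(\S+)') {
            $duration = $Matches[1]
        }
    }

    # Threshold: "Never" means lockout is disabled; a number above policy is the finding
    # this check describes.
    if ($null -eq $threshold) {
        $findings += 'Could not find "Lockout threshold" in the output.'
    } elseif ($threshold -eq 'Never') {
        $findings += 'Account lockout is disabled (threshold = Never); unlimited bad logons are allowed.'
    } elseif (($threshold -as [int]) -gt $MaxThreshold) {
        $findings += "Lockout threshold $threshold exceeds policy maximum $MaxThreshold."
    }

    # Duration: a non-numeric value means no automatic unlock; a number above policy
    # lengthens the window in which an attacker can keep accounts locked out.
    if ($null -ne $duration) {
        $minutes = $duration -as [int]
        if ($null -eq $minutes) {
            $findings += "Lockout duration is '$duration' (no automatic unlock); locked accounts stay locked until an administrator intervenes."
        } elseif ($minutes -gt $MaxDuration) {
            $findings += "Lockout duration $minutes minutes exceeds policy maximum $MaxDuration."
        }
    }
    return $findings
}

# Constructed sample in the shape `net accounts` prints (not captured from a real host).
$sample = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          42',
    'Minimum password length:                              0',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    50',
    'Lockout duration (minutes):                           Forever',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        WORKSTATION',
    'The command completed successfully.'
)

Get-LockoutFindings -NetAccountsOutput $sample
# On a live host, feed the real command output instead:
#   Get-LockoutFindings -NetAccountsOutput (net accounts)
```

With the constructed sample the script reports two findings: the threshold of 50 exceeds the assumed policy maximum of 5, and the duration has no automatic unlock. After applying the remedy above, re-running the check against `net accounts` should return no findings.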

References:
