Remote Access Account Lockout Considerations

Published: 04th November 2010
This feature specifies how many times a remote access authentication attempt against a valid RAS client account can fail before the account is locked out. The remote access account lockout feature can be used to protect accounts against a dictionary or brute-force password-cracking attack. In these types of attacks, hundreds of thousands of VPN connection attempts are sent across the network in an attempt to compromise a user account.

If smart cards are used, lockout is controlled by the design of the smart card. The manufacturer determines how many times a user can enter an incorrect PIN before lockout. Smart-card lockout recovery might require replacement of the smart card.

Setting remote access account lockout has no impact on the setting in the Group Policy Account lockout policy, nor does a setting in Group Policy affect the remote access account lockout feature. Instead, you must edit the registry to turn on the feature and edit the registry to unlock locked accounts. Before deciding to set account lockout, you should consider the following points:
- Setting lockout to apply after a specified number of attempts will foil password-cracking attacks but will also lock out legitimate users until the lockout is reset.
- A registry modification is required. The modification is made on the RAS server if Windows authentication is used. The modification is made on the IAS server if RADIUS authentication is used.
- The account lockout feature is not related to the Account Lockout Policy of Windows computers. The Account Lockout Policy works only for LAN connections, while the account lockout feature works only with remote connection attempts.

The AccountLockout subkey is added to the registry when the Routing and Remote Access or Internet Authentication Service is installed on the Windows Server 2003 computer. The subkey is located at:
To enable account lockout, set the MaxDenials value to the number of failed attempts that are allowed before lockout will occur. The number of failed attempts is reset according to the ResetTime value. Setting MaxDenials to zero disables remote account lockout.
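
The counter behaviour described above, as an added example (a simplified model, not code from this article or from Windows): it replays a constructed sequence of connection attempts to show both the protection and the lockout of the legitimate user. The class and function names, the minute unit for ResetTime, the sample values 3 and 2880, and the rule that a successful logon clears the count are assumptions of the model.

```python
"""Toy model of the remote access account lockout counter (added example)."""
from dataclasses import dataclass, field


@dataclass
class RemoteAccessLockout:
    max_denials: int   # MaxDenials: failed attempts allowed before lockout; 0 disables
    reset_time: int    # ResetTime: assumed to be minutes for this model
    failures: dict = field(default_factory=dict)  # account -> (count, window_start)

    def _current(self, account, now):
        count, start = self.failures.get(account, (0, now))
        if now - start >= self.reset_time:   # counter is reset per ResetTime
            return 0, now
        return count, start

    def is_locked(self, account, now):
        if self.max_denials == 0:            # zero disables remote account lockout
            return False
        return self._current(account, now)[0] >= self.max_denials

    def attempt(self, account, password_ok, now):
        """Return 'accepted', 'denied' or 'locked' for one connection attempt."""
        if self.is_locked(account, now):
            return "locked"                  # even the correct password is refused
        if password_ok:
            self.failures.pop(account, None)  # assumption: success clears the count
            return "accepted"
        count, start = self._current(account, now)
        self.failures[account] = (count + 1, start)
        return "denied"

    def unlock(self, account):
        """Stand-in for the administrator's manual unlock (a registry edit)."""
        self.failures.pop(account, None)


# Constructed sample: (minute, account, password_ok). Five bad guesses against
# alice, then alice herself with the right password at minutes 10 and 3000.
EVENTS = [(m, "alice", False) for m in range(5)] + [(10, "alice", True), (3000, "alice", True)]


def replay(max_denials, reset_time, events=EVENTS):
    policy = RemoteAccessLockout(max_denials, reset_time)
    return [policy.attempt(acct, ok, minute) for minute, acct, ok in events]


if __name__ == "__main__":
    print(replay(3, 2880))   # lockout on: alice is refused until the reset
    print(replay(0, 2880))   # MaxDenials = 0: guessing is never stopped
```

With lockout enabled the guessing stops after the third failure, but the account owner is also refused until the counter resets or an administrator unlocks the account; with MaxDenials at zero every guess is evaluated.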
