Microsoft KB Archive/816118

= How to configure remote access client account lockout in Windows Server 2003 =

Article ID: 816118

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



IN THIS TASK

 * SUMMARY
 * Configure Remote Access Client Account Lockout Feature
 * Enable Remote Access Client Account Lockout
 * Manually Unlock Remote Access Client Account Lockout
 * REFERENCES



SUMMARY
This step-by-step article describes how to configure the remote access client account lockout feature. Remote access clients include direct dial-in and virtual private network (VPN) clients.

You can use the remote access account lockout feature to specify how many times a remote access authentication has to fail against a valid user account before the user is denied access. An attacker can try to access an organization through remote access by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.

The advantage of activating account lockout is that brute force attacks, such as a dictionary attack, are unlikely to be successful because statistically at least, the account is locked out long before a randomly issued password is likely to be correct. Note that an attacker can still create a denial of service condition that intentionally locks out user accounts.

back to the top

Configure Remote Access Client Account Lockout Feature
The remote access account lockout feature is managed separately from the account lockout settings that are maintained in Active Directory Users and Computers. Remote access lockout settings are controlled by manually editing the registry. Note that these settings do not distinguish between a legitimate user who mistypes a password and an attacker that is trying to &quot;crack&quot; an account.

Remote access server administrators control two features of remote access lockout:
 * The number of failed attempts before future attempts are denied.
 * How frequently the failed attempts counter is reset.

If you use Microsoft Windows Authentication on the remote access server, configure the registry on the remote access server. If you use RADIUS for remote access authentication, configure the registry on the Internet Authentication Server (IAS).

back to the top

Activate Remote Access Client Account Lockout
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The failed attempts counter is periodically reset to zero (0). If an account is locked out after the maximum number of failed attempts, the failed attempts counter is automatically reset to zero after the reset time. To activate remote access client account lockout and reset time, follow these steps:  Click Start, click Run, type regedit in the Open box, and then press ENTER. Locate and then click the following registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

 Double-click the MaxDenials value.

The default value is zero, which indicates that account lockout is turned off. Type the number of failed attempts before you want the account to be locked out. Click OK. Double-click the ResetTime (mins) value.

The default value is 0xb40 which is hexadecimal for 2,880 minutes (two days). Modify this value to meet your network security requirements. Click OK. Quit Registry Editor.</li></ol>

back to the top

Manually Unlock a Remote Access Client
If the account is locked out, the user can try to log on again after the lockout timer has run out, or you can delete the  value in the following registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

registry key. To manually unlock an account, follow these steps: <ol> Click Start, click Run, type regedit in the Open box, and then press ENTER.</li> Locate and then click the following registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

</li> Find the  value, and then delete the entry.</li> Quit Registry Editor.</li> Test the account to confirm that it is no longer locked out.</li></ol>

back to the top