Lockdown Lab #8 | CRITICAL | Windows Server

Enforce account lockout policy

Brute-force attacks against user accounts are not sophisticated, but they are incredibly effective. If your Windows Servers aren’t locking accounts, you’re essentially providing an infinite guessing game for every password in your domain.

This is a fundamental control, yet I still see environments where it’s misconfigured or missing entirely. Five failed attempts, 30-minute lockout – that’s the sweet spot. It’s enough to deter automated attacks without locking out legitimate users due to a few typos.

It’s simple to implement and massively reduces your attack surface. Go configure this now:

net accounts /lockoutthreshold:5
net accounts /lockoutduration:30
net accounts /lockoutwindow:30

Don’t leave the front door wide open when a simple lock will do.

The fix

# PowerShell (GPO or local policy)
# net accounts sets the local SAM policy of the machine it runs on; for domain
# accounts, set the same three values in the Default Domain Policy GPO.
# Keep this order: the observation window cannot exceed the lockout duration.
net accounts /lockoutthreshold:5
net accounts /lockoutduration:30
net accounts /lockoutwindow:30

Reference: CIS Windows Server Benchmark 1.2
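The following script is an added example and is not code from the Lockdown Lab post. It audits the effective local lockout policy against the post's 5 / 30 / 30 target by parsing a secedit export, reports any gap, and with -Apply sets the policy using the same three net accounts commands. It assumes only secedit.exe and net.exe, which ship with Windows, and an elevated PowerShell session; the function names, parameter names and output strings are mine.

```powershell
<#
Added example (not from the Lockdown Lab post): audit the local account lockout
policy against a 5 / 30 / 30 target and optionally apply it. Run elevated.
Assumes secedit.exe and net.exe (both ship with Windows). On a domain member
these are the local SAM values; domain accounts follow the Default Domain Policy.
#>
param(
    [int]$Threshold = 5,   # failed logons before the account locks
    [int]$Duration  = 30,  # minutes the account stays locked
    [int]$Window    = 30,  # minutes of quiet before the bad-logon counter resets
    [switch]$Apply         # change the policy instead of only reporting
)

function Get-LocalLockoutPolicy {
    # secedit exports an INI-style file; [System Access] carries LockoutBadCount,
    # LockoutDuration and ResetLockoutCount. The last two are omitted when
    # LockoutBadCount is 0, so they default to 0 here.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $values = @{ LockoutBadCount = 0; LockoutDuration = 0; ResetLockoutCount = 0 }
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
        [pscustomobject]@{
            Threshold = $values['LockoutBadCount']
            Duration  = $values['LockoutDuration']    # -1 means "until an admin unlocks"
            Window    = $values['ResetLockoutCount']
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-LockoutPolicy {
    param([pscustomobject]$Current)
    $findings = @()
    if ($Current.Threshold -eq 0) {
        # Duration and window are meaningless when accounts never lock.
        $findings += 'Lockout threshold is 0 (Never): accounts never lock, so password guessing is unlimited'
    }
    else {
        if ($Current.Threshold -gt $Threshold) {
            $findings += "Lockout threshold $($Current.Threshold) is looser than the target of $Threshold"
        }
        if ($Current.Duration -ne -1 -and $Current.Duration -lt $Duration) {
            $findings += "Lockout duration $($Current.Duration) min is shorter than the target of $Duration"
        }
        if ($Current.Window -lt $Window) {
            $findings += "Observation window $($Current.Window) min is shorter than the target of $Window"
        }
    }
    return $findings
}

function Set-LocalLockoutPolicy {
    # The same three commands as the post. Order matters: Windows rejects an
    # observation window longer than the lockout duration, so the duration is
    # raised before the window.
    & net.exe accounts "/lockoutthreshold:$Threshold" | Out-Null
    & net.exe accounts "/lockoutduration:$Duration"   | Out-Null
    & net.exe accounts "/lockoutwindow:$Window"       | Out-Null
}

$current = Get-LocalLockoutPolicy
"Current: threshold={0} duration={1} window={2}" -f $current.Threshold, $current.Duration, $current.Window
$findings = Test-LockoutPolicy -Current $current
if (-not $findings) {
    'Lockout policy meets the target.'
}
else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Apply) {
        Set-LocalLockoutPolicy
        $after = Get-LocalLockoutPolicy
        "Applied: threshold={0} duration={1} window={2}" -f $after.Threshold, $after.Duration, $after.Window
    }
}
```

Save it as a .ps1 and run it without switches to audit; add -Apply to remediate. On a domain, the values that matter for domain accounts live in the Default Domain Policy GPO and can be read with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module; a local net accounts change on a member server only covers its local SAM accounts. Once lockout is enforced, Security event 4740 ("A user account was locked out") on the domain controllers is the signal to watch: a burst of 4740 events across many accounts is what a password-spraying attempt looks like once this control is in place.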


Tags: lockdown-lab, hardening, windows, identity
Author: Shimi Cohen