Brute-force attacks against user accounts are not sophisticated, but they are incredibly effective. If your Windows Servers aren’t locking accounts, you’re essentially providing an infinite guessing game for every password in your domain.
This is a fundamental control, yet I still see environments where it’s misconfigured or missing entirely. Five failed attempts, 30-minute lockout – that’s the sweet spot. It’s enough to deter automated attacks without locking out legitimate users due to a few typos.
It’s simple to implement and massively reduces your attack surface. Go configure this now; the exact commands are in the fix below.
Don’t leave the front door wide open when a simple lock will do.
The fix
# PowerShell (GPO or local policy)
net accounts /lockoutthreshold:5
net accounts /lockoutduration:30
net accounts /lockoutwindow:30
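The commands above change the policy; the script below, an added example that is not part of the original post, audits whether the domain actually enforces it. It assumes the ActiveDirectory RSAT module and a domain-joined session; the threshold, duration and window values are the ones recommended above, and it also walks any fine-grained password policies, which override the default for the principals they cover.

```powershell
# Added example (not from the original post): audit account-lockout settings
# against the values recommended above (threshold 5, duration 30 min, window 30 min).
# Requires the ActiveDirectory module; Test-LockoutPolicy itself has no AD dependency.
Import-Module ActiveDirectory -ErrorAction Stop

$Required = @{
    Threshold = 5                              # failed attempts before lockout; 0 = never locks
    Duration  = [TimeSpan]::FromMinutes(30)    # how long the account stays locked
    Window    = [TimeSpan]::FromMinutes(30)    # period over which failures are counted
}

function Test-LockoutPolicy {
    # Returns one finding string per deviation; no output means the policy is compliant.
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [int]$LockoutThreshold,
        [Parameter(Mandatory)] [TimeSpan]$LockoutDuration,
        [Parameter(Mandatory)] [TimeSpan]$LockoutObservationWindow
    )
    $findings = @()
    if ($LockoutThreshold -eq 0) {
        # The worst case the post describes: unlimited guesses per account.
        $findings += "${Name}: lockout disabled (threshold 0)"
    } elseif ($LockoutThreshold -gt $Required.Threshold) {
        $findings += "${Name}: threshold $LockoutThreshold exceeds $($Required.Threshold)"
    }
    if ($LockoutDuration -lt $Required.Duration) {
        $findings += "${Name}: duration $($LockoutDuration.TotalMinutes) min is below $($Required.Duration.TotalMinutes)"
    }
    if ($LockoutObservationWindow -lt $Required.Window) {
        $findings += "${Name}: observation window $($LockoutObservationWindow.TotalMinutes) min is below $($Required.Window.TotalMinutes)"
    }
    return $findings
}

# Default Domain Policy (the domain-wide setting 'net accounts' edits when run against
# the domain; without /domain on a member server it only changes local accounts) plus
# every fine-grained policy, which takes precedence for the users/groups it applies to.
$policies = @(Get-ADDefaultDomainPasswordPolicy) + @(Get-ADFineGrainedPasswordPolicy -Filter *)
$results = foreach ($p in $policies) {
    $name = if ($p.Name) { $p.Name } else { 'Default Domain Policy' }
    Test-LockoutPolicy -Name $name -LockoutThreshold $p.LockoutThreshold `
        -LockoutDuration $p.LockoutDuration -LockoutObservationWindow $p.LockoutObservationWindow
}
if ($results) { $results | ForEach-Object { Write-Warning $_ } } else { 'Lockout policy compliant' }
```

Run it from an account that can read the domain's password-settings container; a fine-grained policy with a weaker threshold will show up as a separate finding even when the default policy is compliant.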
Reference: CIS Windows Server Benchmark 1.2