
Enabling Account Lock Out after Failed OWA Login

To better secure your network it is advised that you enable account lockouts after a certain number of failed logon attempts. This is especially important with a public-facing OWA server. Not configuring an account lockout policy leaves your network vulnerable to dictionary attacks, because attackers get unlimited guesses at users' passwords.

Group Policy Changes

The account lock out settings are located in a Group Policy Object. In order to make a change to the default setting the user will require Group Policy Administrator rights. The following steps will need to be completed on a server that is a Domain Controller.

  1. Start\Administrative Tools\Group Policy Editor
  2. Select and right-click the 'Default Domain Policy' (Note: this can be applied to other policies as well)
  3. Click Edit
  4. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
  5. Change the default values for 'Account Lockout Duration', 'Account Lockout Threshold' and 'Reset Account Lockout Counter After' to those which meet your local security policy. It is considered best practice to set all of these to 5.

Definitions:

Account lockout duration

This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.

Account Lockout Threshold

This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

Default: 0.

Reset account lockout counter after

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.

If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
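As an added example (not part of this article), the following PowerShell script audits the current domain's lockout settings against the constraints in the definitions above and the recommended values from step 5. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the default domain policy; the function name Test-LockoutPolicy is hypothetical.

```powershell
# Added example, not from the original article. Audits the default domain
# account lockout policy against the constraints and recommendations above.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param(
        [int]$Threshold,                # failed attempts before lockout (0 = never lock)
        [timespan]$Duration,            # 'Account lockout duration'
        [timespan]$ObservationWindow,   # 'Reset account lockout counter after'
        [int]$RecommendedThreshold = 5, # article's best-practice values
        [int]$RecommendedMinutes   = 5
    )
    $findings = @()

    if ($Threshold -eq 0) {
        $findings += 'Lockout threshold is 0: accounts never lock, so online password guessing is unlimited.'
        return $findings   # the other two settings have no meaning without a threshold
    }
    if ($Threshold -gt $RecommendedThreshold) {
        $findings += "Lockout threshold is $Threshold; the article recommends $RecommendedThreshold."
    }

    # Assumption: a 'locked until an administrator unlocks it' duration (policy value 0)
    # is returned as a zero or negative timespan, which satisfies the constraint.
    $untilAdminUnlocks = $Duration.TotalMinutes -le 0
    if (-not $untilAdminUnlocks -and $Duration -lt $ObservationWindow) {
        $findings += 'Lockout duration must be greater than or equal to the reset counter window.'
    }
    if (-not $untilAdminUnlocks -and $Duration.TotalMinutes -lt $RecommendedMinutes) {
        $findings += "Lockout duration is $($Duration.TotalMinutes) min; the article recommends $RecommendedMinutes."
    }
    if ($ObservationWindow.TotalMinutes -lt $RecommendedMinutes) {
        $findings += "Reset counter window is $($ObservationWindow.TotalMinutes) min; the article recommends $RecommendedMinutes."
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-LockoutPolicy -Threshold $policy.LockoutThreshold `
                               -Duration $policy.LockoutDuration `
                               -ObservationWindow $policy.LockoutObservationWindow

if ($findings.Count -eq 0) {
    Write-Output 'Account lockout policy passes all checks.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it on a domain controller after the Group Policy change (and a gpupdate) to confirm the new values are in effect rather than trusting the editor alone.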
