Preventing Windows Accounts Being Bruteforced
Published: 23 January 2021 Last Updated: 05 July 2023
In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post - we'll cover some steps to harden these accounts.
The Observation Window
When configuring an account lockout threshold on a Domain another setting is suggested, the observation window. This setting effectively reduces the protection of the account lockout by setting a timer. For example, a lockout threshold of 5 and an observation window of 30 minutes has the impact of meaning that if a threat actor attempts 5 incorrect passwords within 30 minutes the account will lock - but four passwords would not cause it to lock.
Therefore, an attacker could attempt 4 passwords every 30 minutes - or 192 per account per day, without locking any accounts.