Account lockout policy on failed logins
Description
What this control does
Account lockout policies temporarily lock a user account after a specified number of consecutive failed authentication attempts within a defined observation window. Three settings define the control: the lockout threshold (how many failures trigger it), the observation window or reset counter (how long failures are counted before the counter returns to zero), and the lockout duration (how long the account stays locked, or whether an administrator must unlock it). Together they cap the number of password guesses an attacker can make against a single account per unit of time, which is what defeats online brute-force attacks. Effective implementation balances security against user productivity and helpdesk burden; common configurations lock after 3-10 failed attempts and unlock automatically after 15-30 minutes, or require administrator action. Two caveats matter when choosing values: a very low threshold lets an attacker lock out legitimate users at will simply by submitting wrong passwords, and a lockout policy on its own does not stop password spraying, where an attacker tries one or two common passwords against every account and stays below the threshold on each, so the control must be paired with monitoring and alerting on failed logins across accounts.
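The three settings described above interact in ways that are easier to see in code. The following is an added Python reference model, not code from this page, from any vendor product or from a standards body; it assumes nothing beyond the Python standard library, and the usernames, passwords and static salt in it are constructed for illustration. It tracks lockout state for unknown usernames exactly as for real ones and compares against a dummy digest for them, so the sequence of responses does not reveal whether an account exists (the enumeration risk listed under Associated risks), and it models the administrator-unlock variant as an infinite lockout duration.

```python
# Reference model of a failed-login lockout policy. Added illustration with
# constructed data; not code from any vendor or from this page.
import hashlib
import hmac
import math
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5                  # consecutive failures that trigger a lockout
    observation_window: float = 900.0   # seconds; failures older than this stop counting
    lockout_duration: float = 900.0     # seconds; 0 means locked until an administrator unlocks


@dataclass
class AccountState:
    failures: int = 0
    window_start: float = 0.0
    locked_until: float = 0.0           # 0 = not locked; math.inf = administrator unlock required


def _digest(password: str) -> bytes:
    # Constructed stand-in for a real password hash (a slow KDF belongs here in production).
    return hashlib.sha256(b"demo-salt:" + password.encode()).digest()


# Compared against when the username does not exist, so unknown and known
# names cost the same amount of work and cannot be told apart by timing.
_DUMMY_DIGEST = _digest("\x00never-a-real-password")


class Authenticator:
    def __init__(self, policy, credentials, clock=time.monotonic):
        self.policy = policy
        self.credentials = credentials  # username -> password digest
        self.clock = clock              # injectable so the demo can advance time
        self.states = {}                # username -> AccountState (unknown names included)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown usernames get the same three
        answers in the same order, so responses do not reveal whether an account exists."""
        now = self.clock()
        pol, st = self.policy, self.states.setdefault(user, AccountState())
        if st.locked_until > now:
            return "locked"             # even the correct password is refused while locked
        if st.failures and now - st.window_start > pol.observation_window:
            st.failures = 0             # the observation window elapsed: counter restarts
        stored = self.credentials.get(user, _DUMMY_DIGEST)
        if hmac.compare_digest(stored, _digest(password)) and user in self.credentials:
            st.failures = 0
            return "ok"
        if st.failures == 0:
            st.window_start = now
        st.failures += 1
        if st.failures >= pol.threshold:
            st.locked_until = now + pol.lockout_duration if pol.lockout_duration else math.inf
            st.failures = 0
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        self.states[user] = AccountState()


class FakeClock:
    def __init__(self): self.t = 1000.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    clock = FakeClock()
    auth = Authenticator(LockoutPolicy(), {"alice": _digest("correct horse")}, clock)
    out = {}
    # Five wrong guesses lock alice; the right password is refused until the lockout expires.
    seq = [auth.login("alice", f"guess{i}") for i in range(5)]
    seq.append(auth.login("alice", "correct horse"))
    clock.advance(901)
    seq.append(auth.login("alice", "correct horse"))
    out["lock_then_expire"] = seq
    # Four failures, then quiet for longer than the window: the counter restarts, no lockout.
    seq = [auth.login("alice", "x") for _ in range(4)]
    clock.advance(901)
    seq.append(auth.login("alice", "x"))
    out["window_reset"] = seq
    # A nonexistent account produces exactly the same sequence as a real one.
    out["unknown_user"] = [auth.login("nobody", "x") for _ in range(6)]
    # lockout_duration=0: still locked a day later, until an administrator unlocks it.
    strict = Authenticator(LockoutPolicy(threshold=3, lockout_duration=0), {"bob": _digest("pw")}, clock)
    seq = [strict.login("bob", "x") for _ in range(3)]
    clock.advance(86400)
    seq.append(strict.login("bob", "pw"))
    strict.admin_unlock("bob")
    seq.append(strict.login("bob", "pw"))
    out["admin_unlock"] = seq
    return out


if __name__ == "__main__":
    for name, seq in demo().items():
        print(f"{name}: {seq}")
```

The `window_reset` case is the one most often misconfigured in practice: if the reset counter is longer than the lockout duration, or is never reset at all, the second scenario locks the account instead of allowing a fresh start, and helpdesk tickets rise without any security benefit.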
Control objective
What auditing this proves
Demonstrate that account lockout mechanisms are consistently enforced across all authentication systems to prevent unlimited failed login attempts and mitigate brute-force password attacks.
Associated risks
Risks this control addresses
- Unlimited brute-force password attacks against user accounts due to absence of login attempt throttling
- Credential stuffing attacks exploiting reused passwords from external breaches without detection or blocking
- Automated password spraying campaigns systematically testing common passwords across all user accounts
- Prolonged unauthorized access attempts going undetected due to lack of failed login monitoring and alerting
- Denial of service through intentional account lockouts if the lockout threshold is set too low or the lockout duration is excessive, letting an attacker lock out legitimate users simply by submitting wrong passwords
- Inconsistent lockout enforcement across multiple authentication systems creating exploitable gaps in perimeter defenses
- Account enumeration attacks leveraging differential responses between valid and invalid usernames during lockout events
Testing procedure
How an auditor verifies this control
- Inventory all systems and applications requiring user authentication, including domain controllers, VPNs, web applications, database servers, and privileged access management solutions.
- Retrieve and review documented account lockout policy standards, including required threshold values, lockout duration, observation windows, and administrative unlock procedures.
- Export account lockout configuration settings from Active Directory Group Policy Objects (including any fine-grained password policies that override the domain default for specific groups), authentication servers, and application security configurations.
- Select a representative sample of 10-15 systems across critical categories (domain, network access, applications, databases) for configuration validation.
- For each sampled system, verify that lockout threshold, duration, and reset counter settings align with organizational policy requirements.
- Conduct controlled testing on dedicated test accounts by intentionally submitting incorrect credentials across sampled systems; record the attempt count at which the lockout occurs, confirm that the correct password is also rejected while the account is locked, and measure the time until automatic unlock against the configured duration.
- Review authentication logs and security monitoring alerts for recent legitimate lockout events (for example, Windows Security event 4740 on domain controllers) to confirm that lockouts are detected, logged, and alerted on, and that the failed-login events preceding each lockout are retained.
- Interview IT helpdesk staff to verify procedures for validating user identity before performing manual account unlocks and assess lockout-related ticket volume trends.
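To make the log-review step concrete, the following added Python example (not part of this page, of any audit program listed on it, or of any vendor tool) runs the verification over a small constructed authentication log. The log format, hostnames, account names and IP addresses are invented for illustration, and every source is normalised onto the Windows Security event IDs 4625 (failed logon) and 4740 (account locked out) for simplicity. For each lockout it counts the failures inside the observation window that preceded it and compares that count to the policy threshold, flags accounts that exceed the threshold without a lockout event, and separately flags a source address that fails against many accounts while staying under the threshold on each, the spraying pattern a lockout policy by itself does not stop.

```python
# Verify lockout enforcement and spot password spraying in an authentication log.
# Added example over constructed data; not an audit tool from this page.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <timestamp> <host> <event id> user=<name> src=<ip>
# 4625 = failed logon, 4740 = account locked out. jsmith is locked exactly at the
# threshold (conforming); mlee on VPN01 fails seven times with no lockout; rkhan on
# APP01 is locked after three (stricter than policy); the last block is one guess
# each against five accounts from one source, the spraying pattern.
LOG = """\
2024-03-04T09:00:01Z DC01 4625 user=jsmith src=10.0.5.23
2024-03-04T09:00:03Z DC01 4625 user=jsmith src=10.0.5.23
2024-03-04T09:00:05Z DC01 4625 user=jsmith src=10.0.5.23
2024-03-04T09:00:07Z DC01 4625 user=jsmith src=10.0.5.23
2024-03-04T09:00:09Z DC01 4625 user=jsmith src=10.0.5.23
2024-03-04T09:00:09Z DC01 4740 user=jsmith src=10.0.5.23
2024-03-04T09:10:00Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:02Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:04Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:06Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:08Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:10Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:10:12Z VPN01 4625 user=mlee src=203.0.113.9
2024-03-04T09:15:00Z APP01 4625 user=rkhan src=192.0.2.44
2024-03-04T09:15:01Z APP01 4625 user=rkhan src=192.0.2.44
2024-03-04T09:15:02Z APP01 4625 user=rkhan src=192.0.2.44
2024-03-04T09:15:02Z APP01 4740 user=rkhan src=192.0.2.44
""" + "\n".join(
    f"2024-03-04T09:20:{i:02d}Z DC01 4625 user={u} src=198.51.100.7"
    for i, u in enumerate(["aadams", "bbrown", "cclark", "ddavis", "eevans"])
)

LINE = re.compile(r"^(\S+) (\S+) (\d+) user=(\S+) src=(\S+)$")


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, eid, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "event": int(eid), "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])   # stable: a 4625 stays before a same-second 4740


def check_lockouts(events, threshold, window):
    """One finding per host/account whose observed behaviour departs from policy."""
    findings = []
    recent = defaultdict(list)          # (host, user) -> failure timestamps inside the window
    for e in events:
        key = (e["host"], e["user"])
        if e["event"] == 4625:
            recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
            if len(recent[key]) == threshold + 1:      # report once, on the first excess failure
                findings.append(f"{e['host']}: {e['user']} exceeded {threshold} failures "
                                f"within {window} with no 4740 lockout event")
        elif e["event"] == 4740:
            seen = len(recent[key])
            if seen < threshold:
                findings.append(f"{e['host']}: {e['user']} locked after {seen} failures, "
                                f"policy threshold is {threshold}")
            recent[key] = []            # a lockout resets the counter


    return findings


def detect_spray(events, min_accounts):
    """Sources that fail against many distinct accounts. Each account may stay
    under the lockout threshold, so only this cross-account view catches it."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == 4625:
            targets[e["src"]].add(e["user"])
    return {src: len(users) for src, users in targets.items() if len(users) >= min_accounts}


def audit(text=LOG, threshold=5, window=timedelta(minutes=15), min_accounts=4):
    events = parse(text)
    return {"lockout_findings": check_lockouts(events, threshold, window),
            "spray_sources": detect_spray(events, min_accounts)}


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

Run against real exports, the same logic needs the observation window and threshold of each sampled system rather than one global value, since the point of the step is to catch systems whose configuration differs from policy; feeding each system its own exported settings turns a mismatch between configured and observed behaviour into a finding as well.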
Where this control is tested
Audit programs including this control
Remote Access and Credential Exposure Audit
Threat actors exploit weak VPN configurations and stolen or weakly protected credentials to gain initial access, then deploy…
Initial Access Broker Sale — Audit Program
Initial-access brokers selling administrative or remote access to a victim organisation (VPN, RDP, Exchange OWA, AWS console, AD…