AC-7 / A.5.17 / CIS-5.4 NIST SP 800-53 Rev 5

Account lockout / throttling configured

Demonstrate that account lockout and authentication throttling mechanisms are configured and enforced across all authentication systems to prevent automated credential attacks.

Description

What this control does

Account lockout and throttling controls prevent unauthorized access by automatically disabling or delaying authentication attempts after a defined number of consecutive failed login attempts. This control typically enforces a lockout threshold (e.g., 5-10 failed attempts), a lockout duration (e.g., 15-30 minutes or indefinite until administrator reset), and rate-limiting mechanisms that introduce delays between successive attempts. These mechanisms protect against brute-force password attacks, credential stuffing campaigns, and automated enumeration attacks targeting user accounts.

Control objective

What auditing this proves

Demonstrate that account lockout and authentication throttling mechanisms are configured and enforced across all authentication systems to prevent automated credential attacks.

Associated risks

Risks this control addresses

  • Brute-force password attacks successfully compromise user accounts through unlimited authentication attempts
  • Credential stuffing attacks leverage stolen username/password pairs from external breaches to gain unauthorized system access
  • Automated password spraying campaigns test common passwords against multiple accounts without detection
  • Account enumeration attacks identify valid usernames by analyzing authentication response timing or error messages
  • Service accounts and privileged accounts remain accessible to persistent automated attack tools
  • Distributed attacks from multiple IP addresses bypass per-source rate limits and exhaust authentication services
  • Lack of lockout duration allows attackers to resume attacks immediately after brief pauses

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's authentication and access control policy documents to identify documented lockout thresholds, durations, and throttling parameters
  2. Inventory all systems and applications that perform user authentication including web applications, VPNs, remote access gateways, operating systems, and databases
  3. Extract and review authentication configuration settings from each identified system including failed attempt thresholds, lockout duration values, and rate-limiting rules
  4. Select a representative sample of user account types (standard users, privileged accounts, service accounts) for testing across different authentication systems
  5. Perform controlled testing by deliberately entering incorrect credentials to trigger lockout mechanisms and measure the threshold count and lockout duration
  6. Review authentication logs and security information and event management (SIEM) data to verify that failed login attempts are logged and lockout events are recorded with timestamps
  7. Verify that lockout policies apply to all authentication methods including web interfaces, API endpoints, SSH/RDP sessions, and mobile applications
  8. Test or review documentation for administrator override and account unlock procedures to confirm secure unlock processes exist without bypassing security controls

Evidence required

Collect configuration exports or screenshots showing lockout threshold, duration, and throttling settings from Active Directory Group Policy Objects, Linux PAM configuration files, application authentication modules, and cloud identity provider settings. Obtain authentication log excerpts demonstrating lockout events with timestamps, user identifiers, and failed attempt counts. Capture test results documenting controlled lockout trigger attempts and corresponding system responses, including lockout activation and duration enforcement.

Pass criteria

All in-scope authentication systems enforce account lockout after no more than 10 consecutive failed attempts with a minimum lockout duration of 15 minutes or an administrator unlock requirement, and configuration evidence and test results confirm these settings are active and effective.
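As an added illustration (not part of this control page or any product's code), the following Python models the mechanism described above with the page's example parameters (lockout after 5 consecutive failures, 15-minute duration, a growing delay between attempts) and runs the controlled test from step 5 of the procedure: wrong passwords until lockout, then a check that the lockout holds for the full duration and clears afterwards. Class and function names, the doubling back-off, and the account names are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Parameters taken from the control description: threshold 5-10, duration 15-30 min.
THRESHOLD = 5
LOCKOUT = timedelta(minutes=15)
BACKOFF_BASE = 2  # seconds; throttling delay doubles after each consecutive failure (assumed)


@dataclass
class Account:
    failures: int = 0                       # consecutive failed attempts
    locked_until: Optional[datetime] = None
    retry_after: Optional[datetime] = None  # throttling: next attempt accepted at/after this


class LockoutPolicy:
    """Per-account lockout plus per-attempt throttling (names are this example's own)."""

    def __init__(self, threshold: int = THRESHOLD, lockout: timedelta = LOCKOUT):
        self.threshold, self.lockout = threshold, lockout
        self.accounts: dict[str, Account] = {}

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"     # nothing is evaluated while locked, even a correct password
            acct.failures, acct.locked_until = 0, None  # duration elapsed: counter resets
        if acct.retry_after is not None and now < acct.retry_after:
            return "throttled"      # rejected before the password is checked; not counted
        if password_ok:
            acct.failures, acct.retry_after = 0, None
            return "allowed"
        acct.failures += 1
        if acct.failures >= self.threshold:
            acct.locked_until = now + self.lockout
            return "locked"
        acct.retry_after = now + timedelta(seconds=BACKOFF_BASE ** acct.failures)
        return "failed"


def controlled_test(policy: LockoutPolicy, user: str, start: datetime) -> tuple[int, bool, bool]:
    """Step 5 of the procedure: submit wrong passwords until lockout, then report the
    observed threshold and whether the lockout holds until, and clears at, the duration."""
    attempts, t = 0, start
    while attempts < 100:           # bounded: a policy that never locks is itself a finding
        attempts += 1
        if policy.attempt(user, False, t) == "locked":
            break
        t = policy.accounts[user].retry_after or t  # wait out the throttling delay
    still_locked = policy.attempt(user, True, t + policy.lockout - timedelta(seconds=1)) == "locked"
    cleared = policy.attempt(user, True, t + policy.lockout) == "allowed"
    return attempts, still_locked, cleared
```

Comparing the returned attempt count and duration behaviour against the documented thresholds from step 1 gives the evidence the pass criteria ask for.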
