Account lockout threshold (Windows)

Module: Login Parameters

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check verifies that account lockout is enabled and set to lock out an account after a specified maximum number of bad logon attempts.

The following table lists the error messages for the check.

Table: Error messages for Account lockout threshold

Columns: Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information

String ID: ESM_FAILED_ATTEMPTS_TOO_LOW

Category: Policy Compliance

  • Windows 2000 (105230)

  • Windows 2003 (205230)

  • Windows 2008 (248230)

  • Windows Vista (228230)

  • Windows XP (200230)

Title: Number of bad logon attempts is set too low

Description: The number of bad logon attempts allowed before the system locks out an account is lower than the number specified in the current policy. This lower setting can cause unnecessary account lockouts.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [Attempts allowed: %s; expected: %s]

String ID: ESM_ACCOUNT_LOCKOUT_DISABLED

Category: Policy Compliance

  • Windows 2000 (105234)

  • Windows 2003 (205234)

  • Windows 2008 (248234)

  • Windows Vista (228234)

  • Windows XP (200234)

Title: Account lockout is disabled

Description: The account lockout function is disabled. Accounts will not be locked out after any number of bad logon attempts and are vulnerable to brute force logon attacks.

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_FAILED_ATTEMPTS_TOO_HIGH

Category: Policy Compliance

  • Windows 2000 (105235)

  • Windows 2003 (205235)

  • Windows 2008 (248235)

  • Windows Vista (228235)

  • Windows XP (200235)

Title: Number of bad logon attempts is higher than your policy

Description: The number of bad logon attempts allowed before the system locks out an account is higher than the number specified in your policy. This increases the chances of a successful brute force logon attack.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [Attempts allowed: %s; expected: %s]
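
The decision logic behind the three messages above can be reproduced offline against a policy export. The following Python sketch is an added example, not the product's own code: it reads LockoutBadCount from the [System Access] section of a `secedit /export` file and maps the result to the String IDs in the table. The function names, the sample export, and the rule that only an exact match with the policy value is compliant are assumptions.

```python
import configparser

# Constructed sample of a `secedit /export` policy file (already decoded to str;
# real exports are usually UTF-16 on disk).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def read_lockout_threshold(inf_text):
    """Return LockoutBadCount from [System Access]; 0 means lockout is disabled."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as exported
    parser.read_string(inf_text)
    raw = parser.get("System Access", "LockoutBadCount", fallback=None)
    if raw is None:
        raise ValueError("LockoutBadCount missing from [System Access]")
    return int(raw.strip())


def evaluate(actual, expected):
    """Return (string_id, severity, info) for a violation, or None if compliant.

    Assumption: the policy holds one expected value and only an exact match passes.
    """
    if actual == 0:
        # Tested first so a disabled lockout is not reported as merely "too low".
        # The page gives this message's format as "[%s]" without saying what
        # fills it, so no information string is built here.
        return ("ESM_ACCOUNT_LOCKOUT_DISABLED", "red-4", None)
    info = "[Attempts allowed: %s; expected: %s]" % (actual, expected)
    if actual < expected:
        return ("ESM_FAILED_ATTEMPTS_TOO_LOW", "yellow-1", info)
    if actual > expected:
        return ("ESM_FAILED_ATTEMPTS_TOO_HIGH", "yellow-1", info)
    return None


if __name__ == "__main__":
    print(evaluate(read_lockout_threshold(SAMPLE_INF), expected=5))
```

A threshold of 0 in the export is how Windows records "lockout never occurs", which is why that case is reported as disabled rather than compared with the policy value.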