Bad logon counter reset (Windows)

Module: Login Parameters

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports a problem when the bad logon lockout counter can be reset to zero before the time that is specified in your policy has elapsed.

The following table lists the error messages for the check.

Table: Error messages for Bad logon counter reset

Columns: Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information

String ID: ESM_COUNTER_TIME_TOO_LOW

Category: Policy Compliance

  • Windows 2000 (105233)

  • Windows 2003 (205233)

  • Windows 2008 (248233)

  • Windows Vista (228233)

  • Windows XP (200233)

Title: Counter reset time too low

Description: The bad logon counter reset time is shorter than the time specified in your policy. Logon attempts to a locked-out account may resume too soon. This increases the chances of a successful brute force logon attack. Set the bad logon counter reset time to at least 20 minutes.

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [Reset time: %s; expected: %s]

String ID: ESM_ACCOUNT_LOCKOUT_DISABLED

Category: Policy Compliance

  • Windows 2000 (105234)

  • Windows 2003 (205234)

  • Windows 2008 (248234)

  • Windows Vista (228234)

  • Windows XP (200234)

Title: Account lockout is disabled

Description: The account lockout function is disabled. Accounts will not be locked out after any number of bad logon attempts and are vulnerable to brute force logon attacks.

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
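The two conditions in the table above can be reproduced from `net accounts` output. This is an added example, not the product's own code. It assumes English-locale `net accounts` field labels; the function names, the text placed in the `[%s]` field, and the choice to skip the reset-time test when lockout is disabled are assumptions of this example.

```python
import re
import subprocess
import sys

# Constructed sample of English-locale `net accounts` output (not from the page).
SAMPLE_NET_ACCOUNTS = """\
Minimum password length:                              8
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 10
Computer role:                                        WORKSTATION
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {label: value} for every 'label:   value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_lockout(text, expected_minutes=20):
    """Return a list of (string_id, information_field) findings."""
    fields = parse_net_accounts(text)
    threshold = fields.get("Lockout threshold")
    if threshold is None:
        raise ValueError("'Lockout threshold' not found in input")
    # 'Never' (or 0) means no number of bad logons locks the account.
    if threshold.lower() == "never" or threshold == "0":
        # The content of the [%s] field is an assumption of this example.
        return [("ESM_ACCOUNT_LOCKOUT_DISABLED",
                 "[Lockout threshold: %s]" % threshold)]
    # The observation window is the time after which the bad logon
    # counter resets to zero; compare it with the policy minimum.
    window = int(fields["Lockout observation window (minutes)"])
    if window < expected_minutes:
        return [("ESM_COUNTER_TIME_TOO_LOW",
                 "[Reset time: %s; expected: %s]" % (window, expected_minutes))]
    return []

if __name__ == "__main__":
    # On Windows, audit the live policy; elsewhere use the constructed sample.
    text = SAMPLE_NET_ACCOUNTS
    if sys.platform == "win32":
        text = subprocess.run(["net", "accounts"], capture_output=True,
                              text=True, check=True).stdout
    for string_id, info in check_lockout(text):
        print(string_id, info)
```

On a domain member, `net accounts /domain` reports the domain policy instead of the local one; its output can be passed to `check_lockout` in the same way.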