I recently hired a VPS with Windows Server 2016, and since I'm getting like 4-5 login attempts per minute to access it, I decided to create an account lockout policy:

  • Account lockout duration: 0
  • Account local threshold: 5 attempts
  • Reset account local threshold after: 99.999

Nonetheless, those login attempts, specifying the same user, haven't stopped. I even tried it myself. The accounts used are not being locked (looking at Users and Local Groups). Am I missing something?

SySc0d3r
  • The only account ever hit hard is ‘administrator’. And you can’t apply a lock out policy to the administrator account for obvious reasons. What account are you testing with? Is it a local user account? A domain account? Is this a domain controller? Does the account exist at all? – Appleoddity Apr 23 '18 at 00:24
  • Locking out the user is something you just shouldn't do. If they are targeting a non-existent username it's pointless to lock out based on username. And if the targeted username exists you have just enabled a powerful DoS attack against your own server. Locking out based on IP address is better but has so many caveats that I would still recommend against it. The best defense is to choose credentials which cannot be brute forced. – kasperd Apr 24 '18 at 22:54
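An added diagnostic for the situation described in the question and comments (example code, not from the question, the comments, or Microsoft; it assumes an elevated PowerShell session on the VPS that can read the Security log). It groups recent failed logons (event 4625) by the targeted user name, marks which names exist as local accounts and which is the built-in Administrator (RID 500), reports the effective policy with `net accounts`, and counts real lockout events (4740), which is where the "why is nothing being locked" question is usually answered.

```powershell
# Added diagnostic, not from the original question or comments.
# Assumes: run elevated on the Windows Server 2016 VPS; local (non-domain) accounts.
$since = (Get-Date).AddHours(-24)

# Failed logons in the last 24 hours. Get-WinEvent errors when nothing matches,
# so silence that and treat "no events" as an empty set.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull TargetUserName and source IP out of each event's XML payload.
$rows = foreach ($ev in $failed) {
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        User = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
    }
}

$localUsers   = Get-LocalUser
$builtinAdmin = $localUsers | Where-Object { $_.SID.Value -like '*-500' }

# One line per targeted name: does it exist locally, and is it the built-in
# Administrator, which the lockout threshold does not apply to by default?
$rows | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    $name = $_.Name
    $acct = $localUsers | Where-Object { $_.Name -eq $name }
    $status = if (-not $acct) {
        'no such local account (nothing to lock)'
    } elseif ($acct.SID -eq $builtinAdmin.SID) {
        'built-in Administrator (not subject to the lockout threshold)'
    } else {
        "local account, Enabled=$($acct.Enabled), lockable"
    }
    $sources = ($_.Group.Ip | Sort-Object -Unique) -join ', '
    '{0,5} failures  {1,-20} {2}  from {3}' -f $_.Count, $name, $status, $sources
}

# Effective lockout settings as the OS sees them (threshold, duration, reset window).
net accounts

# Actual lockout events: if this stays 0 while 4625s pile up, the policy is not
# reaching the accounts being hit (wrong account type, or one of the cases above).
$locked = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"Lockout events (4740) since {0}: {1}" -f $since, @($locked).Count
```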