Allowing users to remotely access a network without compromising security is important, and there are several things you can do to ensure this. One feature you can take advantage of is remote access account lockout. This is separate from the account lockout option that is configured within a domain password policy.

Remote access account lockout lets a network administrator configure how many failed logon attempts are permitted before a remote access user's account is locked out. This feature is particularly useful if you are using a remote access VPN to provide users with remote access to the network. It reduces the chances of an attacker gaining access to your network by repeatedly guessing the password associated with a user account.

Two things must be decided upon when using remote access account lockout. First, you must decide how many failed logon attempts will be allowed before the account is locked out. Second, you must configure how often the failed attempts counter is reset to 0. For example, if the number of failed logon attempts allowed is 4, a user account will be locked out once the number of failed logons exceeds this number. The reset counter then determines how long before the number of failed logon attempts is set back to 0.

This feature is not enabled by default, and there is no graphical interface for it: to use it, you must edit the Windows registry. To enable remote access account lockout, change the MaxDenials value found under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout subkey.

To configure the amount of time that must pass before the failed attempts counter is reset, edit the ResetTime (mins) value found under the same registry subkey. The default ResetTime is 48 hours, or 2,880 minutes.

An important point to keep in mind if you are planning to implement the remote access account lockout feature is that it has to be enabled on the server that is actually authenticating the remote access users. This means that if your remote access servers are configured as RADIUS clients, you have to edit the registry of the IAS server responsible for authenticating remote access clients. If no RADIUS server is used, enable this feature on each remote access server.
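The registry changes above, as an added PowerShell example that is not part of the original article: it enables the feature with the values used in the text (4 failed attempts, 48-hour reset), reads the settings back, and lists the accounts the service is currently tracking. The value names follow Microsoft's documentation for this subkey (MaxDenials and ResetTime (mins)); the per-user subkey layout at the end is my understanding of how the service records failures, not something the article states.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server that authenticates remote access users (the RRAS
# server, or the IAS/RADIUS server if RRAS is configured as a RADIUS client).
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

$MaxDenials   = 4      # failed logons tolerated before the account is locked out
$ResetMinutes = 2880   # failed-attempts counter reset period; 2,880 min = 48 h (the default)

# The subkey normally exists; create it if this server has never had the feature touched.
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Show the settings before changing them. MaxDenials of 0 means the feature is disabled.
Get-ItemProperty -Path $Key | Select-Object MaxDenials, 'ResetTime (mins)'

# Enable lockout and set the reset window. Both values are REG_DWORD.
Set-ItemProperty -Path $Key -Name 'MaxDenials'       -Value $MaxDenials   -Type DWord
Set-ItemProperty -Path $Key -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord

# Read back and verify; fail loudly if the write did not take effect.
$cfg = Get-ItemProperty -Path $Key
if ($cfg.MaxDenials -ne $MaxDenials -or $cfg.'ResetTime (mins)' -ne $ResetMinutes) {
    throw "AccountLockout settings were not applied as expected"
}

# Assumption (from Microsoft's documentation, not this article): once the feature is
# active, the service creates one subkey per account that has failed, named
# DOMAIN:user, holding a DenialCount value. Listing them shows who is being counted.
Get-ChildItem -Path $Key | ForEach-Object {
    $entry = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{ Account = $_.PSChildName; DenialCount = $entry.DenialCount }
}

# To clear a locked-out account before ResetTime elapses, delete its subkey, e.g.:
# Remove-Item -Path "$Key\DOMAIN:user"
```

Because the counter lives on the authenticating server only, run this on the IAS server when RADIUS is in use; running it on a RADIUS client RRAS server has no effect.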