From fe887186cd821dda6759aa04fd584a526df5f364 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 28 Sep 2020 09:27:17 +0200 Subject: [PATCH 1/2] Update account-lockout-threshold.md Added note. --- .../security-policy-settings/account-lockout-threshold.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 3db828212a..20f886d1ec 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -87,6 +87,9 @@ For more information about Windows security baseline recommendations for account This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +> [!NOTE] +> A lockout threshold policy will apply to both local member computer users and Domain Users, in order to allow mitigation of issues as described under "Vulnerability". The Built-In Administrator account however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot logon to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). + ### Vulnerability Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. From 2ad5f1b2418209f0e2e5c02010a041cffb54a2e8 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:07:15 +0200 Subject: [PATCH 2/2] Update windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../security-policy-settings/account-lockout-threshold.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 20f886d1ec..55f3b22031 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -88,7 +88,7 @@ For more information about Windows security baseline recommendations for account This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. > [!NOTE] -> A lockout threshold policy will apply to both local member computer users and Domain Users, in order to allow mitigation of issues as described under "Vulnerability". The Built-In Administrator account however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot logon to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). +> A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). ### Vulnerability