1
00:00:07,000 --> 00:00:14,200
In addition to password policies, most organizations configure account lockout policies. While password

2
00:00:14,200 --> 00:00:23,560
policies specify that users need to use secure passwords, account lockout policies enable you to define

3
00:00:23,840 --> 00:00:25,990
whether accounts should be locked

4
00:00:25,990 --> 00:00:33,700
if there are too many sign-in attempts with invalid passwords. You can define thresholds for an account

5
00:00:33,700 --> 00:00:43,200
lockout, the duration of the lockout, and a way to unlock accounts. Thresholds for an account lockout

6
00:00:43,300 --> 00:00:51,880
stipulate that accounts become disabled after a certain number of failed sign-in attempts during a certain

7
00:00:51,880 --> 00:00:54,310
time period. Account lockout

8
00:00:54,310 --> 00:01:01,140
policies help detect and prevent brute-force attacks on account passwords.

9
00:01:01,180 --> 00:01:05,870
The following settings are available for account lockout policies.

10
00:01:05,920 --> 00:01:13,420
The first setting is account lockout duration. You can define the number of minutes that

11
00:01:13,420 --> 00:01:21,880
a locked account remains locked. After the specified number of minutes, the account is unlocked automatically.

12
00:01:22,180 --> 00:01:29,500
To specify that an administrator must unlock the account, set the value to zero.

13
00:01:29,500 --> 00:01:38,170
Consider using fine-grained password policies to require administrators to unlock high-security accounts,

14
00:01:38,440 --> 00:01:43,900
and then configure this setting to 30 minutes for normal users.

15
00:01:43,900 --> 00:01:47,770
The next setting is account lockout threshold.

16
00:01:47,930 --> 00:01:55,870
This setting determines the number of failed sign-in attempts that are allowed before a user account

17
00:01:55,870 --> 00:01:57,320
is locked out.

18
00:01:57,320 --> 00:02:02,310
A value of zero means that the account is never locked out.

19
00:02:02,350 --> 00:02:10,870
You should set this value high enough to allow for mistyped passwords but low enough to ensure

20
00:02:10,870 --> 00:02:19,090
the failure of brute-force attempts to guess a password. Common values for this setting range from

21
00:02:19,270 --> 00:02:28,450
3 to 5. The next setting is reset account lockout counter after. This determines how many minutes must

22
00:02:28,810 --> 00:02:36,160
elapse after a failed sign-in attempt before the sign-in counter is reset to zero.

23
00:02:36,160 --> 00:02:44,530
This setting applies when a user has typed in a password incorrectly but the user has not exceeded the

24
00:02:44,580 --> 00:02:46,670
current lockout threshold.

25
00:02:46,720 --> 00:02:50,050
Consider setting this value to certain minutes.

26
00:02:50,050 --> 00:02:57,750
Most organizations implement account lockout policies to prevent attackers from using password-guessing

27
00:02:57,790 --> 00:03:01,180
techniques to gain access to a network.

28
00:03:01,180 --> 00:03:09,400
Although this approach provides a level of security, it also exposes your organization to DoS attacks,

29
00:03:09,630 --> 00:03:17,170
because attackers can run scripts to guess user passwords and lock out all user accounts.

30
00:03:17,170 --> 00:03:22,800
This prevents the correct person from being able to access his or her account.

31
00:03:23,110 --> 00:03:31,010
If you choose not to implement account lockout policies, it is critical that you monitor failed sign-in

32
00:03:31,090 --> 00:03:38,290
attempts in real time to prevent attackers from taking advantage of this configuration.

33
00:03:38,290 --> 00:03:41,590
Next up we'll be talking about Kerberos policies.

34
00:03:41,590 --> 00:03:42,420
I'll see you there.