Configure Account Lockout Policies
The “Blocking Threshold” policy sets the number of failed logon attempts after which the account is locked out. If you decide to use account lockout, set a value in this field that is low enough to prevent unauthorized entry but leaves a sufficient number of attempts for users who have difficulty accessing their accounts.
The main reason users cannot access their account on the first try is that they have forgotten their password. In this case, they may need several attempts to log on. Workgroup users may also have problems accessing a remote system when their current password does not match the password the remote system expects.
If this happens, several incorrect logon attempts can be recorded by the remote system before the user is able to enter the correct password. The reason is that Windows 2000 may try to log on to the remote system automatically. In a domain environment this does not happen, thanks to the single sign-on function.
You can set the lockout threshold to any value from 0 to 999. The default lockout threshold is 0, which means the account is never locked out because of incorrect logon attempts. Any other value sets a specific lockout threshold. Remember that the higher the lockout threshold, the greater the risk that an attacker can gain access to your system. Acceptable values for this threshold are between 7 and 15. This is large enough to rule out user error and small enough to deter attackers.
Account Lock Duration
Once the lockout threshold is exceeded, the “Account Lock” policy sets how long the account stays locked. You can set any value from 1 to 99,999 minutes, or an unlimited time by setting this parameter to 0.
The most secure policy is to set an unlimited lockout time. In this case, only an administrator can unlock the account. This prevents attackers from continuing to try to gain access to the system and forces users whose accounts are locked to turn to an administrator for help, which in itself is a good idea. After talking with the user, you can find out what they are doing wrong and help them avoid the problem.
Tip. If an account is locked, open the Properties dialog box for that account in the Active Directory Users and Computers snap-in. Click the Account tab and clear the “Account is locked” check box. This unlocks the account.
Reset lock counter after
Each time a logon attempt fails, Windows 2000 increments the counter that tracks the number of failed logon attempts. The “Reset lock counter after” policy determines how long that counter is kept. The counter is reset in one of two ways. If the user logs on successfully, the counter is reset. If the time period set by the “Reset lock counter after” policy has elapsed since the last failed logon attempt, the counter is also reset.
By default, the counter is kept for one minute, but you can set any value from 1 to 99,999 minutes. As with the Account Lockout Threshold, you must choose a value that balances security needs against user needs. A suitable value is in the range of one to two hours. This waiting period should be long enough to force crackers to wait longer than they would like before a new attempt to gain access to the account.
Note. Unsuccessful attempts to log on to a workstation through a password-protected screensaver do not increment the lockout counter. Also, if you lock a server or workstation using Ctrl+Alt+Delete, unsuccessful logon attempts through the Unlock Computer window are not counted.
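To show how the three policies interact (threshold, lockout duration and the reset window), here is an added simulation of the lockout state machine for a single account. It is example code written for this section, not Windows code; times are in minutes, the account password and policy values are constructed, and a duration of 0 models the "locked until an administrator unlocks" case described above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int        # lockout threshold; 0 = never lock the account
    duration_min: int     # lockout duration; 0 = locked until an administrator unlocks
    reset_after_min: int  # "Reset lock counter after": quiet time that clears the counter


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None   # minute of the last failed attempt
    locked_at: Optional[float] = None  # minute the lockout began, None if not locked


class LockoutSimulator:
    """Applies the three account lockout policies to one constructed account."""

    def __init__(self, policy: LockoutPolicy, password: str):
        self.policy, self.password, self.state = policy, password, AccountState()

    def _expire(self, now: float) -> None:
        st, pol = self.state, self.policy
        # A timed lockout ends after duration_min; duration 0 never expires here.
        if st.locked_at is not None and pol.duration_min and now - st.locked_at >= pol.duration_min:
            st.locked_at, st.bad_count = None, 0
        # The failed-attempt counter is cleared once reset_after_min has passed quietly.
        if st.last_bad is not None and now - st.last_bad >= pol.reset_after_min:
            st.bad_count = 0

    def attempt(self, password: str, now: float) -> str:
        """Returns 'ok', 'bad_password' or 'locked'."""
        self._expire(now)
        st, pol = self.state, self.policy
        if st.locked_at is not None:
            return "locked"             # even the right password fails while locked
        if password == self.password:
            st.bad_count = 0            # a successful logon resets the counter
            return "ok"
        st.bad_count, st.last_bad = st.bad_count + 1, now
        if pol.threshold and st.bad_count >= pol.threshold:
            st.locked_at = now
            return "locked"
        return "bad_password"

    def admin_unlock(self) -> None:
        """Equivalent of clearing 'Account is locked' in the account properties."""
        self.state = AccountState()
```

Running a few attempts against the simulator shows why the reset window must be long: two failures followed by a quiet period longer than the window start the count again from zero.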
Configure Kerberos Policies
Kerberos version 5 is the primary authentication mechanism used in an Active Directory domain. Kerberos uses service tickets and user tickets to identify users and network services. As you might imagine, service tickets are used by Windows 2000 service processes, and user tickets are used by user processes. Tickets contain encrypted data confirming the authenticity of the user or service.
You can control the duration of the ticket, its renewal and application using the following policies: