domain admin account lockout best practice

Hi all,
I'm looking for input on best practice for the domain admin account for account lockout settings, specifically,

account lockout threshold
account lockout duration
reset account lockout after
LVL 2
ChiITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
there is no set in stone absolute best practice in this.
account lockout threshold     1 incorrect
account lockout duration       forever
reset account lockout after    never
This would work but be an administrative burden and impose user downtime while waiting for the administrator to reset the account

account lockout threshold       3 tries
account lockout duration         1 Hour
reset account lockout after       5 minutes

3 strikes your in the penalty box for 5 minutes
Microsoft advises setting this appropriately after a careful study of  your threat environment and the the business impact of a user simply mistyping their password vs a hacker trying to infiltrate into the network. Too strong and it could have a serious business impact (guess who gets fired over this) or too lax a policy which could give unauthorized access to network resources.
https://technet.microsoft.com/en-us/library/cc784090%28v=ws.10%29.aspx
ChiITAuthor Commented:
Hi David thank you. I was thinking about the administrator account specifically. If the threshold is set to 1 and it gets locked out until its unlocked with no reset, obviously that would not be good...any suggestions for the admin account?
David Johnson, CD, MVPOwnerCommented:
reset lockout after an hour
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

McKnifeCommented:
The recommendations we can give you might not fit. You have to find out what fits best on your own.
The domain admins should be very few persons, so have a meeting and together, choose how many attempts you think should produce a lockout. The difference between 2 or 10 is not much from a hackers perspective, by the way.
About the lockout duration: if there are other admins nearby, that can unlock your account for you - why not set it to quite a long time like some hours? If you are unsure there will be other admins around, set it to a few minutes. About "reset account lockout after" - if I mistype the pw, I will retry immediately - why would we care about this setting at all? So set it to a quite high amount of time, maybe an hour.
David AtkinTechnical DirectorCommented:
Personally I would recommend disabling the build in administrator account anyway and creating your own admin account with a more difficult/unusual username - It will be harder to guess.

With regards to the actual lockout policy, I'd have something like the below:

account lockout threshold  -  5 Incorrect  (Enough room for genuine error)
account lockout duration - 30 minutes
reset account lockout after - 5 minutes

As per the other comments though, you need to have a discussion with the other admins and identify what the best settings would be for you.  If you have multiple admin accounts then it might not be a problem to have the lockout threshold low and the duration high.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ChiITAuthor Commented:
Thanks everyone, actually there is only 1 admin, though I'll take the advice about disabling the default admin and creating others, etc.
McKnifeCommented:
You could have split the points to honor everybody's effort.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.