How to prevent an account lockout denial of service (DoS) attack?

Measures to mitigate denial of service (DoS) by optimizing Account Lockout and Password Policy Settings:

To prevent account lockout denial of service, first configure the account lockout and password policy settings in a balanced manner.

Configure account lockout and password policies in the Default Domain Policy. This avoids conflicts and unexpected policy settings.

In the account lockout policy, set a sufficiently high value for the "Account lockout threshold". False lockouts can occur if you set the "Account lockout threshold" lower than the default value of 10, because users and programs can retry bad passwords often enough to lock out the user account. This adds to administrative costs: users lose work time while the account is locked, and helpdesk staff spend valuable time resolving the issue.

Recommended Account Lockout Policy:

| Security category | Account lockout threshold (invalid attempts) | Observation window (minutes) | Lockout duration (minutes) | Cost |
|---|---|---|---|---|
| Low | N/A | N/A | N/A | Low |
| Medium | 10 | 30 | 30 | Medium |
| High | 10 | 30 | Infinite/0 | High |

Recommended Password Policy:

| Security category | Password history (passwords remembered) | Maximum password age (days) | Minimum password age (days) | Minimum password length (characters) | Complexity | Cost |
|---|---|---|---|---|---|---|
| Low | 3 | 42 | 0 | 0 | Disabled | Low |
| Medium | 24 | 42 | 1 | 7 | Enabled | Medium |
| High | 24 | 42 | 1 | 8 | Enabled | High |
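The two tables above give the target values. The following PowerShell is an added example, not code from the original article: it reads the domain's effective policy with Get-ADDefaultDomainPasswordPolicy and flags every setting that deviates from the Medium profile, calling out the two edge cases the tables write as N/A and Infinite/0. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain object.

```powershell
# Added audit script (not from the original article). Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can read the domain object.
Import-Module ActiveDirectory

# "Medium" rows of the two tables, in the tables' units (minutes, days, characters).
$Recommended = [ordered]@{
    LockoutThreshold         = 10
    LockoutObservationWindow = 30
    LockoutDuration          = 30
    PasswordHistoryCount     = 24
    MaxPasswordAge           = 42
    MinPasswordAge           = 1
    MinPasswordLength        = 7
    ComplexityEnabled        = $true
}

$Policy = Get-ADDefaultDomainPasswordPolicy
# TimeSpan-valued settings are converted to the tables' units before comparing.
$Actual = @{
    LockoutThreshold         = $Policy.LockoutThreshold
    LockoutObservationWindow = [int]$Policy.LockoutObservationWindow.TotalMinutes
    LockoutDuration          = [int]$Policy.LockoutDuration.TotalMinutes
    PasswordHistoryCount     = $Policy.PasswordHistoryCount
    MaxPasswordAge           = [int]$Policy.MaxPasswordAge.TotalDays
    MinPasswordAge           = [int]$Policy.MinPasswordAge.TotalDays
    MinPasswordLength        = $Policy.MinPasswordLength
    ComplexityEnabled        = $Policy.ComplexityEnabled
}

$Report = foreach ($Name in $Recommended.Keys) {
    # Values the tables write as N/A or Infinite/0: a threshold of 0 disables
    # lockout; a duration of 0 keeps the account locked until an admin unlocks it.
    $Note = switch ($Name) {
        'LockoutThreshold' {
            if ($Actual[$Name] -eq 0) { 'lockout disabled (Low profile)' }
            elseif ($Actual[$Name] -lt 10) { 'below default of 10: false-lockout / DoS risk' }
        }
        'LockoutDuration' { if ($Actual[$Name] -eq 0) { 'infinite, admin unlock needed (High profile)' } }
    }
    $Status = if ($Actual[$Name] -eq $Recommended[$Name]) { 'OK' } else { 'DEVIATES' }
    [PSCustomObject]@{
        Setting     = $Name
        Actual      = $Actual[$Name]
        Recommended = $Recommended[$Name]
        Status      = $Status
        Note        = [string]$Note
    }
}
$Report | Format-Table -AutoSize
```

If you decide to apply the Medium profile, Set-ADDefaultDomainPasswordPolicy accepts the same setting names, with TimeSpan values for the observation window, lockout duration and password ages.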

Measures to mitigate account lockout denial of service (DoS) from External Networks:

To protect your business network from account lockout denial of service caused by service attacks and dictionary attacks, block the ports these attacks use on your routers and firewalls.

To prevent the user accounts in your enterprise from being locked out by a denial of service, all user accounts should have strong and unique passwords. Most importantly, administrator accounts should have long, complex passwords that you change regularly.

Make sure that all of your servers are up to date with current versions of antivirus software, firewall software, and Windows security patches.