Implement account lockout after a set number of failed login attempts.
389-AC-004 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-AC-004 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-7 |
| DISA SRG | SRG-APP-000065 |
## Rationale
Online brute-force and credential-stuffing attacks succeed by rapidly submitting large numbers of password guesses against a target account; without a lockout mechanism the attacker faces no rate limit beyond network throughput. Account lockout after three consecutive bind failures stops these attacks in their early stages, before a meaningful portion of the password space can be explored. This control activates the lockout engine (passwordLockout: on) and sets the failure threshold - both flags are required; the failure count stored in the policy has no effect if the engine is disabled. NIST AC-7 and DISA SRG-APP-000065 require automatic account disabling after a defined number of failed authentication attempts. See 389-AC-009 for the complementary controls that tune lockout duration and the failure-counter reset window; both controls must be applied together to form a complete lockout countermeasure.
## Check
Verify that account lockout is enabled and the maximum failure count is set to 3 or fewer consecutive attempts.
```shell
dsconf <instance> pwpolicy get | grep -i -E "passwordlockout|passwordmaxfailure"
```
Expected: passwordLockout: on / passwordMaxFailure: 3
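As an added example (not part of this control's text or of the 389-ds tooling), the following POSIX shell function evaluates the Check above against captured `dsconf <instance> pwpolicy get` output. It passes only when both conditions hold: `passwordLockout` is `on` and `passwordMaxFailure` lies between 1 and 3, because the threshold is inert while the engine is off. The sample policy dumps are constructed to mirror the `attribute: value` lines dsconf prints; the function name `check_lockout_policy` and the script file name are assumptions.

```shell
#!/bin/sh
# Added example: evaluate 389-AC-004 from `dsconf <instance> pwpolicy get` output.
# Not part of the control text or of the 389-ds tooling; the sample outputs below
# are constructed to mirror the "attribute: value" lines dsconf prints.

# Constructed sample output of a compliant policy.
SAMPLE_COMPLIANT='passwordlockout: on
passwordmaxfailure: 3
passwordlockoutduration: 3600
passwordresetfailurecount: 600'

# Constructed sample: threshold is set but the engine is off, so the count is inert.
SAMPLE_ENGINE_OFF='passwordlockout: off
passwordmaxfailure: 3'

# Constructed sample: engine is on, but the threshold exceeds the control's limit of 3.
SAMPLE_TOO_LENIENT='passwordlockout: on
passwordmaxfailure: 10'

# policy_value ATTR : print the value of ATTR from policy text on stdin
# (case-insensitive attribute match; first occurrence wins).
policy_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" -F': *' 'tolower($1) == key { print $2; exit }'
}

# check_lockout_policy POLICY_TEXT [MAX]
# Exit 0 only when passwordlockout is on AND 1 <= passwordmaxfailure <= MAX (default 3).
check_lockout_policy() {
    policy=$1
    max=${2:-3}
    lockout=$(printf '%s\n' "$policy" | policy_value passwordlockout | tr 'A-Z' 'a-z')
    failures=$(printf '%s\n' "$policy" | policy_value passwordmaxfailure)

    # Both settings are required: the threshold has no effect while the engine is off.
    [ "$lockout" = "on" ] || return 1
    case $failures in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric threshold
    esac
    [ "$failures" -ge 1 ] && [ "$failures" -le "$max" ]
}

# Usage against a live instance (assumed script name): sh check_ac004.sh <instance>
if [ $# -eq 1 ]; then
    if check_lockout_policy "$(dsconf "$1" pwpolicy get)"; then
        echo "389-AC-004: PASS"
    else
        echo "389-AC-004: FAIL (enable lockout and set threshold <= 3)"
        exit 1
    fi
fi
```

The attribute match is case-insensitive and keyed on the whole attribute name, so `passwordlockoutduration` does not satisfy the `passwordlockout` lookup the way a loose grep would; the optional second argument lets a subtree policy with a deliberately higher threshold (as discussed in the Implementation Notes) be evaluated against its own limit.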
## Remediation
Enable account lockout and set the maximum consecutive bind failure count to 3.
```shell
dsconf <instance> pwpolicy set --pwdlockout=on --pwdmaxfailures=3
```
## References
## Implementation Notes
Use `--pwdmaxfailures` (plural); the singular form `--pwdmaxfailure` is not a valid flag and will produce an error. The failure counter is per-account and is incremented on every unsuccessful bind; it resets either after a successful bind or after the period configured by `--pwdresetfailcount` (see 389-AC-009). Locked accounts can be unlocked manually with `dsidm <instance> user unlock <uid>` or will be released automatically after the lockout duration expires (also configured in 389-AC-009). Service accounts and monitoring agents that authenticate via bind should have their IP addresses whitelisted or use a dedicated account with a subtree policy that has a higher or disabled lockout threshold, to avoid operational disruption from monitoring-induced lockouts.