Thursday, August 29, 2019

Windows 10, Windows 7 - How to Create a Local Lockout Policy for Bad Password Attempts

Having a lockout policy in place on your computer helps protect against brute-force password attacks, and there are numerous reasons why someone would want to configure one on a local, non-domain-joined computer. You may have remote access configured so you can connect to your PC when you are away from home or the office. You may be hosting software that requires an outside connection, or you may simply be a security-minded individual who wants an extra layer of protection. Whatever the reason, it is prudent to configure a lockout policy to help prevent unauthorized intrusion.

All recent versions of Windows provide a built-in mechanism for locking out a user account after too many bad password attempts. It is configured through the Local Security Policy editor.

To configure a lockout policy:

1. Launch the Local Security Policy editor by pressing Win + R, typing "secpol.msc" and hitting Enter. Alternatively, in Windows 10, you can simply search for "Local Security Policy".
2. Once the editor is launched, expand "Account Policies" and select "Account Lockout Policy".
3. Here, you will find three settings to edit. The first one is the "Account lockout threshold". This sets the number of bad password attempts allowed before the account is locked out. You will want to set this between 3 and 5 bad attempts.

Next, you will likely want to configure the "Account lockout duration". This sets the amount of time the account remains locked out. Even setting it to five minutes should be enough to make brute-forcing a password extremely difficult. Leaving the setting unconfigured keeps the account locked out until it is manually unlocked by another user account with administrator privileges.

Finally, the "Reset account lockout after" setting lets you set the number of minutes that must elapse after a failed logon attempt before the failed-logon counter is reset back to 0.

Click "OK" once the values are set. From now on, when someone enters too many incorrect passwords, the account will be locked out according to the settings you have configured. Keep in mind that if the lockout duration is not configured, the account will remain locked until an administrator unlocks it. It is a good idea to have multiple accounts set up, with the ones used for remote connections having fewer privileges than an administrator.
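To confirm the policy actually took effect (for example on a machine you administer remotely), here is an added PowerShell check that is not part of the original post. It exports the effective local policy with secedit and flags values that differ from the recommendations above; the script name and the $MaxThreshold / $MinDuration parameters are my own choices.

```powershell
# Added example (not from the original post): audit the local lockout policy.
# Run from an elevated PowerShell prompt on the machine being checked.
# The same values can be set without the GUI via, e.g.:
#   net accounts /lockoutthreshold:5 /lockoutduration:5 /lockoutwindow:5
param(
    [int]$MaxThreshold = 5,   # the post recommends 3 to 5 bad attempts
    [int]$MinDuration  = 5    # the post says five minutes is already enough
)

$inf = Join-Path $env:TEMP 'lockout-audit.inf'
# secedit writes the effective policy, including the [System Access] section, to an INF file
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; make sure the prompt is elevated" }

# Pull the three lockout keys out of the "Key = Value" lines
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$threshold = $policy['LockoutBadCount']   # 0 means lockout is disabled
$duration  = $policy['LockoutDuration']   # -1 means "locked until an administrator unlocks"
$reset     = $policy['ResetLockoutCount'] # minutes before the bad-logon counter resets

$findings = @()
if (-not $threshold) {
    $findings += 'Account lockout threshold is 0: unlimited password guesses are allowed'
} elseif ($threshold -gt $MaxThreshold) {
    $findings += "Account lockout threshold $threshold is above the recommended maximum of $MaxThreshold"
}
# Duration/reset keys are only present when the threshold is non-zero, hence the guard
if ($threshold -and $duration -eq -1) {
    $findings += 'Account lockout duration is unlimited: locked accounts need an administrator to unlock them'
} elseif ($threshold -and $duration -lt $MinDuration) {
    $findings += "Account lockout duration of $duration minutes is below $MinDuration"
}

[pscustomobject]@{
    ThresholdAttempts = $threshold
    DurationMinutes   = $duration
    ResetMinutes      = $reset
    Findings          = if ($findings) { $findings -join '; ' } else { 'OK' }
}
```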

For yet another layer of security, you may want to look into an address blocker like IPBan. It is a free Windows port of Fail2Ban that blocks the source IP address after detecting a brute-force attack. Read more on it here: IPBan
