Neither an account lockout policy (Windows) nor a PAM lockout configuration (Linux) is set by default in the guest. To enforce a rate limit on login attempts that use guest authentication, configure the native Windows account lockout policy in a Windows guest, or configure PAM to lock user accounts in a Linux guest.
Windows:
The account lockout policy in the Active Directory domain locks a user account automatically if a specified number of login attempts have failed for the user account. For more details, see the Microsoft Article.
Steps for setting account lockout policy
- Install Group Policy Management Tools if not done already.
Windows 10 Version 1809 and higher
- Right-click the Start button and choose Settings > Apps > Optional features > Add feature.
- Select RSAT: Group Policy Management Tools.
- Select Install.
- It should eventually appear as an option under Start > Windows Administrative Tools.
Windows 8 and Windows 10 Version 1803 and lower
- Right-click the Start button and choose Control Panel > Programs.
- From the Programs and Features section, select Turn Windows features on or off.
- Scroll down and expand the Remote Server Administration Tools section.
- Expand Feature Administration Tools.
- Ensure that Group Policy Management Tools is checked, then select OK.
- You should now have an option for Administrative Tools on the Start menu. From there, select the Group Policy tool needed.
- Configure Account Lockout Policy in the Active Directory.
- Run the Group Policy Management console (gpmc.msc) or go to Start > Windows Administrative Tools > Group Policy Management.
- Expand the domain name, and find the GPO called Default Domain Policy. Right-click and select Edit.
- In the Group Policy Editor, go to the section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
- Set the policy Reset account lockout counter after — this parameter sets the number of minutes after which the counter of failed authorization attempts is reset to 0 (1 to 99999).
- Set the policy Account lockout threshold — the number of incorrect password attempts after which the Windows user account will be locked (0 to 999). User accounts are never locked if this value is set to 0.
- Set the policy Account lockout duration — Active Directory user account lockout time in minutes (0 to 99999). If a value of 0 is specified, the user accounts will be locked until the administrator manually unlocks the locked accounts.
Note: After making changes to the Default Domain Policy, it takes up to 2 hours to apply the new Group Policy settings to the domain controllers and computers, or the policy can be updated on the domain controllers manually using the gpupdate command.
Account Lockout Auditing
Windows account lockout affects all services. To track which process or service locked the user account, enable the Account Lockout audit events:
- In Group Policy Management Editor console, Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff, enable success and failure audit events for Audit Account Lockout.
- Check the Account Lockout event with ID 4625 in Computer Management > System Tools > Event Viewer > Windows Logs > Security.
Linux
Linux distributions using pam_faillock module (RHEL, CentOS, Fedora etc.)
A user account can be locked for a pre-set amount of time after the specified number of failed login attempts using the pam_faillock module.
Example /etc/pam.d/vmtoolsd file with the pam_faillock configuration (the lines referencing pam_faillock.so):
auth required pam_shells.so
auth required pam_faillock.so preauth even_deny_root deny=3 unlock_time=60
auth sufficient pam_unix.so shadow
auth required pam_unix_auth.so shadow
auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=60
account required pam_shells.so
account sufficient pam_unix.so
account required pam_unix_acct.so
account required pam_faillock.so
Where:
- preauth –> Module to be called before the modules which ask for the user authentication.
- authfail –> Module to be called after the modules which determine the authentication has failed.
- unlock_time=60 –> Keep the account locked for 60 seconds. If this option is not used, the default value is 600 (10 minutes). "unlock_time=never" will cause the account to be locked forever until reset manually by a system administrator.
- even_deny_root –> Lock the root user account as well after specified number of incorrect login attempts.
- root_unlock_time=60 –> Keep the root user account locked for 60 seconds after the specified number of failed login attempts. "root_unlock_time=never" will cause the account to be locked forever until reset manually by a system administrator. If this option is not specified, the value is the same as the unlock_time option.
Refer to the Linux man pages for further details about pam_faillock.so and the faillock command.
Linux distributions using pam_tally2 module (SLES, Ubuntu, Debian etc.)
A user account can be locked for a pre-set amount of time after the specified number of failed login attempts using the pam_tally2 module.
Add a line like the one below at the beginning of the /etc/pam.d/vmtoolsd file:
auth required pam_tally2.so onerr=fail deny=3 unlock_time=60 audit even_deny_root root_unlock_time=60
Where:
- onerr=fail –> In case of an error, issue a failure.
- deny=3 –> Lock the account after 3 unsuccessful login attempts.
- unlock_time=60 –> Keep the account locked for 60 seconds. If this option is not used, the user account is locked until reset manually by a system administrator.
- audit –> Enable audit logging of user login attempts in the secure log file.
- even_deny_root –> Lock the root user account as well after specified number of incorrect login attempts.
- root_unlock_time=60 –> Keep the root user account locked for 60 seconds after the specified number of failed login attempts. "root_unlock_time=never" will cause the account to be locked forever until reset manually by a system administrator. If this option is not used, the value is the same as the unlock_time option.
Refer to the Linux man pages for further details about pam_tally2.so and the pam_tally2 command.
Note: These PAM configurations are provided as examples only. Newer PAM versions might add or remove some settings. Therefore, you may have to adjust these example configurations based on the PAM version on your system and your account locking requirements.
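The following script is an added example and is not part of the VMware Tools documentation or of the PAM project; it serves both the pam_faillock and the pam_tally2 sections above. It renders the pam_faillock stanza shown for /etc/pam.d/vmtoolsd with chosen deny and unlock_time values, and it audits an existing PAM service file for a complete lockout configuration: for pam_faillock it requires the preauth, authfail and account lines to all be present with matching deny values (a preauth line without its authfail partner never counts failures), and it reports the effective unlock_time using the different defaults of the two modules (600 seconds for pam_faillock, locked until a manual reset for pam_tally2). The function names and the "ok ..." summary format are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the VMware Tools docs): render and audit the PAM
# lockout settings for a PAM service file such as /etc/pam.d/vmtoolsd.
# Function names and the summary line format are assumptions of this script.

# Print the pam_faillock lines shown above with the given deny and unlock_time;
# the preauth and authfail entries must carry identical options.
render_faillock_stanza() {
  opts="even_deny_root deny=$1 unlock_time=$2"
  printf '%s\n' \
    "auth required pam_shells.so" \
    "auth required pam_faillock.so preauth $opts" \
    "auth sufficient pam_unix.so shadow" \
    "auth required pam_unix_auth.so shadow" \
    "auth [default=die] pam_faillock.so authfail $opts" \
    "account required pam_shells.so" \
    "account sufficient pam_unix.so" \
    "account required pam_unix_acct.so" \
    "account required pam_faillock.so"
}

# opt_value LINE NAME: print the value of " NAME=value" on a PAM line, or nothing.
# The leading whitespace requirement keeps root_unlock_time from matching unlock_time.
opt_value() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Effective unlock_time of a pam_faillock line: 600 seconds when the option is absent.
faillock_unlock_time() {
  v=$(opt_value "$1" unlock_time)
  printf '%s\n' "${v:-600}"
}

# Effective unlock_time of a pam_tally2 line: with the option absent the account
# stays locked until an administrator resets the counter manually.
tally2_unlock_time() {
  v=$(opt_value "$1" unlock_time)
  printf '%s\n' "${v:-manual}"
}

# check_pam_lockout FILE: print "ok <module> deny=N unlock_time=T" and return 0 when a
# complete lockout configuration is present; otherwise print the problem and return 1.
# Comment and blank lines are ignored.
check_pam_lockout() {
  active=$(grep -Ev '^[[:space:]]*(#|$)' "$1")
  tally=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' | head -n1)
  if [ -n "$tally" ]; then
    deny=$(opt_value "$tally" deny)
    [ -n "$deny" ] && [ "$deny" -gt 0 ] 2>/dev/null || { echo "pam_tally2: deny must be a positive number"; return 1; }
    echo "ok pam_tally2 deny=$deny unlock_time=$(tally2_unlock_time "$tally")"
    return 0
  fi
  pre=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*preauth' | head -n1)
  fail=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*authfail' | head -n1)
  acct=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*account[[:space:]].*pam_faillock\.so' | head -n1)
  [ -n "$pre" ]  || { echo "pam_faillock: preauth line missing (no rate limit is applied)"; return 1; }
  [ -n "$fail" ] || { echo "pam_faillock: authfail line missing (failed attempts are never counted)"; return 1; }
  [ -n "$acct" ] || { echo "pam_faillock: account line missing"; return 1; }
  deny=$(opt_value "$pre" deny)
  [ "$deny" = "$(opt_value "$fail" deny)" ] || { echo "pam_faillock: deny differs between preauth and authfail"; return 1; }
  [ -n "$deny" ] && [ "$deny" -gt 0 ] 2>/dev/null || { echo "pam_faillock: deny must be a positive number"; return 1; }
  echo "ok pam_faillock deny=$deny unlock_time=$(faillock_unlock_time "$pre")"
}

# Usage: sh pam_lockout_check.sh /etc/pam.d/vmtoolsd
if [ -n "${1:-}" ]; then check_pam_lockout "$1"; fi
```

Running the script with the path of a PAM service file prints either the effective lockout settings or the first missing piece; piping the output of render_faillock_stanza into a file produces a configuration that the checker accepts, which is a quick way to confirm an edited vmtoolsd file still matches the intended threshold before the guest authentication path relies on it.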