You are the system administrator for a company that runs several Windows Server hosts. Your security monitoring tool has generated an alert showing dozens of failed logon attempts for the same domain user account coming from multiple file, web, and application servers. No attempts have succeeded so far. What is the MOST appropriate next step to take immediately?
The safest initial containment action is to disable the suspected user account. This immediately blocks any further logon attempts, successful or not, while you investigate whether the credentials have been guessed, leaked, or otherwise compromised. Resetting the password before you understand the scope does not stop the brute-force attempts (they will simply keep failing and filling the logs), and on its own it does nothing about a session an attacker may already hold. Deleting the account is unnecessarily destructive and may impede forensic analysis, since the SID, group memberships, and audit trail become harder to reconstruct. Shutting down multiple production servers would cause needless downtime and is not proportional when the threat can be contained at the account level. Note that disabling is different from an account lockout: a lockout is a temporary state driven by the bad-password counter, whereas a disabled account stays blocked until an administrator re-enables it.
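As an added illustration (not part of the original question or answer), the following PowerShell shows how an administrator would carry out the recommended step and then scope the activity: disable the account in Active Directory, confirm its state, and pull the failed-logon events (Event ID 4625) for that account from each server that raised the alert. The account name `jdoe`, the server names, and the two-hour window are assumed placeholders; the script assumes the ActiveDirectory RSAT module is installed and that the caller can read each server's Security log remotely.

```powershell
# Added example, not code from the original page. Placeholders: account and host names.
Import-Module ActiveDirectory

$Account = 'jdoe'                          # assumed sAMAccountName from the alert
$Servers = 'FILE01', 'WEB01', 'APP01'      # assumed file, web and application servers
$Since   = (Get-Date).AddHours(-2)         # assumed investigation window

# 1. Containment: disable the account. New logons now fail with "account disabled".
#    Caveat: Kerberos tickets already issued stay valid until they expire or renew,
#    so still check for existing sessions for this user on the affected hosts.
Disable-ADAccount -Identity $Account
Get-ADUser -Identity $Account -Properties Enabled, LockedOut, LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LockedOut, LastLogonDate, PasswordLastSet

# 2. Scoping: collect 4625 (failed logon) events for this account from each server.
#    The event's EventData is parsed from XML so that source address, logon type and
#    failure reason can be grouped together.
$Failed = foreach ($Server in $Servers) {
    $Events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $Since
    }
    foreach ($Event in $Events) {
        $Fields = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            $Fields[$d.Name] = $d.'#text'
        }
        if ($Fields['TargetUserName'] -ne $Account) { continue }
        [pscustomobject]@{
            Server      = $Server
            Time        = $Event.TimeCreated
            SourceIp    = $Fields['IpAddress']
            Workstation = $Fields['WorkstationName']
            LogonType   = $Fields['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
            SubStatus   = $Fields['SubStatus']      # 0xC000006A bad password, 0xC0000072 account disabled,
                                                    # 0xC0000234 account locked out
        }
    }
}

# Summary: which hosts, which source addresses, how many attempts, and why they failed.
$Failed | Group-Object Server, SourceIp, LogonType, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Verify the "no successful attempts" assumption against 4624 (successful logon)
#    for the same account in the same window on each server.
foreach ($Server in $Servers) {
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Since
    } | Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq $Account }
    } | Select-Object MachineName, TimeCreated, Id
}
```

After the account is disabled, later 4625 events for it should carry SubStatus 0xC0000072 (account disabled) rather than 0xC000006A (bad password), which is a quick way to confirm the containment took effect on every host. Lockout events (4740), if the domain policy triggers them, are recorded on the domain controller rather than on the member servers.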