A recent security audit found that the domain's password settings leave user accounts vulnerable to brute-force attacks. The server administrator must update Group Policy for standard user accounts so that too-short passwords are rejected and repeated guessing quickly locks the account without creating excessive help-desk work. Which configuration BEST meets these goals?
Setting a minimum password length of 14 characters forces users to choose passwords that are long enough to make online brute-force attacks impractical, matching Microsoft and CIS hardening benchmarks. An account lockout threshold of 5 invalid logon attempts is within the CIS recommendation (5 or fewer) and provides a good balance between user typos and attack resistance. A 30-minute lockout duration is long enough to disrupt an automated attack while automatically restoring access for users without requiring an administrator unlock.
Other options fall short:
Shorter minimum lengths (10 or 12) or much higher thresholds (10 or 25 attempts) give attackers too many chances.
An indefinite lockout (duration 0) increases denial-of-service risk and help-desk burden.
Lower thresholds combined with shorter passwords or shorter lockout durations still allow faster online guessing.
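The following PowerShell is an added example, not part of the original explanation, showing how an administrator would apply and verify the settings described above (14-character minimum, 5-attempt threshold, 30-minute lockout) on the Default Domain Policy with the ActiveDirectory module from RSAT, and a small helper that quantifies why the alternative threshold/duration pairs fall short. The domain name corp.example is a placeholder; the function names and the 30-minute observation window are assumptions of this example.

```powershell
# Added example: harden and verify the default domain password policy.
# Requires the ActiveDirectory module (RSAT) and rights to edit the Default Domain Policy.
# 'corp.example' is a placeholder domain name.
#Requires -Modules ActiveDirectory

# Target values from the explanation: 14-char minimum, 5 attempts, 30-minute lockout.
$Baseline = @{
    MinPasswordLength        = 14
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    # Windows requires "Reset account lockout counter after" (observation window)
    # to be less than or equal to the lockout duration; keeping them equal is the
    # simplest valid choice (assumption of this example).
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)
}

function Set-HardenedPasswordPolicy {
    # Writes the baseline to the domain's default password policy.
    param([Parameter(Mandatory)][string]$Domain)
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -MinPasswordLength        $Baseline.MinPasswordLength `
        -LockoutThreshold         $Baseline.LockoutThreshold `
        -LockoutDuration          $Baseline.LockoutDuration `
        -LockoutObservationWindow $Baseline.LockoutObservationWindow `
        -ComplexityEnabled        $true
}

function Test-PasswordPolicyBaseline {
    # Reads the effective policy back and reports each check as $true/$false,
    # so a drifted setting (e.g. a GPO change) is caught in an audit run.
    param([Parameter(Mandatory)][string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [PSCustomObject]@{
        MinLengthOk = $p.MinPasswordLength -ge 14
        # Threshold 0 disables lockout entirely; CIS recommends 5 or fewer.
        ThresholdOk = $p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5
        # Duration 0 means "locked until an administrator unlocks" (the DoS case).
        DurationOk  = $p.LockoutDuration -ne [TimeSpan]::Zero -and $p.LockoutDuration.TotalMinutes -ge 30
        WindowOk    = $p.LockoutObservationWindow -le $p.LockoutDuration
    }
}

function Get-MaxOnlineGuessesPerDay {
    # Upper bound on password guesses per account per day that lockout allows an
    # online attacker, i.e. the attack surface each threshold/duration pair leaves open.
    param([int]$Threshold, [int]$LockoutMinutes)
    if ($Threshold -eq 0)      { return [int]::MaxValue }  # lockout disabled: unlimited
    if ($LockoutMinutes -eq 0) { return $Threshold }       # indefinite lockout: a few guesses, then DoS until unlocked
    $windowsPerDay = [math]::Floor(1440 / $LockoutMinutes)
    return $Threshold * $windowsPerDay
}

# Usage (placeholder domain):
# Set-HardenedPasswordPolicy  -Domain 'corp.example'
# Test-PasswordPolicyBaseline -Domain 'corp.example'
# Get-MaxOnlineGuessesPerDay -Threshold 5  -LockoutMinutes 30
# Get-MaxOnlineGuessesPerDay -Threshold 25 -LockoutMinutes 30
# Get-MaxOnlineGuessesPerDay -Threshold 5  -LockoutMinutes 0
```

With a threshold of 5 and a 30-minute lockout the helper yields 5 guesses per window times 48 windows, i.e. 240 guesses per account per day, against a 14-character keyspace; raising the threshold to 25 multiplies that to 1200, and a duration of 0 caps the attacker at 5 guesses but leaves the legitimate user locked out until the help desk intervenes, which is exactly the trade-off the explanation describes. The observation-window check matters in practice because Group Policy rejects a reset window longer than the lockout duration, so the two values must be set together.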