An organization wants to make it much harder for attackers to guess users' passwords by repeatedly submitting logon attempts over the network. Which of the following security controls, when properly configured, directly limits the number of invalid logon attempts and therefore mitigates online brute-force password attacks?
Implement network address translation (NAT) on the perimeter firewall.
Place user devices in separate VLANs for network segmentation.
Disable all unused switch ports on the network edge.
Configure an account lockout policy that locks the account after a defined number of failed logon attempts.
An account lockout policy sets a maximum number of consecutive failed logon attempts for a user account. Once the threshold is reached, the account is locked for a defined period or until an administrator unlocks it. By preventing unlimited guesses, the policy sharply reduces the feasibility of automated brute-force attacks. Disabling unused switch ports, implementing NAT, and creating VLAN segments are valuable controls for network hygiene and segmentation, but they do not limit the number of authentication attempts against an account and therefore do not mitigate brute-force password guessing.