An organization wants to make it much harder for attackers to guess users' passwords by repeatedly submitting logon attempts over the network. Which of the following security controls, when properly configured, directly limits the number of invalid logon attempts and therefore mitigates online brute-force password attacks?
Disable all unused switch ports on the network edge.
Place user devices in separate VLANs for network segmentation.
Configure an account lockout policy that locks the account after a defined number of failed logon attempts.
Implement network address translation (NAT) on the perimeter firewall.
An account lockout policy sets a maximum number of consecutive failed logon attempts for a user account. Once the threshold is reached, the account is locked for a defined period or until an administrator unlocks it. By preventing unlimited guesses, the policy sharply reduces the feasibility of automated brute-force attacks. Disabling unused switch ports, implementing NAT, and creating VLAN segments are valuable controls for network hygiene and segmentation, but they do not limit the number of authentication attempts against an account and therefore do not mitigate brute-force password guessing.