Lock out accounts after too many bad password attempts.
What it actually means
Limit unsuccessful logon attempts to slow down password-guessing and brute-force attacks. Set an account-lockout threshold and lockout duration across your systems — workstations, servers, VPN, and cloud identity.
Pass or fail — an assessor needs a "yes" to each
- Is an account-lockout threshold enforced after a defined number of failed attempts?
- Does it apply across systems, including remote access and cloud identity?
What to have ready
- Lockout policy configuration (GPO / Entra ID / etc.)
- Settings showing the threshold and duration
Where teams trip up
- No lockout on cloud or VPN logins
- A threshold set so high it's meaningless
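To make the threshold/duration interplay concrete, here is an added example (not from this page or any vendor's product) that replays a constructed run of failed logons against a lockout policy with Windows-style semantics: failures are counted within an observation window, the account is locked for a set duration once the threshold is hit, and a lock is released only when the duration expires. The run and the 15-minute window and duration values are assumptions; it shows how a disabled (0) or very high threshold never locks anything.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int                 # failed attempts before lockout; 0 means lockout disabled
    observation_window: timedelta  # failures older than this are forgotten
    lockout_duration: timedelta    # how long the account stays locked

@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: Optional[datetime] = None

def simulate(policy, events):
    """Replay (timestamp, account, password_ok) events against the policy.
    Returns (lockouts, rejected): lock start times per account, and the
    number of attempts refused because the account was already locked."""
    states, lockouts, rejected = {}, {}, 0
    for ts, account, password_ok in events:
        st = states.setdefault(account, AccountState())
        if st.locked_until and ts < st.locked_until:
            rejected += 1          # locked: refused regardless of password
            continue
        if password_ok:
            st.failures.clear()    # a good logon resets the counter
            continue
        # drop failures outside the observation window, then record this one
        st.failures = [t for t in st.failures if ts - t < policy.observation_window]
        st.failures.append(ts)
        if policy.threshold and len(st.failures) >= policy.threshold:
            st.locked_until = ts + policy.lockout_duration
            st.failures.clear()
            lockouts.setdefault(account, []).append(ts)
    return lockouts, rejected

# Constructed sample: 10 wrong guesses against one account, one every 3 seconds
T0 = datetime(2024, 1, 1, 9, 0, 0)
GUESSING_RUN = [(T0 + timedelta(seconds=3 * i), "alice", False) for i in range(10)]

def outcome_for(threshold):
    """Run the constructed guessing run under a threshold (assumed 15-minute window/duration)."""
    policy = LockoutPolicy(threshold, timedelta(minutes=15), timedelta(minutes=15))
    lockouts, rejected = simulate(policy, GUESSING_RUN)
    locked_at = [int((t - T0).total_seconds()) for t in lockouts.get("alice", [])]
    return {"locked_at_seconds": locked_at, "rejected": rejected}
```

With a threshold of 5 the account locks on the fifth guess and the remaining five are refused; with 0 or 1000 the whole run is evaluated against the password, which is the "meaningless threshold" failure above.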