In order to prevent a RAS client from launching an attack with dozens of password attempts, a Windows 2000 RAS server can be configured to lockout the client.

The RAS client lockout is separate from the account lockout in Active Directory.

You can configure RAS account lockout with both a number of failed attempts and an interval that must pass before the lockout timer is reset.

If you are using Windows Authentication on the RAS server, you configure these settings in the registry of the RAS server. If you are using RADIUS, configure the registry on the the IAS server.

To configure the registry:

1. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.

2. Double-click the MaxDenials Value Name, a REG_DWORD data type, and set the data value to the number of failed attempts before the account is locked out, using the Decimal Radix. A data value of 0, the default, disables account lock out.

3. Double-click the ResetTime (mins) Value Name, a REG_DWORD data type, and set the number of minutes that must elapse before the account is unlocked, using the Decimal Radix. The default is 2,880 minutes, which is two days.

NOTE: To manually unlock an account, use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout and delete the <Domain Name>:<User Name> Value Name.