Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

ID: M1036
Version: 1.0
Created: 11 June 2019
Last Modified: 21 October 2022

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1110 Brute Force

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

.001 Password Guessing

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

.003 Password Spraying

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

.004 Credential Stuffing

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

Enterprise T1621 Multi-Factor Authentication Request Generation

Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempts do not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

Enterprise T1078 Valid Accounts

Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

.004 Cloud Accounts

Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1]

References