To prevent brute-force login attacks against your domain user accounts, you can specify how many failed login attempts are permitted for each user before they are challenged with a CAPTCHA and before their login is prevented for the specified duration.
To access these options, select Administrate > Security and choose the Organizational Unit or Smart Team that you wish to set the access time for. Then, select the User Login Controls tab and scroll down to the Brute-Force Attack Prevention section.
Brute-Force Attack Prevention policies can be applied to:
- Organizational Units - Set for the root OU and inherited, or explicitly set for each OU.
- Smart Teams - Set to Enable to apply the policy to all users in the Smart Team, or to Disable to force the user's policy to be set by the next Smart Team (set to Enable) they are part of, or the Organizational Unit if the user isn't part of any enabled Smart Team.
You can set the following options:
- Number of failed login attempts before CAPTCHA prompt - Set the number of times the user can attempt to log in before they are challenged with a CAPTCHA process, ranging from Disabled (never challenged) to 20 failed login attempts.
- Number of failed login attempts before login is temporarily prevented - Set the number of times the user can fail a login attempt in a row before they are temporarily locked out for a configurable amount of time (as set below), from Disabled (never locked out) to 20 failed login attempts.
  - When the user is locked out, they will not be able to log in at all, even with the correct credentials.
- Number of hours to prevent login after too many failed login attempts - Set the number of hours that a user will be locked out after reaching the set number of failed login attempts in a row, ranging from Disabled (never locked out) to 48 hours.
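
The following Python model is an added illustration, not the product's own code. It shows how the effective policy resolves (first enabled Smart Team, otherwise the nearest OU with an explicit policy) and how the three settings interact during a run of login attempts. Assumptions: Smart Teams are evaluated in list order, the failure counter resets on a successful login or when a lockout expires, and the CAPTCHA is represented only as a flag in the result.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:                       # None models the "Disabled" choice
    captcha_after: Optional[int]    # failed attempts before CAPTCHA (1..20)
    lockout_after: Optional[int]    # failed attempts in a row before lockout (1..20)
    lockout_hours: Optional[int]    # lockout duration in hours (up to 48)

def effective_policy(smart_teams, ou_chain):
    """smart_teams: [(enabled, Policy)] in evaluation order (order is assumed).
    ou_chain: policies from the user's OU up to the root; None means inherited."""
    for enabled, policy in smart_teams:
        if enabled:                 # a disabled team defers to the next one
            return policy
    for policy in ou_chain:         # no enabled team: fall back to the OU tree
        if policy is not None:
            return policy
    raise ValueError("the root OU must carry an explicit policy")

class LoginGuard:
    def __init__(self, policy):
        self.policy, self.failures, self.locked_until = policy, 0, None

    def attempt(self, password_ok, now):
        p = self.policy
        if self.locked_until and now < self.locked_until:
            return "locked"         # refused even with correct credentials
        if self.locked_until:       # lockout expired (assumed: counter resets)
            self.locked_until, self.failures = None, 0
        captcha = p.captcha_after is not None and self.failures >= p.captcha_after
        if password_ok:
            self.failures = 0
            return "captcha+ok" if captcha else "ok"
        self.failures += 1
        if p.lockout_after and p.lockout_hours and self.failures >= p.lockout_after:
            self.locked_until = now + timedelta(hours=p.lockout_hours)
            return "locked"
        return "captcha+denied" if captcha else "denied"

def demo():
    """Constructed scenario: CAPTCHA after 2 failures, 1-hour lockout after 3."""
    guard, t0 = LoginGuard(Policy(2, 3, 1)), datetime(2024, 1, 1, 12, 0)
    steps = [(False, 0), (False, 1), (False, 2), (True, 30), (True, 63)]
    return [guard.attempt(ok, t0 + timedelta(minutes=m)) for ok, m in steps]
```

The fourth attempt in `demo()` uses the correct password but falls inside the lockout window, which is the case help desks most often see reported as "my password stopped working".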