Unfortunately, our user base forces us to maintain a fairly relaxed domain lockout policy: Five bad logons within 30 minutes locks the account for 30 minutes. Although we regularly check Security logs on our domain controllers (DCs) for failed logon attempts, we're still concerned about attackers trying to guess the logon credentials of RRAS dial-up users on our RRAS VPN server. Can we implement a stricter lockout policy for users that connect from outside our LAN?
Yes. In Windows NT 4.0, Microsoft added a separate Remote Access Account Lockout Manager (RAALM) to RRAS that lets you configure a different lockout policy for users who dial in or use VPN to connect to your network. RAALM is disabled by default, but you can enable and configure it by modifying the registry. Open a registry editor and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout registry subkey. To enable RAALM, set the Max-Denials value, of type REG_DWORD, to 1 or higher to reflect how many consecutive failed logons must occur before RAALM locks out the account. Set ResetTime, of type REG_DWORD, to the number of minutes that must elapse before RAALM unlocks the account. ResetTime defaults to 2880 minutes (48 hours). To unlock an account before it reaches its automatic reset time, find the user under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name, where domain name:user name is the user's domain and username, and delete the registry subkey.
As long as your RAALM policy is stricter than your domain's account lockout policy (configured in GPOs linked to the root of the domain, such as the Default Domain Policy GPO), attacks from outside the LAN will usually cause a RAALM lockout before locking out the account within Active Directory (AD). Therefore, a user will still be able to log on at computers directly connected to the LAN, even if the account is locked out at the RRAS server.