I'm wondering what you all are using for your account lockout policy if you are PCI-compliant or something similar. Our auditors are requesting account lockout after 3 attempts for a minimum duration of 30 minutes. Our concern is what happens if we are brute-forced and all of our users are locked out. We already have very strict firewall policies in place and our network is segmented as well, but you never know. Do any of you use any tools that might help mitigate damage that can occur with a lockout policy in place?
Thank you, Eric
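The mass-lockout scenario the post worries about, as an added example that is not part of the original post or any reply to it: a small lockout tracker that enforces the auditor's rule (lock an account after 3 failed attempts for at least 30 minutes) and adds a second, per-source counter so that a single host spraying guesses across the whole directory is cut off after it has failed against a handful of distinct accounts, instead of being allowed to lock every user out. The `LoginGuard` class, the per-source thresholds, the 30-minute counting window for the account counter, the IP addresses (documentation ranges) and the simulated attack are all assumptions made for this example; the two auditor numbers are the only values taken from the post.

```python
from collections import defaultdict, deque

# Auditor requirement quoted in the post: lock after 3 failures, for >= 30 minutes.
MAX_ACCOUNT_FAILURES = 3
ACCOUNT_LOCK_SECONDS = 30 * 60      # also used as the counting window (assumption)

# Assumed values for the added per-source brake; tune for your environment.
MAX_ACCOUNTS_PER_SOURCE = 5         # distinct accounts a host may fail against...
SOURCE_WINDOW_SECONDS = 10 * 60     # ...within this window before it is blocked
SOURCE_BLOCK_SECONDS = 60 * 60

ALLOW, ACCOUNT_LOCKED, SOURCE_BLOCKED = "allow", "account_locked", "source_blocked"


class LoginGuard:
    """Tracks failed logins per account (lockout) and per source address
    (to keep one host from locking out many accounts). Times are plain
    seconds passed in by the caller, so the logic is deterministic."""

    def __init__(self, max_accounts_per_source=MAX_ACCOUNTS_PER_SOURCE):
        self.max_accounts_per_source = max_accounts_per_source
        self._account_failures = defaultdict(deque)  # account -> failure times
        self._account_locked_until = {}              # account -> unlock time
        self._source_accounts = defaultdict(dict)    # source -> {account: last failure}
        self._source_blocked_until = {}              # source -> unblock time

    def check(self, account, source, now):
        """State of an attempt before the password is verified at all."""
        if self._source_blocked_until.get(source, 0) > now:
            return SOURCE_BLOCKED
        if self._account_locked_until.get(account, 0) > now:
            return ACCOUNT_LOCKED
        return ALLOW

    def record_failure(self, account, source, now):
        """Record a wrong password and return the resulting state."""
        state = self.check(account, source, now)
        if state != ALLOW:
            return state  # rejected before the password was checked; don't double-count

        # Per-account counter: the 3-strikes / 30-minute rule from the post.
        fails = self._account_failures[account]
        fails.append(now)
        while fails and now - fails[0] > ACCOUNT_LOCK_SECONDS:
            fails.popleft()
        if len(fails) >= MAX_ACCOUNT_FAILURES:
            self._account_locked_until[account] = now + ACCOUNT_LOCK_SECONDS
            fails.clear()

        # Per-source counter: how many *distinct* accounts has this host failed on?
        seen = self._source_accounts[source]
        seen[account] = now
        for acct, ts in list(seen.items()):
            if now - ts > SOURCE_WINDOW_SECONDS:
                del seen[acct]
        if (self.max_accounts_per_source is not None
                and len(seen) >= self.max_accounts_per_source):
            self._source_blocked_until[source] = now + SOURCE_BLOCK_SECONDS
            seen.clear()

        return self.check(account, source, now)

    def record_success(self, account, source, now):
        """A correct password resets the account's failure count."""
        self._account_failures.pop(account, None)
        self._source_accounts[source].pop(account, None)

    def locked_accounts(self, now):
        return sorted(a for a, t in self._account_locked_until.items() if t > now)


def simulate_spray(max_accounts_per_source, n_accounts=20):
    """Constructed scenario: one host tries three guesses against each of
    n_accounts accounts, one attempt per second. Returns how many accounts
    end up locked."""
    guard = LoginGuard(max_accounts_per_source)
    attacker = "203.0.113.7"  # constructed, documentation range
    now = 1000
    for i in range(n_accounts):
        for _ in range(MAX_ACCOUNT_FAILURES):
            guard.record_failure(f"user{i:02d}", attacker, now)
            now += 1
    return len(guard.locked_accounts(now))


if __name__ == "__main__":
    print("accounts locked, account lockout only:", simulate_spray(None))  # 20
    print("accounts locked, with per-source brake:", simulate_spray(5))    # 4
```

With only the account counter every sprayed account ends up locked; with the per-source brake the host is blocked on its first failure against the fifth account, so four accounts are locked and the rest are untouched, while a user with the right password from another address still gets in. The brake only helps against a single source, so it belongs alongside the network controls already mentioned rather than in place of them; a distributed attack still needs the per-account rule the auditors ask for, plus monitoring so the help desk sees a lockout spike as it starts.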

