By ThreatListPro Security Team · Published February 27, 2026 · Last verified: February 28, 2026

If you are an IT administrator dealing with a wave of account lockouts that started suddenly and will not stop, there is a very good chance a VPN brute force campaign is the cause. This is the single most common symptom that drives people to search for a solution, and it is the problem that ThreatListPro was built to solve.

This article explains exactly why brute force attacks cause lockouts, why the obvious fixes create new problems, and the fastest way to stop lockouts without weakening your security posture.

The Account Lockout Problem

Here is the scenario that plays out at thousands of organizations every week:

  1. An automated bot discovers your VPN portal (GlobalProtect, SSL-VPN, AnyConnect, etc.) via port scanning.
  2. The bot begins trying username and password combinations. It has a list of usernames—likely scraped from LinkedIn, harvested from email addresses, or obtained from a previous breach.
  3. For each username, the bot tries 5, 10, or 20 passwords in rapid succession. Quieter bots spray one or two passwords across every username instead, to stay under the threshold on any single account, and still trip it once they cycle back around.
  4. Your VPN portal authenticates against Active Directory. Each failed attempt increments the badPwdCount attribute on the domain controller that handled it, and the failure is forwarded to the PDC emulator, which keeps the authoritative count for the account.
  5. Once badPwdCount reaches your lockout threshold (commonly 3 to 5 attempts; Microsoft's security baseline sets 10), Active Directory locks the account.
  6. The legitimate user—who is sitting at their desk and has done nothing wrong—suddenly cannot log in to anything: VPN, email, file shares, internal applications. Everything tied to Active Directory is locked.
  7. The user calls the helpdesk. The helpdesk unlocks the account. An hour later, the bot comes back and locks it again.
The cruel irony: The lockout policy exists to protect users from unauthorized access. But during a brute force campaign, it becomes a denial-of-service weapon that attackers wield against your own workforce. The attacker does not need to guess the correct password—they just need to trigger enough failed attempts to lock the account.

How the Attack Flow Causes Lockouts

Without protection, every brute force attempt reaches your authentication server:

Attacker Bot --> Firewall (allows) --> VPN Portal --> Active Directory --> Account Locked

Without an IP blocklist, every attack attempt reaches Active Directory

With ThreatListPro blocking known attacker IPs at the firewall:

Attacker Bot --> Firewall (BLOCKS) --X   VPN Portal and Active Directory never see the attempt --> Account Safe

With ThreatListPro, attacks are blocked before reaching the VPN portal

Why the Obvious Fixes Create New Problems

When lockouts start, the pressure to “just make it stop” leads to quick fixes that undermine security:

Disabling the lockout policy

Removing or relaxing the AD lockout threshold stops the lockouts, but it also removes the one control that caps how many guesses an attacker gets at a password. A bot that can try passwords without limit will eventually find the weak ones. This trades a visible operational problem for an invisible security risk.

Increasing the lockout threshold

Raising the threshold from 5 to 20 or 50 attempts delays lockouts but does not prevent them. A persistent bot will reach any threshold, as long as it keeps trying faster than the reset window clears the counter. Meanwhile, you have given real attackers more guesses before lockout kicks in.

Shortening the lockout duration

Reducing the lockout window from 30 minutes to 5 minutes means users self-unlock faster, but during an active campaign, they just get locked out again immediately. It also means real brute force attempts face less resistance.

None of these approaches address the root cause: malicious traffic reaching your authentication infrastructure in the first place.
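The three policy changes above are easy to compare quantitatively. The following is an added example written for this article, not ThreatListPro's code and not a Microsoft API: it models the documented behaviour of the three AD lockout settings (threshold, reset window, lockout duration) on one account, replays a constructed 24-hour stream from a single bot guessing every 60 seconds, and shows how many times the account locks under each "fix" versus dropping the bot's address at the firewall. The attacker address 203.0.113.10 and the user jsmith are made up.

```python
"""Lockout-policy model: what the three "obvious fixes" do under a steady
brute-force stream, next to dropping the attacker's address at the firewall.

Added example for this article; it is not ThreatListPro code and not a
Microsoft API. It reproduces the documented behaviour of the AD account
lockout settings on one account and replays a constructed attack against
it. The attacker address 203.0.113.10 (RFC 5737 range) is made up.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int         # "Account lockout threshold"; 0 = never lock
    reset_after: int       # "Reset account lockout counter after", seconds
    lockout_duration: int  # "Account lockout duration", seconds; 0 = admin unlock only


@dataclass
class SimResult:
    lockouts: int = 0    # times the account was locked
    reached_ad: int = 0  # failed attempts the domain controller had to process
    blocked: int = 0     # attempts dropped at the firewall


def simulate(attempts: Iterable[Tuple[int, str, str]], policy: LockoutPolicy,
             blocked_ips: frozenset = frozenset()) -> SimResult:
    """Replay (time_s, source_ip, username) failed logins against one account."""
    res = SimResult()
    bad_pwd_count = 0
    last_bad = None       # time of the last counted failure
    locked_until = None   # None while unlocked
    for t, src, _user in sorted(attempts):
        if src in blocked_ips:
            res.blocked += 1          # never reaches the portal or AD
            continue
        res.reached_ad += 1
        if locked_until is not None:
            if t < locked_until:
                continue              # still locked: the attempt fails, nothing changes
            locked_until = None       # duration elapsed: account auto-unlocks
            bad_pwd_count = 0
        if last_bad is not None and t - last_bad >= policy.reset_after:
            bad_pwd_count = 0         # observation window elapsed: counter resets
        bad_pwd_count += 1
        last_bad = t
        if policy.threshold and bad_pwd_count >= policy.threshold:
            res.lockouts += 1
            locked_until = (t + policy.lockout_duration
                            if policy.lockout_duration else float("inf"))
    return res


def steady_attack(src: str, user: str, every_s: int = 60, hours: int = 24):
    """Constructed stream: one bot guessing `user` every `every_s` seconds."""
    return [(t, src, user) for t in range(0, hours * 3600, every_s)]


ATTACKER = "203.0.113.10"
ATTACK = steady_attack(ATTACKER, "jsmith")          # 1440 attempts in 24 h
BASELINE = LockoutPolicy(threshold=5, reset_after=1800, lockout_duration=1800)

SCENARIOS = {
    "baseline":                (BASELINE, frozenset()),
    "threshold_50":            (LockoutPolicy(50, 1800, 1800), frozenset()),
    "duration_5min":           (LockoutPolicy(5, 300, 300), frozenset()),
    "no_lockout":              (LockoutPolicy(0, 1800, 1800), frozenset()),
    "baseline_plus_blocklist": (BASELINE, frozenset({ATTACKER})),
}


def compare() -> dict:
    """Run every scenario over the same 24-hour attack stream."""
    return {name: simulate(ATTACK, pol, blocked)
            for name, (pol, blocked) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:24s} lockouts={r.lockouts:4d} "
              f"reached_AD={r.reached_ad:5d} blocked={r.blocked:5d}")
```

Against this stream the baseline policy locks the account 43 times in a day; raising the threshold to 50 still locks it 18 times; shortening the window to 5 minutes locks it 160 times, because each auto-unlock is followed by another lockout a few minutes later; disabling lockout produces zero lockouts but lets all 1440 guesses through to the domain controller. Only the blocklist gives zero lockouts with zero attempts reaching AD.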

Solutions Ranked by Effectiveness and Speed

1

IP Blocklist (EDL)

Deploy: 5 min | Lockout reduction: 80-90%

Block known attacker IPs at the firewall before they reach the VPN portal. ThreatListPro provides a curated list as a ready-made EDL (External Dynamic List, the Palo Alto Networks term for a URL-hosted address list the firewall refreshes on a schedule; other vendors have equivalent external threat-feed objects). Paste the URL, create a deny rule, commit. Lockouts drop immediately because attack traffic never reaches Active Directory. One check before enforcing: compare any third-party feed against your own egress and partner ranges, because a deny rule built on a feed blocks your own users just as readily if their address appears on it.

2

Geo-Blocking

Deploy: 1-2 hrs | Lockout reduction: 50-70%

Block VPN access from countries where you have no users. Eliminates a large percentage of bot traffic, but attackers using domestic VPS infrastructure will still get through. Combine with an IP blocklist for better coverage.

3

Rate Limiting

Deploy: 2-4 hrs | Lockout reduction: 30-50%

Limit connection attempts per source IP on your firewall. Slows attackers down but does not eliminate lockouts entirely since even rate-limited attempts still trigger failed login counts. Requires careful threshold tuning.

4

MFA Enforcement

Deploy: 4-12 wks | Lockout reduction: 0%

Essential for long-term security but does not prevent lockouts. In the usual setup, where the portal validates the password against AD over RADIUS or LDAP and only then sends the MFA challenge, every failed password attempt increments the lockout counter before MFA is ever involved. (Portals that hand the whole login to a SAML identity provider move the password check to that provider; whether the on-premises counter still increments then depends on how the provider validates passwords.) Deploy MFA for security, but use a blocklist for lockout prevention.

Why ThreatListPro Stops Lockouts Immediately

ThreatListPro works because it addresses the problem at the right layer. Instead of trying to make your authentication system more tolerant of attacks (which weakens security), it prevents attack traffic from reaching your authentication system at all.

When you add the ThreatListPro blocklist as an EDL on your firewall and create a deny rule for traffic from those addresses to your VPN portal, the firewall drops (or resets) the connection's first packet, before any TCP handshake or IKE exchange begins. The VPN portal never receives the login attempt, Active Directory never processes a failed authentication, and the user's badPwdCount never increments.

Immediate results: Most customers report lockouts dropping by 80 to 90 percent within hours of deployment. The remaining lockouts are typically from new attacker IPs that have not yet been added to the blocklist—these are captured by ThreatListPro’s honeypot network and added in the next weekly update.
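The gap between feed updates is where your own logs earn their keep: the addresses still locking accounts out are visible in the portal's authentication log, and you can maintain a local EDL alongside the vendor feed. The script below is an added example written for this article, not ThreatListPro's code. It parses failed logins per source address, flags two patterns (a burst of failures against one account, and a spray across many accounts), refuses to emit anything from ranges you own, and prints the offenders one address per line, the format an EDL consumes. The log format and every address in SAMPLE_LOG are constructed for the example (RFC 5737 and RFC 1918 ranges); adapt LOG_RE to your portal's real syslog fields, and add your corporate egress ranges to never_block.

```python
"""Find brute-force sources that a vendor blocklist does not cover yet.

Added example for this article, not ThreatListPro code. It aggregates failed
VPN logins per source address, flags bursts and sprays, and emits the
offenders one address per line for a local EDL. The log format and all
addresses in SAMPLE_LOG are constructed (RFC 5737 / RFC 1918 ranges).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2026-02-27T09:00:01Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:00:02Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:00:03Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:00:04Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:00:05Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:00:06Z vpn-portal auth=fail src=203.0.113.10 user=jsmith
2026-02-27T09:05:00Z vpn-portal auth=fail src=198.51.100.7 user=adavis
2026-02-27T09:05:01Z vpn-portal auth=fail src=198.51.100.7 user=bkhan
2026-02-27T09:05:02Z vpn-portal auth=fail src=198.51.100.7 user=clee
2026-02-27T09:05:03Z vpn-portal auth=fail src=198.51.100.7 user=dmorris
2026-02-27T09:05:04Z vpn-portal auth=fail src=198.51.100.7 user=egarcia
2026-02-27T09:10:00Z vpn-portal auth=fail src=192.0.2.44 user=tnguyen
2026-02-27T09:10:20Z vpn-portal auth=fail src=192.0.2.44 user=tnguyen
2026-02-27T09:10:45Z vpn-portal auth=ok src=192.0.2.44 user=tnguyen
2026-02-27T09:12:00Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
2026-02-27T09:12:01Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
2026-02-27T09:12:02Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
2026-02-27T09:12:03Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
2026-02-27T09:12:04Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
2026-02-27T09:12:05Z vpn-portal auth=fail src=10.20.30.40 user=svc-scanner
"""

# Constructed line shape: "<iso-time> <host> auth=<ok|fail> src=<ip> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth=(?P<result>ok|fail) src=(?P<src>\S+) user=(?P<user>\S+)$")

# Ranges a blocklist must never contain; extend with your own egress/partner ranges.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse(lines):
    """Yield (epoch_s, result, src, user) for every line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        yield ts, m["result"], m["src"], m["user"]


def max_failures_in_window(times, window_s):
    """Largest number of timestamps that fit inside any window_s-wide interval."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_offenders(lines, fail_threshold=6, window_s=600, spray_users=4,
                   never_block=RFC1918):
    """Return (block, excluded).

    block:    sources to append to the local EDL
    excluded: sources that met the criteria but sit in ranges you own;
              investigate them, never let a feed block your own users
    """
    fails, users = defaultdict(list), defaultdict(set)
    for ts, result, src, user in parse(lines):
        if result == "fail":
            fails[src].append(ts)
            users[src].add(user)
    protected = [ipaddress.ip_network(n) for n in never_block]
    block, excluded = [], []
    for src, times in fails.items():
        burst = max_failures_in_window(times, window_s) >= fail_threshold
        spray = len(users[src]) >= spray_users   # few guesses each, many accounts
        if not (burst or spray):
            continue  # e.g. a real user mistyping twice, then logging in
        addr = ipaddress.ip_address(src)
        (excluded if any(addr in n for n in protected) else block).append(src)
    return sorted(block), sorted(excluded)


def edl_text(block):
    """One address per line, as an EDL source expects."""
    return "".join(f"{ip}\n" for ip in block)


if __name__ == "__main__":
    block, excluded = find_offenders(SAMPLE_LOG.splitlines())
    print(edl_text(block), end="")
    print("# excluded (own ranges):", ", ".join(excluded))
```

On the sample, 203.0.113.10 is caught by the burst rule, 198.51.100.7 by the spray rule (five accounts, one guess each, under the burst threshold), tnguyen's two typos are ignored, and the internal scanner at 10.20.30.40 is reported but kept out of the list. Serve the output over HTTPS from a host the firewall can reach, register it as a second EDL, and feed the same deny rule from both.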

Frequently Asked Questions

Why do VPN brute force attacks cause account lockouts?

Because the VPN portal authenticates against Active Directory, which has a lockout policy. Each failed password attempt from the attacker increments the failed login counter on the AD account. Once the threshold is reached (commonly 3 to 5 attempts), the account locks—even though the legitimate user did nothing wrong.

Should I disable my account lockout policy to prevent VPN lockouts?

No. Disabling the lockout policy removes a critical security control. Instead, block attacker IPs at the firewall using an IP blocklist like ThreatListPro. This stops brute force traffic before it reaches the authentication system, so lockouts are never triggered and your lockout policy remains intact for its intended purpose.

How many accounts typically get locked out during a VPN brute force attack?

Organizations report 10 to 50+ accounts locked out per day during sustained campaigns. Some have experienced 100+ lockouts in a single day during peak attacks, disrupting a significant portion of the workforce and overwhelming helpdesk teams.

How quickly can I stop VPN-caused account lockouts?

With ThreatListPro, you can stop the majority of lockouts within 5 minutes. Add the blocklist URL as an EDL on your firewall, create a deny rule, and commit. Known attacker IPs are immediately blocked before they can trigger failed logins or lockouts. Most customers see an 80-90% drop in lockouts within hours.

Does MFA prevent VPN brute force account lockouts?

No. MFA prevents attackers from completing authentication even if they guess the correct password, but it does not prevent lockouts. In the usual RADIUS or LDAP configuration the password check happens before the MFA challenge, so every failed password attempt still increments the AD lockout counter. MFA is essential for security, but an IP blocklist is needed to prevent the lockouts themselves.