Active Directory Account Lockout: Best Practices
Windows account lockout policies are useful when you want to limit the attempts people can make to access your network by guessing passwords.
The policies are also good for enforcing strong password guidelines. When an account lockout policy is in place, it limits the number of consecutive login attempts a person can make within a set period.
However, to reduce frequent calls to the help desk, you need a lockout policy with an increased account lockout duration, a decreased lockout threshold, and an increased reset lockout counter.
Robust Windows account lockout policies are defined by three independent policies:
- Reset account lockout policy
- Account lockout duration
- Account lockout threshold
Generally, the account lockout policy is configured in the Group Policy Management Console.
Here is the path to the console:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
This article reviews some of the best practices for disabling a user account when too many wrong passwords are entered within a specified period.
Here are some best practices for Active Directory account lockout, as used in a typical Windows environment.
1. Create an Account Lockout Policy
You need to create a lockout policy GPO, which can be edited through the following path:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
For example, the parameters of the account lockout policy can be set to:
- 1440 minutes for lockout duration;
- 10 invalid logins for account threshold;
- 0 minutes for reset account counter to ensure the account does not unlock itself.
Once an account is locked, the administrator should check the configured lockout duration before intervening.
A lockout duration between 1 and 99,999 minutes automatically unlocks the account after that time. The duration must be set equal to or greater than the reset account lockout counter.
The account lockout threshold is the number of failed login attempts an account can sustain before it is locked.
The reset counter tells Windows how long to keep counting consecutive failed attempts toward the threshold; once that interval passes without another failure, the count starts again from zero.
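To check the effective domain lockout policy against the constraints described above and then apply the article's example values, the following added PowerShell script (not part of the original article) can be used. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the 30-minute observation window is an assumed value, chosen so that the window does not exceed the duration.

```powershell
# Added example: validate and set the domain account lockout policy.
# Assumes the ActiveDirectory module (RSAT) is installed and the session has Domain Admin rights.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param([Parameter(Mandatory)] $Policy)   # object returned by Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        # Threshold 0 means accounts are never locked, so password guessing is unlimited.
        $findings += 'LockoutThreshold is 0: accounts never lock out.'
    }
    if ($Policy.LockoutDuration -eq [TimeSpan]::Zero) {
        # Duration 0 keeps the account locked until an administrator unlocks it.
        $findings += 'LockoutDuration is 0: locked accounts stay locked until an admin intervenes.'
    }
    elseif ($Policy.LockoutDuration -lt $Policy.LockoutObservationWindow) {
        # The duration must be greater than or equal to the reset counter (observation window).
        $findings += 'LockoutDuration is shorter than LockoutObservationWindow (reset counter).'
    }
    return $findings
}

# Read and display the current effective policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Test-LockoutPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }

# Apply the article's example values: 1440-minute duration, threshold of 10.
# The 30-minute observation window is an assumed value. Remove -WhatIf to actually apply.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutDuration (New-TimeSpan -Minutes 1440) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutThreshold 10 `
    -WhatIf
```

Because the Default Domain Policy GPO rewrites these attributes on refresh, the same values should also be set in the GPO path shown above so they are not reverted.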
2. Review Account Lockouts
Account lockout investigations succeed only when logs are captured that can be used to trace where the failed attempts originate.
The administrator can take the following steps:
- enable auditing of logon events;
- enable logging of Netlogon events;
- enable Kerberos auditing.
After reviewing the data produced by the features enabled above, the administrator should analyze the security event logs and the Netlogon log files to find the origin of the lockouts and why they are taking place.
Once the machine producing the failed logins has been identified, its event logs can be analyzed to determine the cause.
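The investigation described above can be scripted. The following added example (not from the original article) reads lockout event 4740 on the PDC emulator, which records every lockout in the domain together with the computer that caused it, and then pulls the matching failed-logon events (4625) from that source computer. It assumes logon auditing is enabled and that the Security logs can be read remotely.

```powershell
# Added example: trace account lockouts to their source computer and process.
# Assumes the ActiveDirectory module, remote event log access, and logon auditing enabled.
Import-Module ActiveDirectory

function Get-LockoutSource {
    # Event 4740 "A user account was locked out" is always recorded on the PDC emulator.
    param([string]$Server = (Get-ADDomain).PDCEmulator, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $data['TargetUserName']
                SourceComputer = $data['TargetDomainName']  # in 4740 this field is the caller computer name
                DC             = $_.MachineName
            }
        }
}

function Get-FailedLogonDetail {
    # Event 4625 on the source machine shows which process and logon type sent the bad credentials.
    param([Parameter(Mandatory)][string]$Computer, [Parameter(Mandatory)][string]$Account, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $Account) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    LogonType   = $data['LogonType']     # e.g. 3 = network, 4 = batch/scheduled task, 5 = service
                    ProcessName = $data['ProcessName']
                    IpAddress   = $data['IpAddress']
                }
            }
        }
}

# Group lockouts by account and source so a machine replaying stale credentials stands out.
$lockouts = Get-LockoutSource -Hours 24
$lockouts | Group-Object Account, SourceComputer | Sort-Object Count -Descending | Select-Object Count, Name

# Drill into the most frequent source to see which process is responsible.
$top = $lockouts | Group-Object Account, SourceComputer | Sort-Object Count -Descending | Select-Object -First 1
if ($top) { Get-FailedLogonDetail -Computer $top.Group[0].SourceComputer -Account $top.Group[0].Account }
```

A logon type of 4 or 5 points at a scheduled task or service running with an old password, while type 3 from a workstation usually indicates a mapped drive or a disconnected session.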
3. Use Account Lockout and Management Tools
Some Microsoft and third-party tools can be used to investigate account lockouts and help determine the cause. These tools send alerts in real time, which makes it easier for the help desk to resolve lockouts when asked.
a. Netwrix Account Lockout Examiner
This tool notifies the system administrator of an account lockout. It is freeware that helps identify the root cause of persistent lockouts.
System administrators can access the troublesome accounts from the console. The tool reduces the strain on the service desk, who are alerted even before the user calls for help.
A working Netwrix Account Lockout Examiner is, according to the vendor, sufficient evidence that the Active Directory account lockout policy complies with the set standards.
Administrators can also use Netwrix Account Lockout Examiner to identify malware-driven attacks that lead to multiple lockouts.
b. The AD Lockouts and Bad Password Detection
This tool is used to track the origin of lockouts in Active Directory caused by bad password attempts. It is useful in large organizations running multiple domains.
The system administrator can use this tool to:
- search the domain for bad password attempts against particular accounts;
- analyze events related to failed login attempts on each domain controller, tracing the possible origin of the lockout.
Furthermore, the event logs from every machine on the network can be used to determine whether the following common causes of account lockout are present:
- mapped drives with open permissions;
- old, possibly still-running logon and RDP sessions;
- tasks and services running with old credentials.
c. Microsoft Account Lockout Status Tools
This set of account lockout tools is available from Microsoft and can be downloaded to extend the functionality of Active Directory.
Microsoft recommends using these tools alongside the Account Passwords and Policies white paper.
The primary functions of the tools are:
- helping to isolate and troubleshoot locked accounts by letting you change the user's password on the domain controller; a property page is automatically added to the user account in the Active Directory Users and Computers console;
- on the client side, determining which processes or applications are sending wrong credentials;
- displaying account names and the age of their passwords;
- running as a startup script to enable Kerberos logging on clients using Windows 2000 and later;
- collecting events from the event logs of all machines into a central location;
- identifying all domain controllers involved in a lockout by gathering their logs; the output is saved as a .CSV file whose contents can be sorted if needed;
- extracting and displaying specific entries from the Netlogon log files.
Please Note: the Microsoft account lockout status tools should not be used on a server hosting network applications and services, as they may prevent some critical services from loading.
4. Know The Causes of Account Lockouts
Knowing the reasons Active Directory accounts get locked out can help you establish robust security policies.
Here are some reasons that may cause account lockouts:
- port 3389 used by RDP is exposed and brute-force attempts are made against it;
- replication delays in Active Directory;
- programs running with cached user credentials;
- service accounts with expired or changed passwords;
- low lockout threshold settings;
- shared drive mappings;
- disconnected terminal sessions;
- mobile access to the Exchange server via IIS;
- a user logged on to multiple computers;
- saved account credentials with stale usernames and passwords.
Conclusion
An account lockout policy is usually put in place to stop users who repeatedly enter bad passwords from accessing the system.
The policy is enforced after several failed attempts have been made within a specified period. Using such a policy, together with third-party tools and utilities, can prevent malicious intrusions and reduce successful attacks on a network.
The user can access the affected account again after the system administrator has reset the password or unlocked the account, or after the specified lockout period has lapsed.