Account Lockout Policy & Monitoring

  • Tuesday, December 25, 2012 10:54 AM

    Hi,

    There is a customer who is requesting to disable the Account Lockout Policy on GPO based on the situation.

    There are around 1000 users and 20% are mobile users who are always roaming around and using multiple devices such as iPad, iPhone, Android Device, etc...

    There is a GPO for Password Expiry and Account Lockout, so whenever their password expires their accounts keep getting locked out unless they update the password on all of the devices they use to connect to domain services, which is causing inconvenience to everyone.

    One of the Microsoft Partners suggested the following.

    1 - Disable the Policy for Account Lockouts so there shouldn't be any policy to lock out accounts if there are invalid logon attempts.

    (The consultant also mentioned a reason for this option: he says that if someone attempts a DHA attack or tries invalid logon attempts using a script or similar, it will lock out all the accounts in AD, thus causing loss of productivity.)

    2 - Implement a monitoring / alerting solution to alert on multiple invalid logon attempts within the specified time range.

    I wonder if this is the best practice recommended by experts, and also which tool to use for alerting on invalid logon attempts (anything from the Microsoft line of products). Please suggest.

    Regards,

    Maqsood



    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

All Replies

  • Tuesday, December 25, 2012 11:51 AM

    It's a reasonable proposition IF you have a domain at 2008 functional level and thus can implement Fine-grained password policies (http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx). That means you can have a stronger policy for administrative/privileged accounts, and another for regular, unprivileged accounts. Together with active monitoring of failed logons I'd say it's fairly safe.

    Without FGPP I would not recommend this.

    To collect audit data you can use Ops Manager with ACS (http://technet.microsoft.com/en-us/library/hh212908.aspx), but I have not used ACS myself.


    There are two hard things in computer science: cache invalidation, naming things, and off-by-one errors


  • Tuesday, December 25, 2012 12:29 PM

    Hi Anders,

    We already have FGPP for Admin Accounts and we also use ACS, but I don't think SCOM ACS can do correlation of events and generate alerts.

    Regards,

    Maqsood


  • Thursday, December 27, 2012 2:40 AM
    Moderator

    Hi Maqsood,

    Thank you for clarifying the issue for us.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

  • Friday, December 28, 2012 6:10 AM

    Hi,

    As the credential is stored on the user side, when the username/password is passed, the DC does the authentication. To completely resolve the issue, you need to contact the app vendor, and the actions need to be taken on the mobile side. For example, with Exchange on an iPad, a new password is being used, but the old password keeps being retried; you need to reconfigure the stored credential.


    Disabling the account lockout policy and using GPP for these mobile users is a workaround, but the risk is that when an account name is known to others, any attack such as a dictionary attack will easily guess a password.


  • Saturday, December 29, 2012 2:59 PM

    In case you decide to take a look at 3rd party tools, you can try these solutions from NetWrix - www.netwrix.com (full disclosure: I work for them).

    1) NetWrix Password Manager. It allows users to resolve account lockouts in a self-service fashion and reset their passwords.

    2) NetWrix Logon Reporter. Provides tracking of invalid logon attempts.

    In both cases you can download a freeware edition, as well as a free trial.

    There is also another product for resolving account lockouts, Account Lockout Examiner, but this one has only a free trial, no freeware.


  • Sunday, December 30, 2012 9:41 AM

    Hi Brian,

    I agree with you that there is a risk in disabling the Account Lockout Policy, and I don't know if we can fix the issue on mobile devices regarding cached credentials.

    If we take the risk and disable the policy, is there any Microsoft product which can monitor the account lockouts and alert based on certain criteria out of the box, such as SCOM ACS?

    Please suggest.

    Maqsood


  • Wednesday, January 02, 2013 2:18 AM
     Answered

    Hi Maqsood,

    SCOM ACS collects all the auditing events, you could review them from it. Without SCOM, you could also review these events from Security Log.

    Auditing in Group Policy does this kind of thing. You could trace the source by enabling Account Management auditing and Logon auditing to find out which account is locked out and why the account is locked.

    e.g.:

    644 - A user account was auto locked.

    529 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.



    Thanks, Brian
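The threshold-within-a-time-window alert that the consultant proposed in place of lockout (point 2 of the question), applied to the failed-logon events Brian cites, as an added PowerShell example that is not code from the thread. It runs over constructed sample objects; the commented Get-WinEvent line shows how the same objects would be built from a live DC's Security log, and the function name, the threshold of 5 failures in 10 minutes and the property indexes for event 4625 (the Windows 2008+ successor of the legacy 529 on the page) are this example's assumptions.

```powershell
# Added example, not from the thread: flag accounts whose failed logons exceed a
# threshold inside a sliding time window. This is the detection control a defender
# leans on when lockout is relaxed for roaming users.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, Account, Source
        [int] $Threshold = 5,                        # assumed tuning value
        [int] $WindowMinutes = 10                    # assumed tuning value
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property Account)) {
        # Sort this account's failure timestamps, then slide a window over them.
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                $sources = ($group.Group | Select-Object -ExpandProperty Source -Unique) -join ','
                $alerts += [pscustomobject]@{
                    Account = $group.Name; Failures = $inWindow.Count
                    WindowStart = $times[$i]; Sources = $sources
                }
                break   # one alert per account per run is enough
            }
        }
    }
    return $alerts
}

# Constructed sample data: one roaming user whose two devices keep retrying a stale
# cached password (should alert), and one user with a slow trickle (should not).
$base   = Get-Date '2012-12-28 08:00:00'
$sample = @(1..6 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $base.AddMinutes($_); Account = 'roaming.user'; Source = '10.0.0.' + (10 + $_ % 2) }
}) + @(1..3 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $base.AddHours($_); Account = 'desk.user'; Source = '10.0.0.20' }
})

Find-FailedLogonBursts -Events $sample -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize

# Live source on a DC with Logon auditing enabled (assumed 4625 property layout:
# index 5 = TargetUserName, index 19 = IpAddress):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Account = $_.Properties[5].Value; Source = $_.Properties[19].Value } }
# Find-FailedLogonBursts -Events $live
```

Expect a single row for roaming.user listing both source addresses, which is exactly the "stale password on several devices" pattern the thread describes, while desk.user stays quiet.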