Create an account lockout policy GPO and edit it at “Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy” using the following parameters:
To investigate account lockouts, you need to capture logs that will help you to trace their source. Take the following steps:
An account lockout policy disables a user account if an incorrect password is entered a specified number of times within a specified period. This policy helps you prevent attackers from guessing users' passwords, reducing the chance of successful attacks on your network. When the policy is set, each failed domain logon attempt is recorded on the primary domain controller (PDC) emulator. When the threshold is reached, the PDC locks the account and prevents it from logging on. Once the password is reset by an administrator, or after the AD account lockout duration you specify has elapsed, the user can log in again (for example, to a Windows 7 workstation).
Automatically locking out accounts after several unsuccessful logon attempts is a common practice, since failed logon attempts can be a sign of an intruder or malware trying to get into your IT system. Before unlocking an account, it’s wise to find out why incorrect passwords were repeatedly provided; otherwise, you increase the risk of unauthorized access to your sensitive data.
The first step in the troubleshooting process is identifying the source of the authentication failures that caused the account lockout. There are several account lockout management tools designed to assist with this process.
Since the PDC emulator is responsible for processing the account lockout, this should be the first DC that you check in the troubleshooting process. If you are running Windows Server 2008 R2 or later, you should enable user account management auditing in the Advanced Audit Policy configuration. Then determine which of the following account lockout policy modifications have already been made in your environment and reconfigure them according to this account lockout best practice white paper.
Since account lockout events are written to the Windows security event log, filter the PDC emulator's Security log for event ID 4740. Review the events to locate the affected account. The event details include the name of the computer from which the failed logon attempts originated (the "Caller Computer Name" field). The same can be done with Windows 7 account lockout software.
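The check described in the two preceding paragraphs, as an added PowerShell example that is not part of the original article: it finds the PDC emulator, shows the lockout policy in effect, confirms that the "User Account Management" audit subcategory is enabled, and then pulls event ID 4740 from the PDC's Security log, parsing the event XML by field name so the locked account and the caller computer are read reliably. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the PDC's Security log, and that the 24-hour window is an arbitrary choice.

```powershell
# Added example, not the article's own code. Assumes RSAT (ActiveDirectory module)
# and read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

# 1. The PDC emulator processes every lockout, so it is the DC to query first.
$pdc = (Get-ADDomain).PDCEmulator

# 2. Show the domain lockout policy currently in effect.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 3. 4740 is produced by the "User Account Management" subcategory of the
#    Advanced Audit Policy; confirm it is enabled on the PDC.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol.exe /get /subcategory:"User Account Management"
}

# 4. Pull 4740 events for the last 24 hours (window is an assumption) and read
#    the EventData fields by name rather than by position.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) }
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In 4740 the TargetDomainName field carries the "Caller Computer Name":
            # the host the bad passwords came from, which is where to look next.
            CallerComputer = $data['TargetDomainName']
            ProcessedBy    = $data['SubjectUserName']   # DC computer account that locked it
        }
    }

$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# 5. Count lockouts per caller so a single misbehaving host or service stands out.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Parsing the XML by field name avoids the common mistake of treating the second positional property of a 4740 event as a domain name: for this event ID it is the caller computer, and that is the value the next troubleshooting step depends on.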
Then go to the machine named as the caller computer (a Windows 7 workstation or any other host) and check its security, application and system logs for anomalies. If that machine is an Exchange server, check its IIS logs for an external IP address that is causing the lockout. If RDP ports are open to the internet, block them, and then check again for future account lockouts.
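The follow-up on the caller computer, as an added PowerShell example that is not part of the original article: one function lists failed logons (event ID 4625) for the locked account from the local Security log, with the logon type, process and source IP that point at a stale service, scheduled task or remote session; the other parses W3C-format IIS logs and reports requests for that account from non-private client addresses, which is the external-IP check for an Exchange server. The IIS log path and the account name 'jdoe' are constructed placeholders; the private-address pattern covers RFC 1918, loopback and link-local ranges.

```powershell
# Added example, not the article's own code. Run on the host named as
# "Caller Computer Name" in the 4740 event.

function Get-FailedLogonsForAccount {
    param([Parameter(Mandatory)][string]$Account, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml(); $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d['TargetUserName'] -ne $Account) { return }   # skip other accounts
        [pscustomobject]@{
            Time        = $_.TimeCreated
            # 2 interactive, 3 network, 4 batch/scheduled task, 5 service, 7 unlock, 10 RDP
            LogonType   = $d['LogonType']
            Process     = $d['ProcessName']
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            # 0xC000006A = wrong password, 0xC0000234 = account already locked
            SubStatus   = $d['SubStatus']
        }
    }
}

function Get-ExternalIisClients {
    param([Parameter(Mandatory)][string]$LogDir, [Parameter(Mandatory)][string]$Account)
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'
    Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_; $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            # W3C logs declare their column layout in a "#Fields:" directive line.
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $cols = $line -split ' '; $row = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
            if ($row['cs-username'] -and $row['cs-username'] -like "*$Account*" -and
                $row['c-ip'] -notmatch $private) {
                [pscustomobject]@{
                    File = $file.Name; Date = $row['date']; Time = $row['time']
                    ClientIp = $row['c-ip']; User = $row['cs-username']; Status = $row['sc-status']
                }
            }
        }
    }
}

# Usage (account name and IIS path are constructed placeholders):
Get-FailedLogonsForAccount -Account 'jdoe' |
    Group-Object LogonType, Process, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name

Get-ExternalIisClients -LogDir 'C:\inetpub\logs\LogFiles\W3SVC1' -Account 'jdoe' |
    Sort-Object Date, Time | Format-Table -AutoSize
```

A cluster of LogonType 4 or 5 failures from the same process usually means a scheduled task or service still holding an old password; LogonType 10 failures from a non-private SourceIp are the RDP exposure the paragraph above tells you to close, and any rows returned by the IIS check are the external addresses to block or investigate.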