Netwrix Auditor – Account Lockout Best Practices
Best Practices for Setting up an Account Lockout Policy
Create an account lockout policy GPO and edit it at “Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy” using the following parameters:
- Account lockout duration: 1440 minutes
- Account lockout threshold: 10 invalid logon attempts
- Reset account lockout after: 0 minutes [account does not unlock automatically]
Investigating All Account Lockouts
To investigate account lockouts, you need to capture logs that will help you to trace their source. Take the following steps:
- Enable auditing of logon events. Please refer to the Logon Auditing Quick Reference Guide.
- Enable Netlogon logging. Please refer to the Account Lockout Troubleshooting Quick Reference Guide.
- Enable Kerberos logging.
- Analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
- Analyze the event logs on the computer that is generating the account lockouts to determine the cause.
Common Causes of Account Lockouts
- Brute-force attack (check whether RDP port 3389 is open to the internet)
- Active Directory replication
- Programs with cached user credentials
- Service accounts with recently changed or expired passwords
- Bad password threshold is set too low
- User logging on to multiple computers
- Stored user names and passwords contain redundant credentials
- Scheduled tasks
- Shared drive mappings
- Disconnected Terminal Server sessions
- Mobile devices accessing exchange server via IIS
Account Lockout and Management Tools that Help with Investigations
- Netwrix Account Lockout Examiner
- Microsoft account lockout status tools
- AD lockouts and bad password detection utility
Active Directory Account Lockout Policy overview
An account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period. This policy helps you to prevent attackers from guessing users' passwords, reducing the chance of successful attacks on your network. When the policy is set, each failed domain logon attempt is recorded on the primary domain controller (PDC). When the threshold is reached, the PDC locks the account and prevents it from successfully logging on. When the password is reset by an administrator or after the AD account lockout duration time period you specify, the user can successfully log in again, for example, to Windows 7.
Investigating Account Lockouts
Automatically locking out accounts after several unsuccessful logon attempts is a common practice, since failed logon attempts can be a sign of an intruder or malware trying to get into your IT system. Before unlocking an account, it’s wise to find out why incorrect passwords were repeatedly provided; otherwise, you increase the risk of unauthorized access to your sensitive data.
The first step in the troubleshooting process is identifying the source of the authentication failures that caused the account lockout. There are several account lockout management tools designed to assist with this process.
Since the PDC emulator is responsible for processing the account lockout, this should be the first DC that you check in the troubleshooting process. If you are running Windows Server 2008 R2 or later, you should enable user account management auditing in the Advanced Audit Policy configuration. Then determine which of the following account lockout policy modifications have already been made in your environment and reconfigure them according to this account lockout best practice white paper.
Since account lockout events are written to the Windows security event log, you should filter for eventID 4740. Review the events to locate the affected account. The event details will contain information about the computer where the account lockout occurred. The same can be done with Windows 7 account lockout software.
Then go to the target account lockout Windows 7 or other machine and check its security, application and system logs for anomalies. If the target machine is an Exchange server, check its IIS logs for an external IP address that is causing a lockout. If RDP ports are open to the internet, block them, and then check again for future account lockouts.
