ACCOUNT LOCKOUT TOOLS SERVER 2012 WINDOWS
To mitigate this behavior, you can increase the " Account lockout threshold" on the DCs to a more bigger value.įor your enterprise a good value is 50, but it is also better to increase the " Account lockout duration" to 15 min or more.
This is due to the time necessary from the DCs in the FABRIKAM forest to send back the info ( badpwdcount) to the ADFS Servers in the CONTOSO forest, usually in milliseconds, but in those milliseconds, we can receive other authentication requests that will lock the accounts. So, we have verified that, during a brute force attack, if you have a low difference between the " ExtranetLockoutThreshold" and the " Account lockout threshold" on the Domain Controllers, you can have some accounts that will go in Locked-out.
Trick: count the number of 411 events on the ADFS infrastructure, for a specific user, if you want to verify that you received more authentication attempt than the " Account lockout threshold". In short: the authentication from the Contoso ADFS forest to the Fabrikam logon forest, sometime are directly done by the PDC, but sometime other DCs in the Fabrikam forest authenticate the User01, in this case the DC forward the Authentication to the PDC, because it is a badpwd logon attempt, this cause 1 more 4771 event. To understand why, you need to read " How the Domain Controllers Verify the Passwords ": NOTE: has you can see in the yellow part, we have exactly 6 events 411 for the ADFS Servers, but we have 8 events 4771 on the DCs, and the question is………. The last row indicated by the red rectangle, indicating the event 516 on the ADFS Server, show that the account User01 was locked out.The rows indicated by the yellow rectangles, we can see the events 411 on the ADFS Servers, and the events 4771 on the DCs of the Fabrikam Forests, all these events, show us that in the same second 12:04: 55, we have received 6 authentication requests for the User01 that have caused the account Lockout.
0 kommentar(er)
