OpenTechTips

Don’t let hackers lock out user AD accounts | ADFS Smart Lockout to the Rescue!

August 12, 2020 - by Zsolt Agoston - last edited on August 5, 2021

When a company is exposed on the internet, meaning it runs portals and services that listen for user connections (public websites, VPN servers, etc.), it is inevitable that attackers discover them and try to get into the organization. In most cases these attempts mean brute-forcing passwords for known or guessed user accounts. With Microsoft Exchange we open up many such entry points: Exchange SMTP for mail flow, Exchange OWA for web-based access, ActiveSync for mobile devices, Outlook Anywhere, the MAPI over HTTP listener for Outlook clients, etc.

If ADFS is used for authentication in the organization, user authentication attempts are validated on-prem against the local AD. This is very convenient because of single sign-on (the user enters one password once and can then access multiple resources throughout the organization), but it also means that if an attacker tries too many wrong passwords, AD locks the account and with it our legitimate user: the attacker doesn't get in, but neither does the user, which makes account lockout a cheap denial of service. How quickly this happens depends on our account lockout policy; typically accounts are locked after 5 failed attempts and unlocked again after a certain period of time.

AD lockout settings can be configured in this location when opening gpmc.msc:
Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Account Lockout Policy

To prevent this from happening, ADFS Extranet Lockout was developed. ADFS keeps its own count of failed password attempts per user, and once its threshold is reached it stops forwarding that user's credentials from the offending location to AD, so AD's own bad password counter never reaches the domain lockout threshold and legitimate users keep their accounts. In Smart Lockout mode (AD FS 2016 with the March 2018 updates or later, and AD FS 2019) the counters are kept separately for familiar IP addresses (addresses the user has successfully logged in from before) and unknown ones, so an attacker on an unknown IP locks only the unknown location while the user can still log in from familiar IPs. Two things to keep in mind: the ADFS threshold must be lower than the AD lockout threshold, otherwise AD locks the account first and the feature does nothing; and extranet lockout only applies to requests arriving through the Web Application Proxy, not to intranet logons. It is also a good idea to run in ADFSSmartLockoutLogOnly mode for a while first, so ADFS can learn the users' familiar locations before switching to ADFSSmartLockoutEnforce.

1. Set Up ADFS Extranet Lockout

# Enable verbose ADFS auditing and logging
PS C:\> Set-AdfsProperties -Auditlevel verbose
PS C:\> Set-ADFSProperties -LogLevel Verbose,Errors,Warnings,Information
PS C:\> Restart-Service -Name adfssrv

# Enable the "Application Generated" audit subcategory in the Windows Security log (this is where the ADFS audit events are written)
PS C:\> auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
The command was successfully executed.

# Configure permissions for the ADFS artifact store 
PS C:\> $cr = Get-Credential -Message "Admin Creds Here" -UserName alwayshotcafe\za
PS C:\> Update-AdfsArtifactDatabasePermission -Credential $cr

# Enable ADFS Smart Lockout (use ADFSSmartLockoutLogOnly first if you want ADFS to learn familiar locations without blocking anyone)
PS C:\> Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

Confirm
This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by running Update-AdfsArtifactDatabasePermission.  See https://go.microsoft.com/fwlink/?linkid=864556 for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
# The threshold must be lower than the AD Account Lockout Threshold, otherwise AD locks the account before ADFS steps in.
# With the usual AD value of 5 failed attempts, 15 is too high; pick a value below the AD threshold.
PS C:\> Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC:$false

# Don't forget to restart the adfs service!
PS C:\> Restart-Service -Name adfssrv

2. Verify ADFS Lockout is On

PS C:\> Get-AdfsProperties | Select Extra*


ExtranetLockoutThreshold  : 15
ExtranetLockoutMode       : ADFSSmartLockoutEnforce
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : False



PS C:\>
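Verifying that the values are set is not the same as verifying that they protect anything: if the ADFS threshold is higher than the AD one, AD still locks the account first. The script below is an added example, not part of the original post, that compares the ADFS extranet lockout settings with the domain's Account Lockout Policy and reports the mismatches. It assumes it is run by an ADFS admin on a farm node that also has the ActiveDirectory RSAT module installed; the function name Test-AdfsLockoutPolicy is made up for this example.

```powershell
# Added example: sanity-check ADFS extranet lockout against the AD Account Lockout Policy.
# Assumes the ADFS and ActiveDirectory modules are available on this host.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsLockoutPolicy {
    $adfs = Get-AdfsProperties
    # Default domain policy only; fine-grained password policies (PSOs) can override it per user or group.
    $ad = Get-ADDefaultDomainPasswordPolicy

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $adfs.ExtranetLockoutEnabled) {
        $findings.Add("ExtranetLockoutEnabled is False: ADFS is not enforcing any extranet lockout.")
    }

    if ($adfs.ExtranetLockoutMode -ne 'ADFSSmartLockoutEnforce') {
        $findings.Add("ExtranetLockoutMode is '$($adfs.ExtranetLockoutMode)': smart lockout is not enforced (LogOnly is fine while ADFS learns familiar locations, but switch to Enforce afterwards).")
    }

    # LockoutThreshold 0 means AD never locks accounts, so there is nothing for ADFS to shield.
    if ($ad.LockoutThreshold -eq 0) {
        $findings.Add("AD LockoutThreshold is 0: accounts are never locked by AD; extranet lockout is then only rate limiting.")
    }
    elseif ($adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
        $findings.Add("ExtranetLockoutThreshold ($($adfs.ExtranetLockoutThreshold)) is not lower than the AD LockoutThreshold ($($ad.LockoutThreshold)): AD locks the account before ADFS does, so attackers can still lock users out.")
    }

    # After its observation window ADFS lets attempts through again. If that window is shorter than the
    # AD reset window, AD still remembers the earlier failures and the attacker can slowly reach the AD threshold.
    if ($adfs.ExtranetObservationWindow -lt $ad.LockoutObservationWindow) {
        $findings.Add("ExtranetObservationWindow ($($adfs.ExtranetObservationWindow)) is shorter than the AD LockoutObservationWindow ($($ad.LockoutObservationWindow)): ADFS forgets failures before AD does.")
    }

    [pscustomobject]@{
        AdfsThreshold = $adfs.ExtranetLockoutThreshold
        AdThreshold   = $ad.LockoutThreshold
        AdfsWindow    = $adfs.ExtranetObservationWindow
        AdResetWindow = $ad.LockoutObservationWindow
        AdLockoutTime = $ad.LockoutDuration
        Findings      = $findings
    }
}

$result = Test-AdfsLockoutPolicy
$result | Format-List
if ($result.Findings.Count -eq 0) { Write-Host "ADFS extranet lockout is consistent with the AD lockout policy." }
```

Run it after the initial setup and again whenever the domain lockout policy changes; a policy change on the AD side (for example lowering the AD threshold during an incident) can silently make the ADFS threshold useless.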

3. Check User Lockout Status

Take a look at the ADFS account activity when Alice has had 15 failed logon attempts and is locked out. Note that ADFS keeps separate counters for familiar and unknown locations. In this example the failures came from Alice's familiar IP 82.34.148.38, so the familiar location is the one locked. Had an attacker guessed passwords from an unknown IP address, only the unknown location would have been locked, and Alice would still be able to log in from her familiar IP.

PS C:\> Get-AdfsAccountActivity alice@alwayshotcafe.com


Identifier             : ALWAYSHOTCAFE\Alice
BadPwdCountFamiliar    : 15
BadPwdCountUnknown     : 0
LastFailedAuthFamiliar : 8/12/2020 4:43:17 PM
LastFailedAuthUnknown  : 1/1/0001 12:00:00 AM
FamiliarLockout        : True
UnknownLockout         : False
FamiliarIps            : {82.34.148.38}



PS C:\>

4. Unlock ADFS Locked Account

When an account is locked, we unlock it per location: familiar or unknown. Note that only one location can be passed at a time; if both need unlocking, run the cmdlet once for each location. Before unlocking the unknown location, consider that this reopens the door to whatever source caused the lockout; the user can usually keep working from familiar IPs in the meantime.

# Unlock Familiar locations
PS C:\> Reset-AdfsAccountLockout alice@alwayshotcafe.com -Location familiar

# Unlock Unknown locations
PS C:\> Reset-AdfsAccountLockout alice@alwayshotcafe.com -Location unknown

# Check if account is unlocked
PS C:\> Get-AdfsAccountActivity alice@alwayshotcafe.com


Identifier             : ALWAYSHOTCAFE\Alice
BadPwdCountFamiliar    : 0
BadPwdCountUnknown     : 0
LastFailedAuthFamiliar : 8/12/2020 4:43:17 PM
LastFailedAuthUnknown  : 1/1/0001 12:00:00 AM
FamiliarLockout        : False
UnknownLockout         : False
FamiliarIps            : {82.34.148.38}



PS C:\>
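Checking and unlocking one user at a time is fine for a single ticket, but during a password spray you want to see the state of many accounts and unlock only what is actually locked. The script below is an added example and not part of the original post: it triages a list of users with Get-AdfsAccountActivity, tells familiar-location lockouts (which need a word with the user) apart from unknown-location ones (which the user typically does not notice), and unlocks per location, one call per location as the cmdlet requires. It assumes it runs as an ADFS admin on a farm node; the user list is constructed for the example and the function names Get-AdfsLockoutReport and Unlock-AdfsAccountLocations are made up here.

```powershell
# Added example: triage Smart Lockout state for several users and unlock per location.
Import-Module ADFS

function Get-AdfsLockoutReport {
    param([string[]] $Identities)
    foreach ($id in $Identities) {
        try {
            $a = Get-AdfsAccountActivity -Identity $id
        }
        catch {
            Write-Warning "No account activity for ${id}: $($_.Exception.Message)"
            continue
        }
        # Failures from unknown IPs only: the user can still sign in from familiar IPs, so leave it locked
        # and treat it as password guessing. Failures from a familiar IP: the user, a shared egress NAT or a
        # compromised familiar host is sending bad passwords; verify with the user before unlocking.
        $assessment = if ($a.FamiliarLockout) { 'familiar-locked: verify with user before unlock' }
                      elseif ($a.UnknownLockout) { 'unknown-locked: likely guessing attack, user unaffected from familiar IPs' }
                      else { 'not locked' }
        [pscustomobject]@{
            Identity        = $id
            FamiliarLockout = $a.FamiliarLockout
            UnknownLockout  = $a.UnknownLockout
            BadPwdFamiliar  = $a.BadPwdCountFamiliar
            BadPwdUnknown   = $a.BadPwdCountUnknown
            LastFailUnknown = $a.LastFailedAuthUnknown
            FamiliarIps     = ($a.FamiliarIps -join ', ')
            Assessment      = $assessment
        }
    }
}

function Unlock-AdfsAccountLocations {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $IncludeUnknown
    )
    $a = Get-AdfsAccountActivity -Identity $Identity
    if ($a.FamiliarLockout) {
        # Reset-AdfsAccountLockout accepts exactly one -Location per call.
        Reset-AdfsAccountLockout -Identity $Identity -Location Familiar
        Write-Host "Unlocked familiar location for $Identity"
    }
    # Unknown location only on explicit request: unlocking it lets the attacking source try again.
    if ($IncludeUnknown -and $a.UnknownLockout) {
        Reset-AdfsAccountLockout -Identity $Identity -Location Unknown
        Write-Host "Unlocked unknown location for $Identity"
    }
    Get-AdfsAccountActivity -Identity $Identity |
        Select-Object Identifier, FamiliarLockout, UnknownLockout, BadPwdCountFamiliar, BadPwdCountUnknown
}

# Constructed list of users to triage; replace with the accounts from your ticket or alert.
$users = 'alice@alwayshotcafe.com', 'bob@alwayshotcafe.com'
Get-AdfsLockoutReport -Identities $users | Format-Table -AutoSize

# Unlock only Alice's familiar location after confirming with her; add -IncludeUnknown to also clear the unknown one.
Unlock-AdfsAccountLocations -Identity 'alice@alwayshotcafe.com'
```

Unknown-location lockouts across many users within a short window are the signature of a password spray; keep them locked, pull the source addresses from the ADFS audit events, and block them at the Web Application Proxy or firewall rather than unlocking.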

Comments

  1. Anthony says

    May 21, 2021 at 14:01

    I get an error saying Update-AdfsArtifactDatabase is not a valid PowerShell command. Any hints on how to get that working, or what permission I need to give the service account on that database if I go the manual route instead? Thanks.

    • Zsolt Agoston says

      May 23, 2021 at 11:04

      Hi, if the Update-AdfsArtifactDatabasePermission cmdlet is not available on your ADFS server, please make sure the operating system is fully updated. The ADFS PowerShell module should contain the cmdlet; it is imported automatically when the command is run.

      So Windows button/Settings/Update and go for it :)!
