On March 22, with its Windows Server 2016’s March 2018 Quality Update (KB4088889), Microsoft did not only address two issues in Active Directory Domain Services, but also introduced a new feature to Active Directory Federation Services (AD FS): Extranet Smart Lock-out.
This feature enhances the Extranet Lock-out feature that has been present in Active Directory Federation Services (AD FS) since Windows Server 2012 R2.
Let’s dive in!
About Extranet Lock-out
In AD FS on Windows Server 2012 R2, Microsoft introduced a security feature called Extranet Lockout. With this feature, AD FS will stop authenticating the malicious user account from outside for a period of time. This prevents your user accounts from being locked out in Active Directory. In addition to protecting your users from an AD account lockout, AD FS extranet lockout also protects against brute force password guessing attacks.
We recommend the following practices when your organization faces attackers and wants to leverage AD FS extranet lock-out:
- Deploy Web Application Proxies or other MS-ADFSPIP-connected devices, to make sure the AD FS Servers, acting as STSs, can distinguish extranet from intranet.
- Deploy the same version Web Application Proxies as the highest version of your AD FS Servers, acting as STSs; Deploy Windows Server 2012 R2-based Web Application Proxies when you only have Windows Server 2012 R2-based AD FS Servers. Deploy Windows Server 2016-based Web Application Proxies when you have one or more Windows Server 2016-based AD FS Servers.
- Configure AD FS Extranet Lock-out with slightly more strict settings, compared to the account lock-out policies defined in Active Directory Domain Services (AD DS). For instance, when your strictest account lock-out policy defines account lock-out after 5 attempts in 30 minutes, configure AD FS extranet lockout after 4 attempts in 30 minutes.
Extranet Smart Lock-out
The above recommended practices, now, need to be expanded with the following recommended practices:
- Deploy Windows Server 2016-based AD FS Servers and Web Application Proxies for additional security measures.
- When deploying Windows Server 2016-based AD FS Servers and Web Application Proxies, make sure the Windows Server version is version 14393.2155, or above.
This way, organization may leverage the functionality of AD FS Extranet Smart Lock-out instead of the previously available AD FS Extranet Lock-out functionality.
Extranet Smart Lock-out differs from Extranet Lock-out in a fundamental way. It enables AD FS to differentiate between sign-in attempts from a valid user and sign-in attempts from a malicious user. Its internal name (“Extranet Lockout with Familiar IPs” basically sets the right tone to explain what it does.
The below image provides an overview of Extranet Lock-out:
Authentication requests from the corporate user are accepted by the Web Application Proxy and passed to the AD FS Server on the internal network. The AD FS Server communicates with the Domain Controller to perform the authentication. When the credentials are correct, the authentication succeeds and the AD FS Server issues a claim token through the Web Application Proxy to the corporate user. When the credentials are incorrect, the account lockout policy in Active Directory Domain Services eventually kicks in (when configured).
However, a malicious user can try and guess passwords for the corporate user’s user account. Without Extranet Smart Lock-out, the attacker would lockout the AD FS authentication for the corporate user. After the time-out had passed, the corporate user could login, unless the attack was ongoing. This represents a denial of service (DoS) scenario.
Extranet Smart Lockout offers automatic whitelisting and blacklisting functionality of IP addresses used to authenticate from to Web Application Proxies and other MS-ADFSPIP-connected devices, like the F5 appliances:
After you apply the 2018-03 Cumulative update for Windows Server 2016 (KB4088889) and restart the server (or at least the AD FS service), your AD FS server will learn IP addresses for your users’ successful authentications and store them in the database. It will store a maximum of 20 external IP addresses per user account in the Artifact store.
This way, within the AD FS Farm, all servers learn the familiar IP addresses for your users’ locations. When users mistype their passwords in these locations, these authentication attempts are stored in the BadPwdCountFamiliar list. When authentication request originate from unfamiliar IP addresses and fail, they will be stored in the BadPwdCountUnknown list. All authentication requests count towards the Extranet Lockout threshold, but users may always authenticate when they authenticate from a familiar outside location (or from an inside location).
Another neat feature of AD FS Extranet Smart Lockout is that admins can blacklist certain IP addresses, effectively banning authentication from these IP addresses farm-wide. This is particularly useful when an attacker uses the same IP address(es) to try to brute-force user passwords. Admins can add up to 100 banned IP addresses.
The other way around also works. When you know the IP address of your friendly neighbor Starbucks store, where your users enjoy their morning coffee while using their favorite (federated) app, you can add this IP address as a familiar IP address, farm-wide.
For added security and end user convenience, enable Smart Account Lock-out for your Active Directory Federation Services (AD FS) farm.