Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
In this part of the series, we look at a new feature of Active Directory Federation Services (AD FS) since Windows Server 2016.
Why look at Extranet Smart Account Lockout
Denial of Service attacks on identity and access systems are commonplace. If you think you're done once you've covered all the bases with account lockout in your on-premises Active Directory Domain Services (AD DS) environment, you're wrong. Hybrid Identity requires more effort.
Attackers may cause Denial of Service through password spraying (trying the same password against many user accounts) and/or brute-force attacks (trying many passwords against one user account). As accounts get locked, end users see errors when they sign in and lose access in the applications they are already signed in to.
In contrast to the Extranet Lockout feature in Active Directory Federation Services (AD FS) on Windows Server 2012 R2, Extranet Smart Account Lockout has a couple of tricks up its sleeve: it counts authentication attempts per IP address. IP addresses from which successful authentications originate are whitelisted; IP addresses from which bad attempts originate are blacklisted. This way, people in your organization are hindered less by lockouts during a Denial of Service (DoS) attack or even a distributed Denial of Service (DDoS) attack. Of course, if your people fat-finger their own passwords, they'll still be locked out.
To configure Smart Account Lockout, make sure to meet the following requirements:
Make sure the AD FS servers are installed with the latest cumulative Windows updates. Several fixes for the Smart Account Lockout feature have been released since its general availability in the June 2018 cumulative update for Windows Server 2016 (KB4284880).
Your organization must have Active Directory Federation Services (AD FS) deployed with Web Application Proxies or another MS-ADFSPIP-enabled front-end server (like an F5 appliance). Extranet lockout is only triggered for authentications that AD FS considers to originate from the extranet, i.e. those arriving via MS-ADFSPIP-enabled front-end servers.
Your AD FS Farm must be configured with auditing enabled.
Additionally, Extranet Smart Lockout requires that Windows Remote Management (WinRM) be enabled on every AD FS server.
Make sure to sign in with an account that has privileges to manage the AD FS Farm.
In case of Windows Internal Database (WID) as the storage method for the AD FS configuration database, sign in with an account that has local administrator privileges on the primary AD FS server.
In case of SQL Server as the storage method for the AD FS Configuration database, make sure the account you use is also a local administrator on the SQL Server.
Who to communicate to
As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications.
How to do it
Coming up with the right values
Make sure Extranet Smart Account Lockout uses lower values for the lockout threshold and observation window than Active Directory lockout does. This way, AD FS blocks extranet authentication for an account before AD DS locks the account itself, so end users can still authenticate from inside the network while their extranet authentication is locked out.
Use the following command-line in a Command Prompt (cmd.exe) window to get the account lockout values for the currently logged in account:
If your organization uses fine-grained password policies, look at their lockout values too, by running the following line of Windows PowerShell:
Get-ADFineGrainedPasswordPolicy -Filter *
For the purpose of this blogpost, we'll use the following values. For outside (extranet) authentication: a lockout threshold of 10 attempts during an observation window of 5 minutes, with a lockout period of 5 minutes. For inside authentication: 5 attempts within 5 minutes, followed by an indefinite lockout (after which the account needs to be unlocked by service desk personnel).
For AD FS Farms using SQL Server
Extranet smart lockout requires the AD FS service account to have permissions to create a new table in the AD FS artifact database. This database is in use when the AD FS farm uses SQL Server instead of the Windows Internal Database. Run the following lines of Windows PowerShell:
$cred = Get-Credential
Update-AdfsArtifactDatabasePermission -Credential $cred
Enabling Extranet Smart Account Lockout
To enable Extranet Smart Account Lockout with the values chosen above, run the following lines of Windows PowerShell to configure the AD FS Farm:
# Threshold and observation window match the extranet values chosen above
# (10 attempts within 5 minutes); both are lower than the AD DS lockout policy.
# -ExtranetLockoutRequirePDC $false lets AD FS count attempts without
# contacting the PDC emulator for every authentication.
Set-AdfsProperties -EnableExtranetLockout $true `
-ExtranetLockoutThreshold 10 -ExtranetObservationWindow `
(New-TimeSpan -Minutes 5) -ExtranetLockoutRequirePDC $false
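As an added check (not part of the original post), the following Windows PowerShell compares the extranet lockout settings now active on the farm with every AD DS lockout policy that could apply, following the rule from "Coming up with the right values": the AD FS threshold and observation window must both be lower. It assumes the ActiveDirectory and ADFS modules are available on the host where it runs (for example the primary AD FS server with RSAT-AD-PowerShell installed).

```powershell
# Added check, not from the original post: verify that AD FS trips before AD DS.
# Assumes the ActiveDirectory and ADFS PowerShell modules are present.
Import-Module ActiveDirectory
Import-Module ADFS

$adfs = Get-AdfsProperties
if (-not $adfs.ExtranetLockoutEnabled) {
    Write-Warning "Extranet lockout is not enabled on this AD FS farm."
}

# Collect the default domain policy plus every fine-grained password policy,
# since a fine-grained policy may apply a different threshold to some users.
$policies = @()
$default = Get-ADDefaultDomainPasswordPolicy
$policies += [pscustomobject]@{
    Name      = 'Default Domain Policy'
    Threshold = $default.LockoutThreshold
    Window    = $default.LockoutObservationWindow
}
foreach ($fgpp in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
    $policies += [pscustomobject]@{
        Name      = $fgpp.Name
        Threshold = $fgpp.LockoutThreshold
        Window    = $fgpp.LockoutObservationWindow
    }
}

# AD FS must lock the extranet first: its threshold and window both have to be
# lower than the AD DS values, otherwise AD DS locks the account (inside and
# outside) before AD FS ever blocks the extranet attempts.
foreach ($p in $policies) {
    if ($p.Threshold -eq 0) {
        # A threshold of 0 means AD DS never locks accounts under this policy.
        Write-Output ("{0}: AD DS lockout disabled (threshold 0); only AD FS protects these accounts" -f $p.Name)
        continue
    }
    $ok = ($adfs.ExtranetLockoutThreshold -lt $p.Threshold) -and
          ($adfs.ExtranetObservationWindow -lt $p.Window)
    $status = if ($ok) { 'OK' } else { 'REVIEW' }
    Write-Output ("{0}: AD FS {1} attempts / {2} vs AD DS {3} attempts / {4} -> {5}" -f
        $p.Name, $adfs.ExtranetLockoutThreshold, $adfs.ExtranetObservationWindow,
        $p.Threshold, $p.Window, $status)
}
```

Any policy reported as REVIEW means accounts under that policy would be locked in AD DS before AD FS blocks the extranet attempts, so inside users would be affected by an extranet attack after all.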
To disable Extranet Smart Account Lockout, run the following lines of Windows PowerShell:
Set-AdfsProperties -EnableExtranetLockout $false
Extranet Smart Account Lockout is one of the best new features in Active Directory Federation Services (AD FS) in Windows Server 2016. Use it to combat Denial of Service (DoS) attacks and distributed Denial of Service (DDoS) attacks against your extranet-facing authentication.