Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features Mike Re - PowerPoint PPT Presentation

Loading...

PPT – Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features Mike Re PowerPoint presentation | free to view - id: 13c02a-YTA0M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features Mike Re

Description:

Microsoft Windows 2000 Server and Windows Server 2003: ... Brute force attacks. Users' lack of secure practices. Administrators' lack of secure practices ... – PowerPoint PPT presentation

Number of Views:387
Avg rating:3.0/5.0
Slides: 66
Provided by: MicrosoftC
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features Mike Re


1
Microsoft Windows 2000 Server and Windows Server
2003 Password and Account Lockout FeaturesMike
Resnick and Joe VasilDirectory Services
SupportMicrosoft Corporation
2
Agenda
  • Understand the security threats being faced and
    the costs
  • Password and account lockout policy settings
  • Security, password, and account lockout
    recommendations
  • Authentication behavior
  • New features in Service Pack 4 and Microsoft
    Windows Server 2003
  • Procedures to troubleshoot account lockout events
  • Tools to use

3
Passwords Are the Keys to the Kingdom Threats
  • Dictionary attacks
  • Brute force attacks
  • Users lack of secure practices
  • Administrators lack of secure practices

4
Passwords Are the Keys to the Kingdom Risk
Assessment
  • Password length and possible permutations
  • 6 characters 689,869,781,056
  • 7 characters 64,847,759,419,264
  • 8 characters 6,095,689,385,410,816
  • 9 characters 572,994,802,228,616,704
  • 10 characters 53,861,511,409,489,970,176
  • Given a 60 day password expiry date and a
    password of 7 characters, it would require about
    7,407,407 logon attempts per second to find the
    password
  • Play the lottery, the odds are much better

5
Password Settings Password Filter
  • Used to enforce password complexity in the domain
  • Password filtering is built into Windows 2000
    Server and Windows Server 2003
  • By default it is disabled, but can be enabled
    through GPO
  • Microsoft Windows NT 4.0 required Passfilt.dll
    and a registry change
  • 161990, How to Enable Strong Password
    Functionality in Windows NT

6
Password Settings Other Password Settings
  • Password history
  • Minimum length
  • Maximum password age
  • Minimum password age

7
Account Lockout Settings LockoutThreshold
  • Account lockout threshold (lockoutthreshold)

8
Account Lockout Settings Other Account Settings
  • Reset account lockout counter after
    (ObservationWindow)
  • Account lockout duration (Lockoutduration)

9
Correct Setting for Invalid Logon Attempts
  • The goal is to balance the need to prevent
    account cracking versus the need to allow room
    for users mistyping passwords and typical
    authentication processes that may send
    credentials more than once per logon attempt
  • Microsoft Exchange client
  • Windows 2000 DS/DFS client
  • Kerberos failure may fall back to NTLM and
    register two failed logon attempts

10
Recommended Account Lockout and Password Policy
Settings
11
Protect Yourself from External Account Lockout
Denial of Service Attacks
  • Complex passwords
  • Rename the administrator account
  • Protect your environment with firewalls
  • Prevent anonymous access
  • Protect site-to-site traffic with a VPN tunnel
  • Protect authentication and NetBIOS ports from
    Internet attack with IPSEC
  • Protect authentication and NetBIOS ports from
    internal attack with IPSEC to trusted machines
  • Update server

12
Authentication Behavioral Changes
  • Password verification
  • Urgent replication triggers
  • Windows 2000 service packs and hotfixes
  • Forthcoming SP4 and Microsoft .NET updates

13
Password Verification
  • Non-PDC emulator fails with any of the following,
    and the request is then changed to the PDC
    emulator
  • STATUS_WRONG_PASSWORD STATUS_PASSWORD_EXPIRED
    STATUS_PASSWORD_MUST_CHANGE STATUS_ACCOUNT_LOCKED_
    OUT
  • If the PDC emulator rejects the bad password,
    then both the authenticating domain controller
    (DC) and the PDC emulator will increment the
    BadPWD for that users object

14
NTLM Domain Authentication Chaining
DOMAIN Controller
PDC Emulator
File Server
CHAINED NTLM
NTML
NTLM
CLIENT
15
Kerberos Authentication Chaining
File Server
Domain Controller
PDC Emulator
CHAINED KERBEROS
KERBEROS
Client
16
Urgent Replication Triggers
  • Urgent replication is triggered by
  • Unlocking the account
  • Manually setting password expiration on a user
    account
  • Resetting the account password
  • Attributes that affect the user logon process
  • LockoutTime
  • PwdLastSet

17
Kerberos Negative Caching with SP2
  • Reduce the number of logon requests handled on
    the PDC
  • When the account lockout threshold is reached on
    an authenticating DC, the account is locked out
    on that DC, but not on the PDC
  • With Windows 2000 SP1 and SP3, bad passwords are
    chained to the PDC emulator
  • Badpwdcount on Authenticating DC and PDC is
    incremented for each bad password

18
Forthcoming SP4 and .NET Updates
  • RunAs Security Audit rogue client
    application/user traceability
  • Auditing improvements determine which process on
    a computer is locking out an account
  • Not in SP4, but SP 5 should have this feature
  • Acctinfo.dll add ability to change password for
    the user account and computer account on the DC
    in the users computers site

19
Forthcoming SP4 and .NET Updates (2)
  • On-demand replication replicate single user
    object from PDC immediately after the retried
    authentication attempt on the PDC succeeds
  • N-2 last two passwords will be denied access,
    but the DCs will not increment their BadPwdCount
    for that user
  • New DSclient included with Windows Server 2003
    for Windows 98 and Windows 95 clients
  • 323466, Availability of the Directory Services
    Client Update for Windows 95

20
Common Causes of Account Lockout
  • Bad password threshold set too low
  • Multiple interactive logons
  • OWA, Outlook, and Exchange
  • IIS
  • Using authenticated Web pages
  • Service accounts
  • Disconnected Terminal Server Sessions
  • Scheduled Tasks
  • Statically configured with wrong credentials
  • Persistent drives mapped with wrong credentials

21
Troubleshooting Account Lockouts
  • Apply service pack and hotfix updates
  • Enable auditing
  • Enable Netlogon logging
  • Enable Kerberos logging (may be optional)
  • Gather and analyze log files

22
1. Windows 2000 Service Packs and Hotfixes
  • Account lockout related issues resolved in SP3
  • It is highly recommended that Service Pack 3 be
    installed on all Windows 2000 computers (DCs,
    member servers, workstations) involved in account
    lockouts
  • If you cannot install SP3, install the fix in
    article 327784, Windows 2000 Server May Hang
    After a Local Backup Completes

23
2. Auditing
  • If service packs and updates do not resolve
    account lockouts, then audit logs are required
  • Enable auditing at the domain level for
  • Account Logon Events Failure
  • Account Management Success
  • Logon Events Failure

24
3. Netlogon Logging
  • Enable Netlogon logging and use it in conjunction
    with auditing, even in a Windows 2000 domain with
    Windows 2000 clients
  • Enable Netlogon logging on the PDC and replica
    DCs involved in user authentication
  • Use the Set L command or LockoutStatus.exe to
    find the authenticating DC involved in the users
    authentication
  • Enable Netlogon logging on all DCs for smaller
    enterprises (less than 10 DCs)
  • To enable Netlogon logging, type nltest
    /dbflag0x2000ffff

25
4. Kerberos Logging
  • Client-side logging
  • Can be enabled using computer startup script
  • Useful only if an actual Kerberos problem exists
  • To enable, see 262177, HOW TO Enable Kerberos
    Event Logging

26
5. Gathering and Analyzing Log Files
  • Use EventCombMT.exe to collect the security and
    system event logs (.evt format) from the PDC,
    authenticating DC, and client computers that user
    logs onto
  • Run Lockoutstatus.exe against locked out user
    account to find which DCs are involved in the
    lockout
  • Gather Netlogon.log files from the PDC and other
    DCs involved in account lockout
  • Use Nlparse.exe to parse Netlogon logs for
    account lockout related events0xC000006A and
    0xC0000234

27
Netlogon Parsing
  • Output from three computers, the PDC DC002, the
    authenticating DC DC003, and the member server
    MEMSERVER01

28
From PDC Emulator (DC002) Netlogon Log
11-Mar 142830 Transitive Network logon
Tailspintoys\User1 Machine-006 (via DC003)
0xC000006A 11-Mar 142830 Transitive Network
logon Tailspintoys\User1 Machine-006 (via DC003)
0xC000006A 11-Mar 142830 Transitive Network
logon Tailspintoys\User1 Machine-006 (via DC003)
0xC000006A 11-Mar 142830 Transitive Network
logon Tailspintoys\User1 Machine-006 (via DC003)
0xC000006A 11-Mar 142830 Transitive Network
logon Tailspintoys\User1 Machine-006 (via DC003)
0xC000006A 11-Mar 142831 Transitive Network
logon Tailspintoys\User1 Machine-006 (via DC003)
0xC0000234
29
From Authentication DC DC003
11-Mar 142830 Transitive Network logon
Tailspintoys\User1 Machine-006 (via MEMSERVER01)
0xC000006A 11-Mar 142830 Transitive Network
logon Tailspintoys\User1 Machine-006 (via
MEMSERVER01) 0xC000006A 11-Mar 142830
Transitive Network logon Tailspintoys\User1
Machine-006 (via MEMSERVER01) 0xC000006A 11-Mar
142830 Transitive Network logon
Tailspintoys\User1 Machine-006 (via MEMSERVER01)
0xC000006A 11-Mar 142831 Transitive Network
logon Tailspintoys\User1 Machine-006 (via
MEMSERVER01) 0xC000006A 11-Mar 142831
Transitive Network logon Tailspintoys\User1
Machine-006 (via MEMSERVER01) 0xC0000234
30
From Member Server MEMSERVER01
11-Mar 142831 Network logon Tailspintoys\User1
Machine-006 0xC000006A 11-Mar 142831 Network
logon Tailspintoys\User1 Machine-006 0xC000006A 11
-Mar 142832 Network logon Tailspintoys\User1 Mac
hine-006 0xC000006A 11-Mar 142832 Network
logon Tailspintoys\User1 Machine-006 0xC000006A 11
-Mar 142832 Network logon Tailspintoys\User1 Mac
hine-006 0xC000006A 11-Mar 142832 Network
logon Tailspintoys\User1 Machine-006 0xC0000234
31
Reading Domain Controller Audit Logs
  • Event 675 Pre-authentication failures
  • Shows IP address of the client computer from
    which the wrong credentials were sent
  • Event 644 User Account Locked Out account
    management event
  • Appears only if account management success
    auditing is enabled

32
Reading Domain Controller Audit Logs (2)
Example of event 675 in security event log from
PDC emulator Event Type Failure Audit Event
Source Security Event Category Account Logon
Event ID 675 Date 12/5/2001
Time 54726 PM User NT AUTHORITY\SYSTEM
Computer MYCOMPUTER Description
Pre-authentication failed User
Name Myuser User ID S-1-5-21-4235101579-17
59906425-16398432-1114 Service
Name krbtgt/TAILSPINTOYS.COM
Pre-Authentication Type 0x2 Failure
Code 0x18 Client Address 169.16.1.85
33
Reading Domain Controller Audit Logs (3)
In this example Failure Code 0x18
Pre-authentication information was invalid or
wrong username or password. Example of event 644
( the user account actually being locked on DC)
Event Type Success Audit Event
Source Security Event Category Account
Management Event ID 644 Date 12/5/2001
Time 54726 PM User Everyone
Computer MYcomputer Description User Account
Locked Out Target Account Name Myuser
Target Account ID S-1-5-21-4235101579-17599064
25-16398432-1114 Caller Machine
Name Mycomputer Caller User Name Mycomputer
Caller Domain TAILSPINTOYS Caller Logon
ID (0x0,0x3E7)
34
Reading Client-side Audit Logs
  • Event 529 Unknown user name and password
  • Look for patterns
  • Look for logon type
  • Look for logon process

35
Example of Event 529
Event Type Failure Audit Event
Source Security Event Category Logon/Logoff
Event ID 529 Date 12/21/2001 Time 20520
PM User NT AUTHORITY\SYSTEM Computer SALTSHAKER
Description Logon Failure Reason Unknown
user name or bad password User Name user66
Domain TAILSPINTOYS Logon Type 2 Logon
Process User32 Authentication
Package Negotiate Workstation Name SALTSHAKER
36
Reading Client-side Audit Logs (2)
  • Event 531 Account currently disabled
  • Shows account locked

37
Event 531 of the Account Being Disabled
Event Type Failure Audit Event
Source Security Event Category Logon/Logoff
Event ID 531 Date 12/21/2001 Time 20521
PM User NT AUTHORITY\SYSTEM Computer SALTSHAKER
Description Logon Failure Reason Account
currently disabled User Name user66
Domain TAILSPINTOYS Logon Type 2 Logon
Process User32 Authentication
Package Negotiate
38
Logon Types
39
Logon Process
40
Kerberos Events
  • Event ID 4
  • Only appears on computers that have Kerberos
    logging enabled
  • 262177, HOW TO Enable Kerberos Event Logging
  • PreAuthentication failures
  • Account getting locked

41
Kerberos Event of User Account Getting Locked Out
Event Type Error Event Source Kerberos Event
Category None Event ID 4 Date 12/21/2001
Time 20521 PM User N/A Computer SALTSHAK
ER Description The function LogonUser received
a Kerberos Error Message on logon session
TAILSPINTOYS \user66 Client Time Server Time
19521.0000 12/21/2001 (null) Error Code 0x12
KDC_ERR_CLIENT_REVOKED Client Realm Client
Name Server Realm TAILSPINTOYS .COM Server
Name krbtgt/TAILSPINTOYS .COM Target Name
krbtgt/TAILSPINTOYS _at_TAILSPINTOYS Error Text
File Line Error Data is in record data.
42
Questions to Keep in Mind
  • Do the logon attempts occur seconds apart or are
    there many 0xC000006A events within the same
    second?
  • What computers are the 0xC000006A events coming
    from?
  • What client computers are appearing in the
    Netlogon logs?
  • What server are the clients getting bad passwords
    against?
  • What accounts are getting 0xC000006A?
  • What pattern is getting 0xC000006A and lockouts?

43
Account Lockout Tools
  • LockoutStatus.exe
  • ALockout.dll
  • ALOinfo.exe
  • Acctinfo.dll
  • NLParse
  • EventCombMT
  • FindStr
  • Replmon Repadmin
  • Network Monitor

44
LockoutStatus.exe
  • Displays multiple facets of a locked out account
  • Assists in finding the computers involved in the
    authentication chain

45
LockoutStatus.exe (2)
46
Alockout.dll
  • The tool attaches itself to various APIs that
    make calls to LogonUser and then dumps
    information about what is making those calls into
    a text file named Alockout.txt in winnt\debug

47
Aloinfo.exe
  • Aloinfo.exe can be used to dump all user account
    names along with their password age
  • This will allow proactive setup with the
    Alockout.dll logging

48
Acctinfo.dll
  • AcctinfoFO.dll is used to add new property pages
    to user objects in Active Directory users and
    computers to help isolate or troubleshoot account
    lockouts and to change a users password on a DC
    in that users site

49
Acctinfo.dll (2)
50
Acctinfo.dll (3)
51
Acctinfo.dll (4)
52
EventCombMT
  • A multithreaded tool used to gather specific
    events from event logs of several different
    computers from one central location
  • Includes a built-in search for an account lockout
    that is already preconfigured to include events
    529, 644, 675, 676, and 681

53
EventCombMT (2)
54
Nlparse
  • Used to parse Netlogon logs for specific Netlogon
    return status codes
  • The output dumps to a CSV file that can be opened
    with Excel and sorted further if you need to
  • The return codes specific to account lockouts are
    0xC000006A and 0xC0000234

55
Nlparse (2)
56
Findstr
  • A command-line tool built into Windows 2000 that
    can be used to parse several Netlogon.log files
    at once
  • Put all Netlogon.log files in one directory and
    run the following command
  • FindStr /I User1 netlogon.log gtc\user1.txt

57
Replmon and Repadmin
  • If Active Directory replication has not already
    been verified, Repadmin /showreps and Replmon can
    be used to verify proper Active Directory
    replication is occuring

58
Network Monitor Trace
  • If the account lockout is process or application
    related and an account is already locked out on a
    specific client computer, gather network traces
    of all traffic to and from that client computer
    while the account is still locked out
  • The application or process will probably continue
    sending bad credentials while trying to access
    resources on the network
  • If you have found the specific computer, but the
    user account is not yet locked out, then keep
    running Network Monitor until that users next
    lockout occurs, and then compare the new lockout
    event in Netlogon logs or security logs with the
    data captured in the trace by comparing time
    stamps of events and frames

59
Additional Resources
  • Security
  • 320053, HOW TO Rename the Administrator and
    Guest Account in Windows 2000
  • 246261, How to Use the RestrictAnonymous
    Registry Value in Windows 2000
  • Directory Replication over Firewalls
  • 813878, How to Block Specific Network Protocols
    and Ports by Using IPSec

60
Additional Resources (2)
  • Forceunlocklogon
  • 329885, Cannot Unlock Workstation with
    ForceUnlockLogon and Expired Password
  • 281250, Information About Unlocking a
    Workstation
  • 188700, Screensaver Password Works Even if
    Account Is Locked Out
  • Password filter
  • 274613, Passfilt.dll Does Not Enforce Minimum
    Password Length of 6 Characters

61
Additional Resources (3)
  • Authentication
  • 219898, How the Bad Password Count Is
    Incremented in Windows NT
  • 232690, Urgent Replication Triggers in Windows
    2000
  • 306131, Kerberos Negative Caching Causes Logon
    to Not Be Retried on PDC
  • 272065, Bad Password Attempts Are Repeatedly
    Forwarded from Domain Controllers
  • Logging information
  • 262177, HOW TO Enable Kerberos Event Logging

62
Additional Resources (4)
  • Known issues for Windows 2000 Server and client
  • 264678, Increased Account Lockout Frequency in
    Windows 2000
  • 287639, Client Cannot Log On Even If the Account
    Is Unlocked on the PDC
  • 278299, Reset Locked-Out Account Is Locked Out
    with One Bad Password
  • 292573, ADSI SetPassword Call Does Not Always
    Set the Password on Target
  • 263821, Account Lockout Because BadPwdCount Not
    Reset to 0
  • 294811, Password Expiration Message After You
    Change Your Password
  • 306133, Account Unlocks and Manual Password
    Expirations Not Replicated
  • 303290, Drive Mapping for Home Folder Overwrites
    Local Drive after SP2

63
Additional Resources (5)
  • Known issues with other applications
  • 163576, XGEN Changing the RPC Binding Order
  • 173658, XWEB Mailbox Access via OWA Depends on
    IIS Token Cache
  • 328867, XADM MSN Messenger May Cause Domain
    Account Lockout After a Password
    Change           

64
Additional Resources (6)
  • Call PSS for the following hotfix
  • New DS client for Windows 98 and Windows 95
  • 323466, INFO Availability of the Directory
    Services Client Update for Windows 95 and Windows
    98

65
  • Thank you for joining todays Microsoft Support
  • WebCast.
  • For information about all upcoming Support
    WebCasts,
  • and access to the archived content (streaming
    media
  • files, PowerPoint slides, and transcripts),
    visit
  • http//support.microsoft.com/webcasts/
  • Your feedback is sincerely appreciated. Please
    send any
  • comments or suggestions about the Support
  • WebCasts to supweb_at_microsoft.com.
About PowerShow.com