1
Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features
Mike Resnick and Joe Vasil
Directory Services Support, Microsoft Corporation
2
Agenda
  • Understand the security threats being faced and
    the costs
  • Password and account lockout policy settings
  • Security, password, and account lockout
    recommendations
  • Authentication behavior
  • New features in Service Pack 4 and Microsoft
    Windows Server 2003
  • Procedures to troubleshoot account lockout events
  • Tools to use

3
Passwords Are the Keys to the Kingdom: Threats
  • Dictionary attacks
  • Brute force attacks
  • Users' lack of secure practices
  • Administrators' lack of secure practices

4
Passwords Are the Keys to the Kingdom: Risk Assessment
  • Password length and possible permutations
    • 6 characters: 689,869,781,056
    • 7 characters: 64,847,759,419,264
    • 8 characters: 6,095,689,385,410,816
    • 9 characters: 572,994,802,228,616,704
    • 10 characters: 53,861,511,409,489,970,176
  • Given a 60-day password expiry and a 7-character password, finding the password would require about 7,407,407 logon attempts per second
  • Play the lottery; the odds are much better

5
Password Settings: Password Filter
  • Used to enforce password complexity in the domain
  • Password filtering is built into Windows 2000
    Server and Windows Server 2003
  • By default it is disabled, but can be enabled
    through GPO
  • Microsoft Windows NT 4.0 required Passfilt.dll
    and a registry change
  • 161990, How to Enable Strong Password
    Functionality in Windows NT

6
Password Settings: Other Password Settings
  • Password history
  • Minimum length
  • Maximum password age
  • Minimum password age

7
Account Lockout Settings: LockoutThreshold
  • Account lockout threshold (lockoutthreshold)

8
Account Lockout Settings: Other Account Settings
  • Reset account lockout counter after
    (ObservationWindow)
  • Account lockout duration (Lockoutduration)

9
Correct Setting for Invalid Logon Attempts
  • The goal is to balance the need to prevent account cracking against the need to allow room for users mistyping passwords and for typical authentication processes that may send credentials more than once per logon attempt:
    • Microsoft Exchange client
    • Windows 2000 DS/DFS client
    • A Kerberos failure may fall back to NTLM and register two failed logon attempts
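As an added worked example (not part of the slides), the following Python puts numbers on slides 4 and 7–9: the 94-character keyspace behind the permutation table, the guess rate needed to exhaust it inside one password lifetime, how many online guesses a lockout policy leaves room for across that lifetime, and how many mistypes a user gets when a Kerberos fallback to NTLM double-counts failures. The policy values passed in are illustrative, not the slides' recommendations; the slide's 7,407,407 attempts/s figure is quoted without derivation, and the plain exhaustive-search rate computed here is higher.

```python
from math import ceil

def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` characters. The slide's table is
    charset_size=94: 26 upper, 26 lower, 10 digits and 32 punctuation characters."""
    return charset_size ** length

def rate_to_exhaust(charset_size, length, max_password_age_days):
    """Guesses per second needed to try the whole keyspace before the password expires
    (worst case for the guesser: the real password is the last one tried)."""
    return keyspace(charset_size, length) / (max_password_age_days * 86400)

def silent_guesses(threshold, observation_window_min, max_password_age_days):
    """Online guesses possible in one password lifetime without ever locking the account.
    BadPwdCount resets after the observation window, so threshold-1 failures per window
    never reach the lockout threshold and never produce event 644 (User Account Locked Out).
    This is the bound a lockout policy actually enforces; the keyspace does the rest."""
    windows = max_password_age_days * 24 * 60 / observation_window_min
    return int((threshold - 1) * windows)

def mistypes_tolerated(threshold, failures_per_attempt=1):
    """Wrong passwords a real user may type before lockout. Slide 9's case is
    failures_per_attempt=2: a Kerberos failure that falls back to NTLM is counted twice."""
    return ceil(threshold / failures_per_attempt) - 1

def coverage(threshold, observation_window_min, max_password_age_days, charset_size, length):
    """Fraction of the keyspace a lockout-avoiding online guesser can cover in one lifetime."""
    guesses = silent_guesses(threshold, observation_window_min, max_password_age_days)
    return guesses / keyspace(charset_size, length)

if __name__ == "__main__":
    for n in range(6, 11):
        print(f"{n} characters: {keyspace(94, n):,}")
    print(f"{rate_to_exhaust(94, 7, 60):,.0f} guesses/s exhaust 7 characters in 60 days")
    # Illustrative policy: threshold 10, 30-minute observation window, 60-day password age
    print(f"{silent_guesses(10, 30, 60):,} lockout-free guesses per password lifetime")
    print(f"{mistypes_tolerated(10, 2)} mistypes tolerated when NTLM fallback double-counts")
```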

10
Recommended Account Lockout and Password Policy Settings
11
Protect Yourself from External Account Lockout Denial of Service Attacks
  • Complex passwords
  • Rename the administrator account
  • Protect your environment with firewalls
  • Prevent anonymous access
  • Protect site-to-site traffic with a VPN tunnel
  • Protect authentication and NetBIOS ports from
    Internet attack with IPSEC
  • Protect authentication and NetBIOS ports from
    internal attack with IPSEC to trusted machines
  • Update server

12
Authentication Behavioral Changes
  • Password verification
  • Urgent replication triggers
  • Windows 2000 service packs and hotfixes
  • Forthcoming SP4 and Microsoft .NET updates

13
Password Verification
  • If a non-PDC emulator DC fails the logon with any of the following status codes, the request is then chained to the PDC emulator:
    • STATUS_WRONG_PASSWORD
    • STATUS_PASSWORD_EXPIRED
    • STATUS_PASSWORD_MUST_CHANGE
    • STATUS_ACCOUNT_LOCKED_OUT
  • If the PDC emulator also rejects the bad password, both the authenticating domain controller (DC) and the PDC emulator increment BadPwdCount on that user's object

14
NTLM Domain Authentication Chaining
Diagram: Client -> File Server -> Domain Controller -> PDC Emulator; the first two hops are labelled NTLM, the last CHAINED NTLM.
15
Kerberos Authentication Chaining
Diagram: Client -> Domain Controller (labelled KERBEROS) -> PDC Emulator (labelled CHAINED KERBEROS); the File Server is also shown.
16
Urgent Replication Triggers
  • Urgent replication is triggered by:
    • Unlocking the account
    • Manually setting password expiration on a user account
    • Resetting the account password
  • Attributes that affect the user logon process:
    • LockoutTime
    • PwdLastSet

17
Kerberos Negative Caching with SP2
  • Reduces the number of logon requests handled on the PDC
  • When the account lockout threshold is reached on an authenticating DC, the account is locked out on that DC, but not on the PDC
  • With Windows 2000 SP1 and SP3, bad passwords are chained to the PDC emulator
  • BadPwdCount on the authenticating DC and on the PDC is incremented for each bad password

18
Forthcoming SP4 and .NET Updates
  • RunAs Security Audit: rogue client application/user traceability
  • Auditing improvements: determine which process on a computer is locking out an account
    • Not in SP4, but SP5 should have this feature
  • Acctinfo.dll: adds the ability to change the password for the user account and the computer account on the DC in the site of the user's computer

19
Forthcoming SP4 and .NET Updates (2)
  • On-demand replication: replicates a single user object from the PDC immediately after the retried authentication attempt on the PDC succeeds
  • N-2: the last two passwords will be denied access, but the DCs will not increment their BadPwdCount for that user
  • New DSclient included with Windows Server 2003 for Windows 98 and Windows 95 clients
    • 323466, Availability of the Directory Services Client Update for Windows 95

20
Common Causes of Account Lockout
  • Bad password threshold set too low
  • Multiple interactive logons
  • OWA, Outlook, and Exchange
  • IIS
    • Using authenticated Web pages
  • Service accounts
  • Disconnected Terminal Server sessions
  • Scheduled Tasks
    • Statically configured with wrong credentials
  • Persistent drives mapped with wrong credentials

21
Troubleshooting Account Lockouts
  • Apply service pack and hotfix updates
  • Enable auditing
  • Enable Netlogon logging
  • Enable Kerberos logging (may be optional)
  • Gather and analyze log files

22
1. Windows 2000 Service Packs and Hotfixes
  • Account lockout related issues resolved in SP3
  • It is highly recommended that Service Pack 3 be
    installed on all Windows 2000 computers (DCs,
    member servers, workstations) involved in account
    lockouts
  • If you cannot install SP3, install the fix in
    article 327784, Windows 2000 Server May Hang
    After a Local Backup Completes

23
2. Auditing
  • If service packs and updates do not resolve the account lockouts, audit logs are required
  • Enable auditing at the domain level for:
    • Account Logon Events: Failure
    • Account Management: Success
    • Logon Events: Failure

24
3. Netlogon Logging
  • Enable Netlogon logging and use it in conjunction with auditing, even in a Windows 2000 domain with Windows 2000 clients
  • Enable Netlogon logging on the PDC and the replica DCs involved in user authentication
  • Use the SET L command or LockoutStatus.exe to find the authenticating DC involved in the user's authentication
  • Enable Netlogon logging on all DCs in smaller enterprises (fewer than 10 DCs)
  • To enable Netlogon logging, type nltest /dbflag:0x2000ffff

25
4. Kerberos Logging
  • Client-side logging
  • Can be enabled using a computer startup script
  • Useful only if an actual Kerberos problem exists
  • To enable, see 262177, HOW TO: Enable Kerberos Event Logging

26
5. Gathering and Analyzing Log Files
  • Use EventCombMT.exe to collect the security and system event logs (.evt format) from the PDC, the authenticating DC, and the client computers that the user logs on to
  • Run LockoutStatus.exe against the locked-out user account to find which DCs are involved in the lockout
  • Gather the Netlogon.log files from the PDC and the other DCs involved in the account lockout
  • Use Nlparse.exe to parse the Netlogon logs for the account lockout related events: 0xC000006A and 0xC0000234

27
Netlogon Parsing
  • Output from three computers: the PDC (DC002), the authenticating DC (DC003), and the member server (MEMSERVER01)

28
From PDC Emulator (DC002) Netlogon Log
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC0000234
29
From Authenticating DC (DC003) Netlogon Log
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC0000234
30
From Member Server (MEMSERVER01) Netlogon Log
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC0000234
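To show what Nlparse-style parsing of these three excerpts yields, here is an added Python example (not one of the slides' tools) that parses the slides' abbreviated Netlogon line form, counts 0xC000006A and 0xC0000234 per account, reports the peak number of bad passwords within one second, and orders the servers into the authentication chain from the "(via ...)" fields, answering the questions slide 42 asks. The log text is transcribed from slides 28–30; real Netlogon.log lines carry extra fields (such as the [LOGON] tag) that the regex here does not expect.

```python
import re
from collections import Counter
WRONG_PASSWORD, ACCOUNT_LOCKED_OUT = "0xC000006A", "0xC0000234"
# Constructed sample transcribed from the slides (PDC emulator DC002, authenticating DC
# DC003, member server MEMSERVER01) in the slides' abbreviated Netlogon.log line form.
NETLOGON_LOGS = {"DC002": r"""
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC0000234
""", "DC003": r"""
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC0000234
""", "MEMSERVER01": r"""
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC0000234
"""}
# "<day> <time> [Transitive ]Network logon <domain>\<user> <workstation> [(via <hop>)] <status>"
LINE_RE = re.compile(r"^(\S+) (\d\d:\d\d:\d\d) (.*?logon) (\S+) (\S+)(?: \(via (\S+)\))? (0x[0-9A-F]{8})$")
FIELDS = ("day", "time", "kind", "account", "workstation", "via", "status")

def parse_netlogon(text):
    """One dict per line in the abbreviated format; lines that do not match are skipped."""
    return [dict(zip(FIELDS, m.groups())) for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(records, account):
    """Slide 42's checklist for one account: bad-password count, lockouts logged, peak bad
    passwords within one second (a burst points at a process, not a typing user), sources."""
    recs = [r for r in records if r["account"] == account]
    bursts = Counter(r["time"] for r in recs if r["status"] == WRONG_PASSWORD)
    return {"bad_passwords": sum(bursts.values()),
            "lockouts": sum(r["status"] == ACCOUNT_LOCKED_OUT for r in recs),
            "peak_per_second": max(bursts.values(), default=0),
            "workstations": sorted({r["workstation"] for r in recs}),
            "forwarded_via": sorted({r["via"] for r in recs if r["via"]})}

def authentication_chain(logs):
    """Order servers by who forwarded to whom: a log with no '(via X)' took the request
    straight from the client; '(via X)' means X forwarded it here. Hops end at the PDC."""
    forwarded_to, first = {}, None
    for server, text in logs.items():
        vias = {r["via"] for r in parse_netlogon(text)}
        if vias == {None}:
            first = server
        forwarded_to.update((v, server) for v in vias if v)
    chain = [first]
    while chain[-1] in forwarded_to:
        chain.append(forwarded_to[chain[-1]])
    return chain
```

For the sample, the chain comes out as MEMSERVER01 -> DC003 -> DC002, and the PDC shows five bad passwords for User1 inside the same second before the 0xC0000234 entry, the burst pattern slide 42 asks about.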
31
Reading Domain Controller Audit Logs
  • Event 675: Pre-authentication failure
    • Shows the IP address of the client computer from which the wrong credentials were sent
  • Event 644: User Account Locked Out (account management event)
    • Appears only if Account Management success auditing is enabled

32
Reading Domain Controller Audit Logs (2)
Example of event 675 in the security event log from the PDC emulator:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/5/2001
Time: 5:47:26 PM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description:
Pre-authentication failed:
  User Name: Myuser
  User ID: S-1-5-21-4235101579-1759906425-16398432-1114
  Service Name: krbtgt/TAILSPINTOYS.COM
  Pre-Authentication Type: 0x2
  Failure Code: 0x18
  Client Address: 169.16.1.85
33
Reading Domain Controller Audit Logs (3)
In this example, Failure Code 0x18 means the pre-authentication information was invalid (wrong user name or password).
Example of event 644 (the user account actually being locked out on the DC):
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 12/5/2001
Time: 5:47:26 PM
User: Everyone
Computer: MYcomputer
Description:
User Account Locked Out:
  Target Account Name: Myuser
  Target Account ID: S-1-5-21-4235101579-1759906425-16398432-1114
  Caller Machine Name: Mycomputer
  Caller User Name: Mycomputer
  Caller Domain: TAILSPINTOYS
  Caller Logon ID: (0x0,0x3E7)
34
Reading Client-side Audit Logs
  • Event 529: Unknown user name or bad password
  • Look for patterns
  • Look for the logon type
  • Look for the logon process

35
Example of Event 529
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/21/2001
Time: 2:05:20 PM
User: NT AUTHORITY\SYSTEM
Computer: SALTSHAKER
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: user66
  Domain: TAILSPINTOYS
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SALTSHAKER
36
Reading Client-side Audit Logs (2)
  • Event 531: Account currently disabled
  • Indicates on the client that the account is locked out

37
Event 531 of the Account Being Disabled
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/21/2001
Time: 2:05:21 PM
User: NT AUTHORITY\SYSTEM
Computer: SALTSHAKER
Description:
Logon Failure:
  Reason: Account currently disabled
  User Name: user66
  Domain: TAILSPINTOYS
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
38
Logon Types
39
Logon Process
40
Kerberos Events
  • Event ID 4
    • Appears only on computers that have Kerberos logging enabled
    • 262177, HOW TO: Enable Kerberos Event Logging
  • Pre-authentication failures
  • Account getting locked out

41
Kerberos Event of User Account Getting Locked Out
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/21/2001
Time: 2:05:21 PM
User: N/A
Computer: SALTSHAKER
Description:
The function LogonUser received a Kerberos Error Message:
  on logon session TAILSPINTOYS\user66
  Client Time:
  Server Time: 19521.0000 12/21/2001 (null)
  Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
  Client Realm:
  Client Name:
  Server Realm: TAILSPINTOYS.COM
  Server Name: krbtgt/TAILSPINTOYS.COM
  Target Name: krbtgt/TAILSPINTOYS@TAILSPINTOYS
  Error Text:
  File:
  Line:
  Error Data is in record data.
42
Questions to Keep in Mind
  • Do the logon attempts occur seconds apart or are
    there many 0xC000006A events within the same
    second?
  • What computers are the 0xC000006A events coming
    from?
  • What client computers are appearing in the
    Netlogon logs?
  • What server are the clients getting bad passwords
    against?
  • What accounts are getting 0xC000006A?
  • What pattern is getting 0xC000006A and lockouts?

43
Account Lockout Tools
  • LockoutStatus.exe
  • ALockout.dll
  • ALOinfo.exe
  • Acctinfo.dll
  • NLParse
  • EventCombMT
  • FindStr
  • Replmon and Repadmin
  • Network Monitor

44
LockoutStatus.exe
  • Displays multiple facets of a locked out account
  • Assists in finding the computers involved in the
    authentication chain

45
LockoutStatus.exe (2)
46
Alockout.dll
  • The tool attaches itself to various APIs that
    make calls to LogonUser and then dumps
    information about what is making those calls into
    a text file named Alockout.txt in winnt\debug

47
Aloinfo.exe
  • Aloinfo.exe can be used to dump all user account
    names along with their password age
  • This will allow proactive setup with the
    Alockout.dll logging

48
Acctinfo.dll
  • Acctinfo.dll is used to add new property pages to user objects in Active Directory Users and Computers to help isolate or troubleshoot account lockouts and to change a user's password on a DC in that user's site

49
Acctinfo.dll (2)
50
Acctinfo.dll (3)
51
Acctinfo.dll (4)
52
EventCombMT
  • A multithreaded tool used to gather specific
    events from event logs of several different
    computers from one central location
  • Includes a built-in search for an account lockout
    that is already preconfigured to include events
    529, 644, 675, 676, and 681

53
EventCombMT (2)
54
Nlparse
  • Used to parse Netlogon logs for specific Netlogon
    return status codes
  • The output dumps to a CSV file that can be opened
    with Excel and sorted further if you need to
  • The return codes specific to account lockouts are
    0xC000006A and 0xC0000234

55
Nlparse (2)
56
Findstr
  • A command-line tool built into Windows 2000 that can be used to parse several Netlogon.log files at once
  • Put all Netlogon.log files in one directory and run the following command:
  • FindStr /I User1 netlogon.log > c:\user1.txt

57
Replmon and Repadmin
  • If Active Directory replication has not already been verified, Repadmin /showreps and Replmon can be used to verify that proper Active Directory replication is occurring

58
Network Monitor Trace
  • If the account lockout is process or application related and an account is already locked out on a specific client computer, gather network traces of all traffic to and from that client computer while the account is still locked out
  • The application or process will probably continue sending bad credentials while trying to access resources on the network
  • If you have found the specific computer, but the user account is not yet locked out, keep running Network Monitor until that user's next lockout occurs, and then compare the new lockout event in the Netlogon logs or security logs with the data captured in the trace by comparing the time stamps of events and frames

59
Additional Resources
  • Security
    • 320053, HOW TO: Rename the Administrator and Guest Account in Windows 2000
    • 246261, How to Use the RestrictAnonymous Registry Value in Windows 2000
  • Directory Replication over Firewalls
    • 813878, How to Block Specific Network Protocols and Ports by Using IPSec

60
Additional Resources (2)
  • Forceunlocklogon
    • 329885, Cannot Unlock Workstation with ForceUnlockLogon and Expired Password
    • 281250, Information About Unlocking a Workstation
    • 188700, Screensaver Password Works Even if Account Is Locked Out
  • Password filter
    • 274613, Passfilt.dll Does Not Enforce Minimum Password Length of 6 Characters

61
Additional Resources (3)
  • Authentication
    • 219898, How the Bad Password Count Is Incremented in Windows NT
    • 232690, Urgent Replication Triggers in Windows 2000
    • 306131, Kerberos Negative Caching Causes Logon to Not Be Retried on PDC
    • 272065, Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers
  • Logging information
    • 262177, HOW TO: Enable Kerberos Event Logging

62
Additional Resources (4)
  • Known issues for Windows 2000 Server and client
    • 264678, Increased Account Lockout Frequency in Windows 2000
    • 287639, Client Cannot Log On Even If the Account Is Unlocked on the PDC
    • 278299, Reset Locked-Out Account Is Locked Out with One Bad Password
    • 292573, ADSI SetPassword Call Does Not Always Set the Password on Target
    • 263821, Account Lockout Because BadPwdCount Not Reset to 0
    • 294811, Password Expiration Message After You Change Your Password
    • 306133, Account Unlocks and Manual Password Expirations Not Replicated
    • 303290, Drive Mapping for Home Folder Overwrites Local Drive after SP2

63
Additional Resources (5)
  • Known issues with other applications
    • 163576, XGEN: Changing the RPC Binding Order
    • 173658, XWEB: Mailbox Access via OWA Depends on IIS Token Cache
    • 328867, XADM: MSN Messenger May Cause Domain Account Lockout After a Password Change

64
Additional Resources (6)
  • Call PSS for the following hotfix
    • New DS client for Windows 98 and Windows 95
    • 323466, INFO: Availability of the Directory Services Client Update for Windows 95 and Windows 98

65
Thank you for joining today's Microsoft Support WebCast.
For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit http://support.microsoft.com/webcasts/
Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.