Title: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features
Slide 1: Microsoft Windows 2000 Server and Windows Server 2003 Password and Account Lockout Features
Mike Resnick and Joe Vasil
Directory Services Support
Microsoft Corporation
Slide 2: Agenda
- Understand the security threats being faced and the costs
- Password and account lockout policy settings
- Security, password, and account lockout recommendations
- Authentication behavior
- New features in Service Pack 4 and Microsoft Windows Server 2003
- Procedures to troubleshoot account lockout events
- Tools to use
Slide 3: Passwords Are the Keys to the Kingdom: Threats
- Dictionary attacks
- Brute force attacks
- Users' lack of secure practices
- Administrators' lack of secure practices
Slide 4: Passwords Are the Keys to the Kingdom: Risk Assessment
- Password length and possible permutations (94 printable ASCII characters per position)
  - 6 characters: 689,869,781,056
  - 7 characters: 64,847,759,419,264
  - 8 characters: 6,095,689,385,410,816
  - 9 characters: 572,994,802,228,616,704
  - 10 characters: 53,861,511,409,489,970,176
- Given a 60-day password expiry and a 7-character password, exhausting the keyspace before the password expires would require about 12.5 million logon attempts per second (about 6.25 million per second to find the password on average)
- Play the lottery; the odds are much better
Slide 5: Password Settings: Password Filter
- Used to enforce password complexity in the domain
- Password filtering is built into Windows 2000 Server and Windows Server 2003
- By default it is disabled, but it can be enabled through Group Policy (the "Password must meet complexity requirements" setting)
- Microsoft Windows NT 4.0 required Passfilt.dll and a registry change
  - 161990, How to Enable Strong Password Functionality in Windows NT
Slide 6: Password Settings: Other Password Settings
- Password history
- Minimum length
- Maximum password age
- Minimum password age
Slide 7: Account Lockout Settings: Lockout Threshold
- Account lockout threshold (LockoutThreshold)
Slide 8: Account Lockout Settings: Other Account Settings
- Reset account lockout counter after (ObservationWindow)
- Account lockout duration (LockoutDuration)
Slide 9: Correct Setting for Invalid Logon Attempts
- The goal is to balance the need to prevent account cracking against the need to allow room for users mistyping passwords and for typical authentication processes that may send credentials more than once per logon attempt:
  - Microsoft Exchange client
  - Windows 2000 DS/DFS client
  - A Kerberos failure may fall back to NTLM and register two failed logon attempts
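The keyspace figures on slide 4 and the threshold trade-off on slide 9 fit into one small model. The following is an added example, not from the webcast or from Microsoft: it assumes 94 printable ASCII characters as the alphabet (the value that reproduces the slide's counts), and the policy it runs with (10 bad passwords, 30-minute observation window, 30-minute lockout duration) and the 10,000-word dictionary are assumptions for the demonstration, not the deck's recommended settings.

```python
"""Password keyspace versus online guessing under a lockout policy.

Added example for slides 4 and 9; it is not from the webcast or from
Microsoft. The policy values used in the demo are assumptions, not the
deck's recommended settings.
"""
PRINTABLE_ASCII = 94        # character set that reproduces the counts on slide 4
SECONDS_PER_DAY = 86_400
MINUTES_PER_DAY = 24 * 60


def keyspace(length, charset_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def attempts_per_second_to_exhaust(length, expiry_days, charset_size=PRINTABLE_ASCII):
    """Guess rate needed to try every password before it expires (offline, no lockout)."""
    return keyspace(length, charset_size) / (expiry_days * SECONDS_PER_DAY)


def stealthy_guesses_per_day(threshold, observation_window_minutes):
    """Online guesses per account per day that never trip the lockout.

    badPwdCount resets after `observation_window_minutes` without a bad
    password, so an attacker can make threshold-1 bad guesses, wait out the
    window and repeat. Threshold 0 means lockout is disabled: no cap at all.
    """
    if threshold == 0:
        return float("inf")
    return (threshold - 1) * (MINUTES_PER_DAY / observation_window_minutes)


def noisy_guesses_per_day(threshold, lockout_duration_minutes):
    """Online guesses per account per day if the attacker is willing to lock
    the account every time (a denial of service against the user, slide 11).
    Duration 0 means an administrator must unlock, so only one burst fits.
    """
    if threshold == 0:
        return float("inf")
    if lockout_duration_minutes == 0:
        return float(threshold)
    return threshold * (MINUTES_PER_DAY / lockout_duration_minutes)


def expected_days_to_guess(candidates, guesses_per_day):
    """Expected days to hit a password chosen uniformly from `candidates`
    (on average half of them are tried before the right one)."""
    return (candidates / 2) / guesses_per_day


def summarize(threshold, observation_window_minutes, lockout_duration_minutes,
              dictionary_size=10_000, length=7, expiry_days=60):
    """Put the numbers side by side for one policy."""
    per_day = stealthy_guesses_per_day(threshold, observation_window_minutes)
    return {
        "keyspace": keyspace(length),
        "offline_rate_to_exhaust_per_second": attempts_per_second_to_exhaust(length, expiry_days),
        "stealthy_online_guesses_per_day": per_day,
        "noisy_online_guesses_per_day": noisy_guesses_per_day(threshold, lockout_duration_minutes),
        "days_to_guess_dictionary_word": expected_days_to_guess(dictionary_size, per_day),
        "days_to_guess_random_password": expected_days_to_guess(keyspace(length), per_day),
    }


if __name__ == "__main__":
    # Assumed policy: 10 bad passwords, 30-minute observation window, 30-minute lockout.
    for name, value in summarize(10, 30, 30).items():
        print(f"{name:>38}: {value:,.0f}")
```

With the assumed policy the lockout caps a patient attacker at a few hundred online guesses per account per day, so a random 7-character password is out of reach for tens of billions of days while a word from a 10,000-entry dictionary falls in under two weeks. That is the point of slides 4, 9 and 11 in numbers: password complexity is what defeats guessing, and a very low threshold mostly hands an attacker an easy lockout denial of service.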
Slide 10: Recommended Account Lockout and Password Policy Settings
Slide 11: Protect Yourself from External Account Lockout Denial of Service Attacks
- Complex passwords
- Rename the Administrator account
- Protect your environment with firewalls
- Prevent anonymous access
- Protect site-to-site traffic with a VPN tunnel
- Protect authentication and NetBIOS ports from Internet attack with IPsec
- Protect authentication and NetBIOS ports from internal attack with IPsec, restricting them to trusted machines
- Keep servers updated with service packs and hotfixes
Slide 12: Authentication Behavioral Changes
- Password verification
- Urgent replication triggers
- Windows 2000 service packs and hotfixes
- Forthcoming SP4 and Microsoft .NET (Windows Server 2003) updates
Slide 13: Password Verification
- When a DC other than the PDC emulator fails a logon with any of the following status codes, the request is chained to the PDC emulator for a second opinion:
  - STATUS_WRONG_PASSWORD
  - STATUS_PASSWORD_EXPIRED
  - STATUS_PASSWORD_MUST_CHANGE
  - STATUS_ACCOUNT_LOCKED_OUT
- If the PDC emulator also rejects the bad password, both the authenticating domain controller (DC) and the PDC emulator increment badPwdCount on that user's object
Slide 14: NTLM Domain Authentication Chaining
[Diagram: Client --NTLM--> File Server --NTLM (pass-through)--> Domain Controller --chained NTLM--> PDC Emulator]
Slide 15: Kerberos Authentication Chaining
[Diagram: Client --Kerberos--> Domain Controller (KDC) --chained Kerberos--> PDC Emulator; the client then presents its ticket to the File Server]
Slide 16: Urgent Replication Triggers
- Urgent replication is triggered by:
  - Unlocking the account
  - Manually setting password expiration on a user account
  - Resetting the account password
- Attributes that affect the user logon process:
  - lockoutTime
  - pwdLastSet
Slide 17: Kerberos Negative Caching with SP2
- Negative caching, introduced in SP2, was meant to reduce the number of logon requests handled by the PDC emulator
- With it, when the account lockout threshold is reached on an authenticating DC, the account is locked out on that DC but not on the PDC emulator
- With Windows 2000 SP1 and SP3, bad passwords are chained to the PDC emulator
- badPwdCount on the authenticating DC and on the PDC emulator is incremented for each bad password
Slide 18: Forthcoming SP4 and .NET Updates
- RunAs security audit: traceability of the rogue client application or user
- Auditing improvements to determine which process on a computer is locking out an account
  - Not in SP4, but SP5 should have this feature
- Acctinfo.dll adds the ability to change the password for a user account or computer account on a DC in the site of the user's computer
Slide 19: Forthcoming SP4 and .NET Updates (2)
- On-demand replication: a single user object is replicated from the PDC emulator immediately after the retried authentication attempt on the PDC emulator succeeds
- N-2: a logon with either of the user's last two passwords is denied, but the DCs do not increment their badPwdCount for that user
- New DSClient included with Windows Server 2003 for Windows 98 and Windows 95 clients
  - 323466, Availability of the Directory Services Client Update for Windows 95
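The chaining rules on slides 13, 16, 17 and 19 are easiest to see as a small simulation. The following is an added example, not Microsoft code and not how a DC is implemented: it models a replica DC and a PDC emulator in memory, replicates password and lockout state explicitly while keeping badPwdCount local, and switches the SP4 / Windows Server 2003 N-2 behaviour on or off. The account, DC names and passwords are made up; passwords are compared in clear text only to keep the model small.

```python
"""Bad-password chaining between a replica DC and the PDC emulator.

Added example (not Microsoft code) modelling slides 13, 16, 17 and 19: a
non-PDC DC that rejects a password chains the request to the PDC emulator,
both increment badPwdCount when the PDC also rejects it, lockoutTime
replicates urgently while badPwdCount never replicates, a successful retry
at the PDC pulls the user object down on demand, and with the SP4 / Windows
Server 2003 N-2 behaviour a guess equal to one of the last two passwords is
refused without being counted. Passwords are compared in clear text only to
keep the model small; real DCs compare hashes.
"""
STATUS_SUCCESS = 0x00000000
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234


class DomainController:
    def __init__(self, name, lockout_threshold, pdc=None, enforce_n2=False):
        self.name = name
        self.threshold = lockout_threshold   # 0 = lockout disabled
        self.pdc = pdc                       # None means this DC is the PDC emulator
        self.enforce_n2 = enforce_n2
        self.passwords = {}                  # user -> current password
        self.history = {}                    # user -> older passwords, newest last
        self.bad_pwd_count = {}              # per DC; never replicated
        self.locked = set()                  # users with lockoutTime set

    def set_password(self, user, password):
        """A password change or reset performed against this DC."""
        old = self.passwords.get(user)
        if old is not None:
            self.history.setdefault(user, []).append(old)
        self.passwords[user] = password

    def replicate_from(self, other):
        """Pull password, history and lockout state. badPwdCount stays local."""
        self.passwords = dict(other.passwords)
        self.history = {u: list(h) for u, h in other.history.items()}
        self.locked = set(other.locked)

    def _count_bad_password(self, user):
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        if self.threshold and self.bad_pwd_count[user] >= self.threshold:
            self.locked.add(user)

    def logon(self, user, password):
        if user in self.locked:
            return STATUS_ACCOUNT_LOCKED_OUT
        if self.passwords.get(user) == password:
            return STATUS_SUCCESS
        if self.enforce_n2 and password in self.history.get(user, [])[-2:]:
            return STATUS_WRONG_PASSWORD            # denied, but not counted (slide 19)
        if self.pdc is None:                        # we are the PDC emulator: final answer
            self._count_bad_password(user)
            return STATUS_WRONG_PASSWORD
        status = self.pdc.logon(user, password)     # chain to the PDC emulator (slide 13)
        if status == STATUS_WRONG_PASSWORD:
            self._count_bad_password(user)          # both DCs count it
        elif status == STATUS_SUCCESS:
            self.replicate_from(self.pdc)           # on-demand replication (slide 19)
        elif status == STATUS_ACCOUNT_LOCKED_OUT:
            self.locked.add(user)                   # urgent replication of lockoutTime (slide 16)
        return status


def scenario(threshold=3, enforce_n2=True):
    """User1 changes the password at the PDC before DC003 has replicated it,
    then the old password and several wrong guesses arrive at DC003."""
    pdc = DomainController("DC002", threshold, enforce_n2=enforce_n2)
    dc = DomainController("DC003", threshold, pdc=pdc, enforce_n2=enforce_n2)
    pdc.set_password("User1", "Winter2002!")
    dc.replicate_from(pdc)
    pdc.set_password("User1", "Spring2003!")      # not yet replicated to DC003
    results = {
        "new_password_at_stale_dc": dc.logon("User1", "Spring2003!"),
        "previous_password": dc.logon("User1", "Winter2002!"),
    }
    results["guesses"] = [dc.logon("User1", f"guess{i}") for i in range(threshold + 1)]
    results["bad_pwd_count"] = (dc.bad_pwd_count.get("User1", 0), pdc.bad_pwd_count.get("User1", 0))
    results["locked_on"] = sorted(d.name for d in (dc, pdc) if "User1" in d.locked)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Run with N-2 on, the stale DC accepts the new password because the PDC emulator does, the previous password is refused without touching badPwdCount, and the account locks on both DCs after the third wrong guess. Run with `enforce_n2=False`, the previous password is counted like any other bad password and the lockout arrives one guess earlier.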
Slide 20: Common Causes of Account Lockout
- Bad password threshold set too low
- Multiple interactive logons
- OWA, Outlook, and Exchange
- IIS
  - Using authenticated Web pages
- Service accounts
- Disconnected Terminal Server sessions
- Scheduled tasks
  - Statically configured with wrong credentials
- Persistent drives mapped with wrong credentials
Slide 21: Troubleshooting Account Lockouts
- Apply service pack and hotfix updates
- Enable auditing
- Enable Netlogon logging
- Enable Kerberos logging (may be optional)
- Gather and analyze log files
Slide 22: 1. Windows 2000 Service Packs and Hotfixes
- Account lockout related issues are resolved in SP3
- It is highly recommended that Service Pack 3 be installed on all Windows 2000 computers (DCs, member servers, workstations) involved in account lockouts
- If you cannot install SP3, install the fix in article 327784, Windows 2000 Server May Hang After a Local Backup Completes
Slide 23: 2. Auditing
- If service packs and updates do not resolve account lockouts, then audit logs are required
- Enable auditing at the domain level for:
  - Account Logon Events: Failure
  - Account Management: Success
  - Logon Events: Failure
Slide 24: 3. Netlogon Logging
- Enable Netlogon logging and use it in conjunction with auditing, even in a Windows 2000 domain with Windows 2000 clients
- Enable Netlogon logging on the PDC emulator and the replica DCs involved in user authentication
- Use the set l command on the client (it displays the LOGONSERVER variable) or LockoutStatus.exe to find the authenticating DC involved in the user's authentication
- Enable Netlogon logging on all DCs for smaller enterprises (fewer than 10 DCs)
- To enable Netlogon logging, type nltest /dbflag:0x2000ffff
Slide 25: 4. Kerberos Logging
- Client-side logging
- Can be enabled using a computer startup script
- Useful only if an actual Kerberos problem exists
- To enable, see 262177, HOW TO: Enable Kerberos Event Logging
Slide 26: 5. Gathering and Analyzing Log Files
- Use EventCombMT.exe to collect the security and system event logs (.evt format) from the PDC emulator, the authenticating DC, and the client computers that the user logs on to
- Run LockoutStatus.exe against the locked-out user account to find which DCs are involved in the lockout
- Gather Netlogon.log files from the PDC emulator and the other DCs involved in the account lockout
- Use Nlparse.exe to parse the Netlogon logs for the account lockout related status codes 0xC000006A (STATUS_WRONG_PASSWORD) and 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT)
Slide 27: Netlogon Parsing
- Output from three computers: the PDC emulator DC002, the authenticating DC DC003, and the member server MEMSERVER01
Slide 28: From PDC Emulator (DC002) Netlogon Log
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via DC003) 0xC0000234
Slide 29: From Authenticating DC (DC003) Netlogon Log
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC000006A
11-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Machine-006 (via MEMSERVER01) 0xC0000234
Slide 30: From Member Server (MEMSERVER01) Netlogon Log
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:31 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC000006A
11-Mar 14:28:32 Network logon Tailspintoys\User1 Machine-006 0xC0000234
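Nlparse.exe and Findstr do the filtering on slides 26 and 56; the following added example (not Nlparse and not Microsoft code) shows the same parsing in Python and then answers the questions on slide 42 from the result: how many 0xC000006A land in one second, which hops the "(via ...)" fields describe, and when each host first logged the 0xC0000234. The sample input is the set of records shown on slides 28-30, regenerated line by line in the deck's abbreviated form; the regular expression also accepts the longer "[LOGON] DOMAIN: SamLogon: ... Returns 0x..." lines a real Netlogon.log contains, which is an assumption about that format on my part.

```python
"""Parse Netlogon.log records and answer the slide 42 questions.

Added example, not Nlparse.exe itself and not Microsoft code. The sample
lines are the ones shown on slides 28-30 in the deck's abbreviated form;
the regular expression also accepts the longer "[LOGON] DOMAIN: SamLogon:
... Returns 0x..." lines a real Netlogon.log contains.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d{1,2}:\d{2}:\d{2}).*?"
    r"(?P<kind>(?:Transitive )?(?:Network|Interactive)) logon (?:of )?"
    r"(?P<acct>\S+) (?:from )?(?P<ws>\S+)(?: \(via (?P<via>[^)]+)\))?"
    r".*?(?P<status>0x[0-9A-Fa-f]{8})"
)
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234


def _parse_timestamp(text):
    for fmt in ("%d-%b %H:%M:%S", "%m/%d %H:%M:%S"):    # slide form, then Netlogon.log form
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {text!r}")


def parse_netlogon(text, host):
    """One dict per logon record, tagged with the DC or server the log came from."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"host": host, "ts": _parse_timestamp(m["ts"]), "kind": m["kind"],
                            "acct": m["acct"], "ws": m["ws"], "via": m["via"],
                            "status": int(m["status"], 16)})
    return records


def lockout_related(records):
    return [r for r in records if r["status"] in (STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED_OUT)]


def bad_passwords_per_second(records):
    """(host, account, hh:mm:ss) -> number of 0xC000006A in that second.
    Several in one second is a process replaying stored credentials, not a typist."""
    counts = Counter()
    for r in records:
        if r["status"] == STATUS_WRONG_PASSWORD:
            counts[(r["host"], r["acct"], r["ts"].strftime("%H:%M:%S"))] += 1
    return counts


def authentication_chain(records, acct, client):
    """Follow the '(via ...)' hops from the client workstation up to the PDC emulator."""
    next_hop = {}
    for r in records:
        if r["acct"].lower() == acct.lower():
            next_hop[r["via"] or r["ws"]] = r["host"]
    path = [client]
    while path[-1] in next_hop and next_hop[path[-1]] not in path:
        path.append(next_hop[path[-1]])
    return path


def first_lockout_by_host(records):
    """When each host first saw 0xC0000234; differences expose clock skew between logs."""
    first = {}
    for r in records:
        if r["status"] == STATUS_ACCOUNT_LOCKED_OUT and (r["host"] not in first or r["ts"] < first[r["host"]]):
            first[r["host"]] = r["ts"]
    return first


# Sample input: the records from slides 28-30, regenerated here line by line.
def _sample(template, times_and_statuses):
    return "\n".join(template.format(t=t, s=s) for t, s in times_and_statuses)

_CHAINED = "11-Mar 14:28:{t} Transitive Network logon Tailspintoys\\User1 Machine-006 (via {via}) 0x{s}"
DC002_LOG = _sample(_CHAINED.replace("{via}", "DC003"), [("30", "C000006A")] * 5 + [("31", "C0000234")])
DC003_LOG = _sample(_CHAINED.replace("{via}", "MEMSERVER01"),
                    [("30", "C000006A")] * 4 + [("31", "C000006A"), ("31", "C0000234")])
MEMSERVER01_LOG = _sample("11-Mar 14:28:{t} Network logon Tailspintoys\\User1 Machine-006 0x{s}",
                          [("31", "C000006A")] * 2 + [("32", "C000006A")] * 3 + [("32", "C0000234")])


def analyze():
    records = lockout_related(parse_netlogon(DC002_LOG, "DC002") + parse_netlogon(DC003_LOG, "DC003")
                              + parse_netlogon(MEMSERVER01_LOG, "MEMSERVER01"))
    return {
        "lockout_related_records": len(records),
        "chain": authentication_chain(records, "Tailspintoys\\User1", "Machine-006"),
        "max_bad_passwords_in_one_second": max(bad_passwords_per_second(records).values()),
        "first_lockout": {h: t.strftime("%H:%M:%S") for h, t in first_lockout_by_host(records).items()},
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

For the slide data the chain comes out as Machine-006, MEMSERVER01, DC003, DC002, five bad passwords land on the PDC emulator within one second (an automated process, not a user retyping), and MEMSERVER01 records the lockout a second later than the DCs, which is the kind of clock skew to keep in mind when matching these entries against a network trace (slide 58).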
Slide 31: Reading Domain Controller Audit Logs
- Event 675: Pre-authentication failure
  - Shows the IP address of the client computer from which the wrong credentials were sent
- Event 644: User Account Locked Out (account management event)
  - Appears only if account management success auditing is enabled
Slide 32: Reading Domain Controller Audit Logs (2)
Example of event 675 in the security event log from the PDC emulator:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/5/2001
Time: 5:47:26 PM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description:
Pre-authentication failed:
  User Name: Myuser
  User ID: S-1-5-21-4235101579-1759906425-16398432-1114
  Service Name: krbtgt/TAILSPINTOYS.COM
  Pre-Authentication Type: 0x2
  Failure Code: 0x18
  Client Address: 169.16.1.85
Slide 33: Reading Domain Controller Audit Logs (3)
In this example, Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED) means the pre-authentication information was invalid, that is, a wrong user name or password.
Example of event 644 (the user account actually being locked out on the DC):
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 12/5/2001
Time: 5:47:26 PM
User: Everyone
Computer: MYCOMPUTER
Description:
User Account Locked Out:
  Target Account Name: Myuser
  Target Account ID: S-1-5-21-4235101579-1759906425-16398432-1114
  Caller Machine Name: MYCOMPUTER
  Caller User Name: MYCOMPUTER
  Caller Domain: TAILSPINTOYS
  Caller Logon ID: (0x0,0x3E7)
Slide 34: Reading Client-side Audit Logs
- Event 529: Unknown user name or bad password
- Look for patterns
- Look for the logon type
- Look for the logon process
Slide 35: Example of Event 529
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/21/2001
Time: 2:05:20 PM
User: NT AUTHORITY\SYSTEM
Computer: SALTSHAKER
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: user66
  Domain: TAILSPINTOYS
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SALTSHAKER
Slide 36: Reading Client-side Audit Logs (2)
- Event 531: Account currently disabled
  - This is what a lockout looks like on the client: the KDC reports a locked-out account with the same KDC_ERR_CLIENT_REVOKED error (0x12) it uses for a disabled one, so the client cannot tell the two apart
Slide 37: Event 531 of the Account Being Disabled
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/21/2001
Time: 2:05:21 PM
User: NT AUTHORITY\SYSTEM
Computer: SALTSHAKER
Description:
Logon Failure:
  Reason: Account currently disabled
  User Name: user66
  Domain: TAILSPINTOYS
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
Slide 38: Logon Types
Slide 39: Logon Process
Slide 40: Kerberos Events
- Event ID 4
  - Appears only on computers that have Kerberos logging enabled
  - 262177, HOW TO: Enable Kerberos Event Logging
  - Pre-authentication failures
  - Account getting locked out
Slide 41: Kerberos Event of User Account Getting Locked Out
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/21/2001
Time: 2:05:21 PM
User: N/A
Computer: SALTSHAKER
Description:
The function LogonUser received a Kerberos Error Message on logon session TAILSPINTOYS\user66
  Client Time:
  Server Time: 19:5:21.0000 12/21/2001 (null)
  Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
  Client Realm:
  Client Name:
  Server Realm: TAILSPINTOYS.COM
  Server Name: krbtgt/TAILSPINTOYS.COM
  Target Name: krbtgt/TAILSPINTOYS@TAILSPINTOYS
  Error Text:
  File:
  Line:
  Error Data is in record data.
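The DC-side events on slides 31-33 answer the troubleshooting question directly once the 675 failures are joined to the 644 lockout: the Client Address of the 0x18 failures in the minutes before the lockout is the machine sending the bad credentials. The following added example (not EventCombMT and not Microsoft code) does that join over records in the field-per-line layout the deck shows. The sample records are constructed for the example; the account, computer and date echo slide 32, while the client addresses, times and the second account are made up. It also shows the check a practitioner needs: only Failure Code 0x18 is a bad password, whereas 0x19 (KDC_ERR_PREAUTH_REQUIRED) is the normal first round trip of a Windows Kerberos logon and must not be counted.

```python
"""Correlate event 675 pre-authentication failures with event 644 lockouts.

Added example (not EventCombMT and not Microsoft code) for slides 31-33 and
52: given security-log records in the field-per-line layout the deck shows,
find which client addresses sent the wrong passwords that preceded each
lockout. The sample records below are constructed for the example; the
account, computer and date echo slide 32, the addresses and times are made up.
"""
import re
from collections import Counter
from datetime import datetime

WRONG_PASSWORD_CODE = "0x18"       # KDC_ERR_PREAUTH_FAILED: a bad password
# 0x19 (KDC_ERR_PREAUTH_REQUIRED) is the normal first round trip and must be ignored.


def _record(**fields):
    return "\n".join(f"{key.replace('_', ' ')}: {value}" for key, value in fields.items())


def _preauth_failure(time, user, address, code=WRONG_PASSWORD_CODE):
    return _record(Event_ID=675, Date="12/5/2001", Time=time, Computer="MYCOMPUTER",
                   User_Name=user, Failure_Code=code, Client_Address=address)


# Constructed sample: one lockout of Myuser preceded by five bad passwords from one address.
SAMPLE_SECURITY_LOG = "\n\n".join([
    _preauth_failure("4:40:02 PM", "Myuser", "169.16.1.200"),          # an hour earlier: unrelated
    _preauth_failure("5:47:21 PM", "Myuser", "169.16.1.85", "0x19"),   # pre-auth required: noise
    *[_preauth_failure(f"5:47:2{i} PM", "Myuser", "169.16.1.85") for i in range(1, 6)],
    _preauth_failure("5:47:23 PM", "user66", "169.16.1.90"),           # other account, not locked
    _record(Event_ID=644, Date="12/5/2001", Time="5:47:26 PM", Computer="MYCOMPUTER",
            Target_Account_Name="Myuser", Caller_Machine_Name="MYCOMPUTER"),
])


def parse_events(text):
    """Split on blank lines; each 'Field: value' line becomes a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                event[key.strip()] = value.strip()
        event["when"] = datetime.strptime(f"{event['Date']} {event['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(event)
    return events


def correlate_lockouts(events, window_seconds=300):
    """For every 644, the 675/0x18 client addresses seen for that account in the
    preceding window, most frequent first: {account: {"locked_at": datetime,
    "sources": [(address, count), ...]}}."""
    result = {}
    for lock in (e for e in events if e.get("Event ID") == "644"):
        account = lock["Target Account Name"].lower()
        sources = Counter()
        for e in events:
            if (e.get("Event ID") == "675" and e.get("Failure Code") == WRONG_PASSWORD_CODE
                    and e.get("User Name", "").lower() == account
                    and 0 <= (lock["when"] - e["when"]).total_seconds() <= window_seconds):
                sources[e["Client Address"]] += 1
        result[lock["Target Account Name"]] = {"locked_at": lock["when"], "sources": sources.most_common()}
    return result


if __name__ == "__main__":
    for account, info in correlate_lockouts(parse_events(SAMPLE_SECURITY_LOG)).items():
        print(account, info["locked_at"].strftime("%I:%M:%S %p"), info["sources"])
```

The window should be at least the observation window of the lockout policy, since that is how far back the counted bad passwords can reach; the address that comes out on top is the computer on which to run Alockout.dll or a network trace (slides 46 and 58).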
Slide 42: Questions to Keep in Mind
- Do the logon attempts occur seconds apart, or are there many 0xC000006A events within the same second?
- What computers are the 0xC000006A events coming from?
- What client computers are appearing in the Netlogon logs?
- What server are the clients getting bad passwords against?
- What accounts are getting 0xC000006A?
- What pattern is there to the 0xC000006A events and lockouts?
Slide 43: Account Lockout Tools
- LockoutStatus.exe
- ALockout.dll
- ALoInfo.exe
- Acctinfo.dll
- NLParse
- EventCombMT
- FindStr
- Replmon and Repadmin
- Network Monitor
Slide 44: LockoutStatus.exe
- Displays multiple facets of a locked-out account
- Assists in finding the computers involved in the authentication chain
Slide 45: LockoutStatus.exe (2)
Slide 46: Alockout.dll
- The tool hooks the APIs that call LogonUser on the client and dumps information about what is making those calls into a text file named Alockout.txt in winnt\debug
Slide 47: Aloinfo.exe
- Aloinfo.exe can be used to dump all user account names along with their password age
- This allows proactive setup of the Alockout.dll logging before the next lockout occurs
Slide 48: Acctinfo.dll
- Acctinfo.dll adds new property pages to user objects in Active Directory Users and Computers to help isolate or troubleshoot account lockouts and to change a user's password on a DC in that user's site
Slide 49: Acctinfo.dll (2)
Slide 50: Acctinfo.dll (3)
Slide 51: Acctinfo.dll (4)
Slide 52: EventCombMT
- A multithreaded tool used to gather specific events from the event logs of several different computers from one central location
- Includes a built-in search for account lockouts that is already preconfigured to include events 529, 644, 675, 676, and 681
Slide 53: EventCombMT (2)
Slide 54: Nlparse
- Used to parse Netlogon logs for specific Netlogon return status codes
- The output is written to a CSV file that can be opened with Excel and sorted further if needed
- The return codes specific to account lockouts are 0xC000006A and 0xC0000234
Slide 55: Nlparse (2)
Slide 56: Findstr
- A command-line tool built into Windows 2000 that can be used to search several Netlogon.log files at once
- Copy the Netlogon.log files into one directory (renaming each so they do not collide, for example netlogon-DC002.log) and run the following command:
  findstr /I User1 netlogon*.log > c:\user1.txt
Slide 57: Replmon and Repadmin
- If Active Directory replication has not already been verified, repadmin /showreps and Replmon can be used to verify that Active Directory replication is occurring properly
Slide 58: Network Monitor Trace
- If the account lockout is process or application related and an account is already locked out on a specific client computer, gather network traces of all traffic to and from that client computer while the account is still locked out
- The application or process will probably continue sending bad credentials while trying to access resources on the network
- If you have found the specific computer but the user account is not yet locked out, keep Network Monitor running until that user's next lockout occurs, and then compare the new lockout event in the Netlogon logs or security logs with the data captured in the trace by matching the time stamps of events and frames
Slide 59: Additional Resources
- Security
  - 320053, HOW TO: Rename the Administrator and Guest Account in Windows 2000
  - 246261, How to Use the RestrictAnonymous Registry Value in Windows 2000
  - Directory Replication over Firewalls
  - 813878, How to Block Specific Network Protocols and Ports by Using IPSec
Slide 60: Additional Resources (2)
- ForceUnlockLogon
  - 329885, Cannot Unlock Workstation with ForceUnlockLogon and Expired Password
  - 281250, Information About Unlocking a Workstation
  - 188700, Screensaver Password Works Even if Account Is Locked Out
- Password filter
  - 274613, Passfilt.dll Does Not Enforce Minimum Password Length of 6 Characters
Slide 61: Additional Resources (3)
- Authentication
  - 219898, How the Bad Password Count Is Incremented in Windows NT
  - 232690, Urgent Replication Triggers in Windows 2000
  - 306131, Kerberos Negative Caching Causes Logon to Not Be Retried on PDC
  - 272065, Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers
- Logging information
  - 262177, HOW TO: Enable Kerberos Event Logging
Slide 62: Additional Resources (4)
- Known issues for Windows 2000 Server and client
  - 264678, Increased Account Lockout Frequency in Windows 2000
  - 287639, Client Cannot Log On Even If the Account Is Unlocked on the PDC
  - 278299, Reset Locked-Out Account Is Locked Out with One Bad Password
  - 292573, ADSI SetPassword Call Does Not Always Set the Password on Target
  - 263821, Account Lockout Because BadPwdCount Not Reset to 0
  - 294811, Password Expiration Message After You Change Your Password
  - 306133, Account Unlocks and Manual Password Expirations Not Replicated
  - 303290, Drive Mapping for Home Folder Overwrites Local Drive after SP2
Slide 63: Additional Resources (5)
- Known issues with other applications
  - 163576, XGEN: Changing the RPC Binding Order
  - 173658, XWEB: Mailbox Access via OWA Depends on IIS Token Cache
  - 328867, XADM: MSN Messenger May Cause Domain Account Lockout After a Password Change
Slide 64: Additional Resources (6)
- Call PSS for the following hotfix
  - New DS client for Windows 98 and Windows 95
  - 323466, INFO: Availability of the Directory Services Client Update for Windows 95 and Windows 98
Slide 65
- Thank you for joining today's Microsoft Support WebCast.
- For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit http://support.microsoft.com/webcasts/
- Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.