Microsoft Windows NT Server 4.0, Windows 2000, Windows XP, and
the Windows Server 2003 Family

Ramesh Chinta, Program Manager, Microsoft Corporation
Mike Danseglio, Technical Writer, Microsoft Corporation
Mike Resnick, Technical Lead, Microsoft Corporation

Acknowledgements

Vincent Abella, Technical Editor, Microsoft Corporation
Jen Bayer, Technical Writer, Microsoft Corporation
Emily Moon, Technical Editor, S$T OnSite
Joseph Vasil, Support Engineer, Microsoft Corporation

Introduction

Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates. This white paper describes how these settings affect account lockout and makes some general recommendations for configuring and troubleshooting account lockout issues.

Account Lockout and Password Concepts

Passwords are an important step in a security plan for your network. Users may see passwords as a nuisance; however, the security of your enterprise relies on a combination of password length, password uniqueness, and password lifespan. These three items help defend against dictionary attacks and brute force attacks. A dictionary attack occurs when a malicious user tries known words that are in the dictionary and a number of common password names to try and guess a password. A brute force attack occurs when a malicious user tries all of the possible permutations until one is successful. Because most users prefer passwords that they can easily remember, dictionary attacks are often an effective method for a malicious user to find a password in significantly less time than they would with brute force attacks. Therefore, the strength of a password depends on how many characters are in the password, how well the password is protected from being revealed by the owner, how well the password is protected if it is intercepted by a
malicious user on the network, and how difficult the password is to guess. Even good passwords that are protected by cryptography on the network and that are not subject to dictionary attacks can be discovered by brute force in a few weeks or months by a malicious user who intercepts the password on the network. Currently, several attack methods are based on guessing weak passwords by using dictionary and brute force attacks. For a few simple ways to help prevent these attacks, see "Protecting from External Lockout Denial of Service Attacks" in this document for ports to block and registry values that you can set to help prevent such attacks. Frequently, a malicious user will guess a number of passwords during a password-based attack. To help prevent the attacks from being successful, you can configure account lockout settings. The result of this configuration is that the associated account is temporarily disabled after a specified number of incorrect passwords are tried. This helps to prevent a successful attack by preventing the account from being used. However, a legitimate user cannot use that account until it is unlocked. This paper discusses the balance between the benefits and risks of account lockout.

Understanding Password Complexity

A complex password that is enforced by the operating system is one of the most effective methods that you can use to deter the opportunity for a successful attack. When you configure both an expiration time and a minimum length for a password, you decrease the time in which a successful attack could occur. For example, when you enforce password complexity with a password length of 6 and set the password to expire in 60 days, a user can choose from a permutation of:

- 26 lowercase characters
- 26 uppercase characters
- 32 special characters
- 10 numbers

This means that:

26 + 26 + 32 + 10 = 94 possible characters in a password
Password length policy = 6
94^6 = 689,869,781,056 unique password permutations

With a 60-day password expiration
time, the malicious user would have to make 133,076 password attempts every second to attempt all of the possible passwords during that password's limited lifetime. If it takes only 50 percent of the permutations to guess the password, a malicious user would have to attempt to log on to the computer about 66,538 (133,076 × .50) times every second to discover the password before it expires. To decrease the chances that a malicious user has to discover the password, you can use a password length of 7. When you set the minimum password length to 7, the possible password permutations exceed 64 trillion (94^7 = 64,847,759,419,264). When you compare the calculations above that have a password length of 6 to the calculations below that have a password length of 7, you will notice that the malicious user would have to log on to the computer about 6,254,606 times for each second that the password is valid in the 60-day expiration time that you set. The following list describes how increasing password length deters both dictionary and brute force attacks. Note that the examples that are in this list assume that you have applied a policy that requires users to create complex passwords. When you do this, there are 94 possible characters from which the users can choose their password.

- 6 characters: 94^6 = 689,869,781,056
- 7 characters: 94^7 = 64,847,759,419,264
- 8 characters: 94^8 = 6,095,689,385,410,816
- 9 characters: 94^9 = 572,994,802,228,616,704
- 10 characters: 94^10 = 53,861,511,409,489,970,176

Note: A few of these password possibilities are not valid. By
default, users cannot choose any part of their user name for their password and they cannot use all of the same characters as a password. Because of this, these password possibilities must be deducted from the total number of possible passwords that are listed above. Because there are very few passwords that apply to these exceptions and because the number of passwords that do apply to these exceptions can vary (based on the number of letters that are in the user's logon name), this document does not account for these exceptions. These statistics explain how difficult it is for a malicious user to discover a password when you require the users in your network to use a complex password. Because of this, Microsoft recommends that you enforce a complex password policy that requires users to choose passwords with a specific number of characters for the security needs of your organization. The "Password Policies Settings" section in this document describes the complex password policies and settings for Microsoft Windows NT Server 4.0, the Windows 2000 family, and the Windows Server 2003 family of operating systems. Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords. The following section provides more information about how you can use the account lockout feature.

Authentication

Authentication is the process of validating a user name and password on a domain controller for:

- The initial logon to either a workstation or domain that uses the CTRL+ALT+DELETE secure logon sequence.
- An attempt to unlock a locked workstation by using the CTRL+ALT+DELETE secure logon sequence.
- An attempt to type a password for a password-protected screen saver.
- A user, script, program, or service that attempts to connect to a network resource by using either a mapped drive or a Universal Naming Convention (UNC) path.

Note: An account that is locked out may still be able to gain access to some
resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out.

There are two primary authentication protocols used by Windows: NTLM and Kerberos. This paper assumes you are familiar with these authentication protocols and does not focus on authentication details. Instead, the focus is placed on how authentication plays a role in account lockout. For more information on authentication protocols, see online help in Windows XP and the Windows Server 2003 family.

How Domain Controllers Verify Passwords

To illustrate the authentication process, the following diagram describes the steps that occur when a logon attempt does not work.

Figure 1 Process for a Failed Logon Attempt

1. The client computer presents the user logon information to a domain controller. This includes the user's account name and a cryptographic hash of their password. This information can be sent to any domain controller and is typically sent to the domain controller that is identified as the closest domain controller to the client computer.
2. When a domain controller detects that an authentication attempt did not work and a condition of STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned, the domain controller forwards the authentication attempt to the primary domain controller (PDC) emulator operations master. Essentially, the domain controller queries the PDC to authoritatively determine if the password is current. The domain controller queries the PDC for this information because the domain controller may not have the most current password for the user but, by design, the PDC emulator operations master always has the most current password.
3.
The authentication request is retried by the PDC emulator operations master to verify that the password is correct. If the PDC emulator operations master rejects the bad password, the PDC emulator operations master increments the BadPwdCount attribute for that user object. The PDC is the authority on the user's password validity.
4. The failed logon result information is sent by the PDC emulator operations master to the authenticating domain controller.
5. The authenticating domain controller also increments its copy of the BadPwdCount attribute for the user object.
6. The authenticating domain controller then sends a response to the client computer that notifies it that the logon attempt did not work.

As long as that user, program, or service continues to send incorrect credentials to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC until the threshold value for incorrect logon attempts is reached (if you set it in a policy). When this occurs, the account is locked out. For more information, see "How the Bad Password Count Is Incremented in Windows NT" in the Microsoft Knowledge Base at http://support.microsoft.com/?id=219898.

New Features in the Windows Server 2003 Family

In the Windows Server 2003 family of operating systems, Microsoft has improved the function of the Account Lockout feature on both servers and client computers.

Computers Running Windows Server 2003 That Act As Network Servers

To improve the experience for users and to decrease the overall total cost of ownership, Microsoft made the following changes to the behavior of domain controllers in the Windows Server 2003 family:

Password history check (NEW): Before a Windows Server 2003 operating system increments BadPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, BadPwdCount is not
incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error.

Single user object (on demand) replication: See the "Urgent Replication" section in this document for more information.

Optimized replication frequency: The default frequency for replication between sites is to replicate every 3 hours. This optimization improves the replication of a password change in a site because it decreases the chances that the domain controller would have to contact the PDC operations master.

Computers Running Windows Server 2003 Family Acting As Network Clients

Microsoft has added the following features in the Windows Server 2003 family to gather the process ID that is using the credentials that fail authentication:

Auditing logon changes: There are entries for all logon and logoff events (528 and 540, as well as 529 through 539).

Auditing of processes encountering authentication failures: New information is added to the Security event log when authentication failures occur:

- Caller User Name
- Caller Domain
- Caller Logon ID
- Caller Process ID

Note: To use the process ID, turn on success auditing for Audit process tracking events so that you can obtain the process identifier (PID) for the associated Event 592. If you do not do this, the PID is not useful after the process stops. To view audit process tracking, in the Group Policy Microsoft Management Console (MMC), in the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.

Microsoft has added the following administrative enhancements to provide more account lockout information than the information that is available in the default configuration of the Windows Server 2003 family:

AcctInfo.dll: The AcctInfo.dll file is a property page extension for user objects in the Active Directory Users and Computers MMC that provides
detailed information about user password attributes. An administrator can use the AcctInfo.dll file to reset user account passwords on a domain controller that is in the user's Active Directory site.

LockoutStatus.exe: The LockoutStatus.exe tool displays bad password count and time information from all of the domain controllers that are in a domain. You can run this tool as either a stand-alone tool or as an extension to the AcctInfo.dll file when you place it in the Systemroot\System32 folder on your computer.

More information about both AcctInfo.dll and LockoutStatus.exe is available in "Account Lockout Tools" in this document.

Configuring Account Lockout Settings

To enable the Account Lockout policy settings for both domain and local users, configure the settings that are described in this section.

Recommended Service Packs and Hotfixes

Security issues in Windows operating systems are discovered and fixed often. These fixes often have an impact on account lockout and password policy features, as well as their dependent components. Therefore, you should apply the latest service packs and hotfixes to all of the domain controllers, servers, and clients to ensure that the account security settings that you want are applied and to ensure that the domain controllers and operating systems are up-to-date. Note that service packs resolve groups of issues and hotfixes resolve a specific issue. You should have an ongoing strategy to keep your computers updated and protected against viruses, trojans, and so on, that may use vulnerabilities that are already fixed. For more information about how to create a software update strategy, refer to Help and Support Center in the Windows Server 2003 family and Windows XP, or refer to Help in Windows 2000. Because these issues are discovered and fixed on an ongoing basis, they are not listed in this document. For more information, see "Service Packs and Hotfixes Available to Resolve Account Lockout Issues" in the Microsoft Knowledge
Base at http://support.microsoft.com/?id=817701.

Configuring Account Lockout

The account lockout policy settings are designed to help prevent a brute force attack on user passwords. This section describes where you can configure the setting, as well as some things that you should consider before you use the settings.

Configuring Account Lockout for Domain Users

For domain users, set the appropriate values by configuring the default domain policy in the console tree. To configure the default domain policy, open the Group Policy MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then double-click Account Lockout Policy. For more detailed steps, see "Account Lockout Settings" in this document.

Configuring Account Lockout for Local Users

For a stand-alone workstation, set the appropriate registry values by configuring the local policy:

1. Click Start, click Run, type gpedit.msc, and then press ENTER.
2. In the Group Policy Object Editor MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then double-click Account Lockout Policy.
3. In the details pane, right-click the policy setting that you want, and then click Properties.
4. If you are defining this policy setting for the first time, click Define this policy setting.
5.
Select the options that you want, and then click OK.

Microsoft recommends that you do not exempt the privileged accounts from password policies. Your privileged accounts should have complex passwords, an expiration period, and the passwords should be a minimum of fifteen characters in length. Microsoft also recommends that you protect the local accounts (non-domain clients) by using a local password policy for all users. For all workstations in a domain, set a domain-level Group Policy object (GPO) and filter it to apply to the domain member computer.

Choosing Account Lockout Settings for Your Deployment

This section describes the ramifications of changing the various settings and a way to estimate the difficulty of using the brute force method of password guessing with a certain configuration. Like other settings that are associated with passwords, choosing settings for account lockout involves balancing the benefits and drawbacks between security, usability, and cost. The primary consideration is how much risk is acceptable when you configure the password policy of the domain. For example, consider the following two domain configurations:

- User accounts that are in domain A have a minimum password length of 3 characters, no password complexity requirements, and passwords never expire.
- User accounts that are in domain B have a minimum password length of 6 characters, password complexity, and passwords in the domain expire in 42 days.

There is less risk of a malicious user guessing the password of a domain B user; for the same risk tolerance, domain B
can have a less stringent account lockout policy. Whether you set the LockoutDuration registry value to 0 or not also has an important effect on the setting that is permitted for both the ObservationWindow and LockoutThreshold registry values. As an example, assume that the administrator resets the password when the account is locked with a LockoutDuration registry value of 0. With the LockoutDuration registry value set to 0 and the LockoutThreshold registry value set to 20, the malicious user has 20 guesses to use against that password. If the lockout duration is 30 minutes, the malicious user has 20 guesses every 30 minutes against that password until it is changed. This is a very significant difference in the total number of guesses that are available to the malicious user. In comparison, if the administrator sets the maximum password age to 42 days, the first malicious user has only 20 guesses against any given password, while the second malicious user has 40,320 guesses (20 tries for every lockout, multiplied by 48 lockouts every day, multiplied by 42 days before the user changes the password). With the default password settings, there are approximately 10^12 possible passwords. This means that the malicious user has approximately a .000004 percent (%) chance of guessing the password. With an optimized guessing scheme, this percentage would most likely be a larger percentage. This example demonstrates that setting the LockoutDuration registry value to 0 allows the LockoutThreshold registry value to be a significantly higher number for equivalent risk tolerance. If you increase the LockoutThreshold registry value, you help to reduce the behavior of a user accidentally locking themselves out of their computer.

When you choose the setting for account lockout, it is important that you consider the inherent denial of service that is associated with a locked out account. Ideally, the only accounts that are locked out are the accounts that are being attacked. However, the computer
cannot determine the difference between a user typing an incorrect password or an automated task that is using an incorrect password. As a result, from the user's perspective, users who are trying to perform their daily tasks may be suddenly unable to perform their work, which incurs both the cost of support to the domain and the cost of lost work. The lower the value that you set for the LockoutThreshold registry value, the more likely this behavior is to occur. The length of the ObservationWindow registry value has much less effect on this behavior than the LockoutThreshold registry value.

Microsoft recommends that you regularly review the Security event logs of all computers so that you are aware of any patterns that might show an attack or user error. The values that are necessary to identify specific malicious users and targets can be obtained only after you implement the auditing policies that are mentioned in the "Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues" section in this document. Microsoft offers an event log monitoring solution, Microsoft Operations Manager (MOM), that you can script with responses. This tool also has many other built-in actions that you can use. For more information about MOM, see the MOM Web site at http://www.microsoft.com/mom/default.asp.

Note: Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

LockoutThreshold vs.
ObservationWindow

In general, the LockoutThreshold value has more of an effect on how the computer behaves than the ObservationWindow value. Most logon attempts that do not work occur during a very short period of time. Because of this, the period of time is inside of the ObservationWindow time. Users rarely type a bad password many times in a row, so the LockoutThreshold value is rarely exceeded. The exception to this is the environment where the LockoutThreshold registry value is set so low that a user could accidentally mistype their password often enough to lock themselves out (for example, if you set the LockoutThreshold value to 2). Malicious password attacks are almost always automated. A user typically locks themselves out of their computer when they type a bad password once and try to type that same bad password over and over again.

Recommended Account Lockout Settings

The security configuration for an organization is determined by the level of protection that is required in the organization's environment. In some low-security scenarios (such as in a small office where no sensitive information is stored in the system), a simple password policy may be sufficient to protect the resources. However, in a high-security environment (such as in a banking system), much stronger security protection is desired. You should use account lockout and strong password policies in these environments. In all examples, the stronger the security that is implemented, the higher the cost that is associated with maintaining that security. The following table provides recommended account lockout settings for many different security configurations.

Table 1 Recommended Account Lockout Settings

Security category   Threshold   Observation window (minutes)   Lockout duration (minutes)   Cost
Low                 N/A         N/A                            N/A                          Low
Medium              10          30                             30                           Medium
High                10          30                             Infinite/0                   High

Note: "Cost" includes downtime cost for the user whose account is locked out, as well as support cost for servicing the locked out account.

Recommended Password Policy Settings

The table below provides recommended password policy settings for various security configurations.

Table 2 Recommended Password Policy Settings

Security category   Password history   Maximum password age (days)   Minimum password age (days)   Minimum password length   Complexity   Cost
Low                 3                  42                            0                             0                         disabled     Low
Medium              24                 42                            1                             7                         enabled      Medium
High                24                 42                            1                             8                         enabled      High

General Recommendations for Account Lockout and Password Policy Settings

In addition to the specific account lockout and password policy settings in the previous tables, there are some other configuration changes that may help you achieve the level of security that you want. These include:

- When you enable account lockout, set the ForceUnlockLogon registry value to 1. This setting requires that Windows re-authenticates the user with a domain controller when that user unlocks a computer. This helps to ensure that a user cannot use a previously-cached password to unlock their computer after the account is locked out.
- False lockouts can occur if you set the LockoutThreshold registry value to a value that is lower than the default value of 10. This is because users and programs can retry bad passwords frequently enough to lock out the user account. This adds to administrative costs.
- After you unlock an account that is locked out, verify that the LockoutDuration value is set. You should do this because the value may have changed during the account unlock process.
- Carefully consider setting the LockoutDuration registry value to 0. When you apply this setting, you may incur additional administrative labor by requiring administrators to manually unlock a locked out user account. Although this does increase security, the increased labor drawback may outweigh the security benefit.
- Define account lockout and
password policies once in every domain. Ensure that these policies are defined only in the default domain policy. This helps to avoid conflicting and unexpected policy settings.
- Unlock an account from a computer that is in the same Active Directory site as the account. By unlocking the account in the local site, urgent replication occurs in that site which triggers immediate replication of the change. Because of this, the user account should be able to regain access to resources faster than waiting for replication to occur. Note that the AcctInfo.dll tool helps to identify an appropriate domain controller and unlock the account. For more information about AcctInfo.dll, see the "Account Lockout Tools" section in this document.

Protecting from External Account Lockout Denial of Service Attacks

It is possible for a malicious user to launch a denial-of-service attack against your enterprise from outside of your network. Because most networks are interconnected, this can be a difficult attack to mitigate. The following are common techniques and technologies that you can use to help mitigate or prevent such attacks:

Require complex passwords: All accounts should have a complex password. All administrator accounts (local and domain) should have a long, complex password and you should change the password regularly.

Rename the administrator account: Because the administrator account cannot be locked out, it is recommended that you rename the account. Although this does not mitigate all of the attacks against the administrator account, it does help mitigate these attacks most of the time. For more information, see "HOW TO: Rename the Administrator and Guest Account in Windows 2000" in the Microsoft Knowledge Base at http://support.microsoft.com/?id=320053.

Protect your environment with firewalls: To avoid an account lockout denial of service attack, block the TCP and UDP ports 135 through 139 and port 445 on your routers and firewalls. When you do this, you
prevent logon attempts that occur outside of your network.

Prevent anonymous access: Set the RestrictAnonymous value to 2 on all computers that are exposed to the internet and to the entire domain if all of the computers are running versions of Windows 2000 or later. This stops malicious users from making anonymous connections to resources and may help defeat some types of attacks. Note that some operating systems have limited support for computers that have this setting. Some programs may also have issues with this setting if the programs use an anonymous connection to gain access to resources. For more information, see "How to Use the RestrictAnonymous Registry Value in Windows 2000" in the Microsoft Knowledge Base at http://support.microsoft.com/?id=246261.

Protect site-to-site traffic by using a VPN tunnel: If communication between domain members in two sites is required, use a site-to-site VPN tunnel to securely connect site networks together. Do not open all NetBIOS ports on the firewall. You can use the Windows 2000 Server Routing and Remote Access service to create site-to-site VPN tunnels. If no VPN devices are available, you should configure the edge firewall or router filters to limit the traffic that is permitted to flow between the Internet Protocol (IP) address ranges that are used by each site. If sites need to use Active Directory replication only across the Internet, then use Internet Protocol security (IPSec) transport mode through the firewalls to secure all traffic between Active Directory servers. For more information about Active Directory replication through firewalls, see the "Active Directory Replication over Firewalls" white paper on the Microsoft Web site at http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp.

Protecting authentication and NetBIOS ports from
Internet attack: On either the firewall or the router that connects your internal network to the Internet, block access to TCP and UDP ports 135 through 139 and port 445. If no edge filtering device is available, you can use IPSec filters to block these ports. To do this, use the configuration that is described in "How to Block Specific Network Protocols and Ports by Using IPSec" in the Microsoft Knowledge Base at http://support.microsoft.com/?id=813878. In the same IPSec policy, you must create an additional rule that adds filters to permit traffic to these ports when the source address is in a subnet that is used by the internal network. To do this, use the configuration that is described in "How to Block Specific Network Protocols and Ports by Using IPSec" in the Microsoft Knowledge Base at http://support.microsoft.com/?id=813878.

Protecting authentication and NetBIOS ports from internal attack: If you must protect access to both authentication and NetBIOS ports from internal malicious users, you can restrict the computers that are permitted to gain access to these ports to only domain member computers by using the feature in IPSec that allows you to negotiate security. By
allowing only trusted computers (domain member computers) to gain access to both authentication and NetBIOS ports, you reduce the number of computers that can perform the attack. This extra protection provides a defense against any breaches in your security perimeter and against malicious users who can connect to the internal network. For information about how to create a custom IPSec policy to use Kerberos authentication when negotiating IPSec security for access to TCP and UDP ports 135 through 139 and port 445, see the "Step-by-Step Guide to Internet Protocol Security (IPSec)" on the Microsoft Web site at http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp.

Update the server: Keep all of your servers up-to-date with current versions of antivirus software, firewall software, and Windows security patches. This helps prevent trojan horse programs and viruses from attacking your resources if the malicious user can launch an attack from your internal network instead of from the Internet. These updates are an important part of an in-depth and defensive security strategy.

Details of Account Lockout Settings and Processes

With the account lockout feature enabled, access to the account is denied when the number of logon attempts that did not work exceeds the LockoutThreshold registry value (the account lockout threshold) in a specified amount of time. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for that account expires. Account Lockout is disabled on default installations of Windows NT Server 4.0, Windows 2000, and Windows Server 2003 domains. Account lockout operation is enabled after the domain administrator enables settings in the default domain policy. The policy settings remain enabled when you upgrade domain controllers to a later version of an operating system. Although the Group Policy Object Editor appears to support account lockout and password policy in each organizational unit,
these settings actually occur across the domain; you must define the settings on the root organizational unit for the domain. Microsoft recommends that you define account lockout and password policies in only one Group Policy object (GPO) for every domain (in the Default Domain policy settings).

Password Policy Settings

The first step that you should use to secure your network is to enforce password policy settings. When you implement a secure password policy, you may not need to implement the account lockout feature.

Password Complexity

Passwords, by default, can include any combination of characters; passwords can also be blank. Microsoft recommends that you require the use of complex passwords to help ensure that passwords provide the best security possible. These complex passwords are much more resistant to attack than blank or simple passwords. To enforce password complexity in your organization, you can enable the Password must meet complexity requirements security setting. The complexity requirements enforced by this setting are stored in Passfilt.dll. In Windows 2000 operating systems and later, Passfilt.dll is built into the operating system. In Windows NT Server 4.0, you must add the Passfilt.dll file to the operating system to achieve the same results. Passfilt.dll is included in Windows NT Server 4.0 Service Pack 2 and in later service packs. By
default, complex passwords enforced by Passfilt.dll have the following properties:

Do not contain all or part of the user's account name.
Contain characters from three of the following four categories:
English uppercase characters (A through Z).
English lowercase characters (a through z).
Base-10 digits (0 through 9).
Non-alphanumeric (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters.

Note: Depending on your environment, using extended ASCII, symbolic, or linguistic characters in passwords can have unexpected results. It is highly recommended that you test these characters before using them in production.

When implementing this policy, it is recommended to inform your users of the change in policy so that a smooth transition can take place from a simple password to a complex password. Otherwise, users may be confused by the new password criteria and circumvent security to avoid the difficulty. You can create and register your own custom password filter if you want to modify the complexity requirements enforced in the security setting. For information about how to create a Passfilt.dll file, see "Password Filters" on the MSDN Web site (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/password_filters.asp).

Password History

You can use the Password History setting to prevent users from repeatedly using the same password. When you use the password history feature, a user is prevented from using passwords that they used in the past, up to the number of passwords that you specify. You can configure Windows to retain between 0 and 24 passwords by using the Password History feature. Microsoft recommends that you set the password history to the maximum value to help ensure the least amount of password reuse by users. In the Windows 2000 Server family and later, the location of the password history is in the Default Domain policy settings at Computer Configuration\Windows Settings\Security Settings\Account Policies\Enforce
Pass'ord 3istor") Valid non2(ero ,al&es are bet'een 9 and 7=) The defa< ,al&e is 7= for domain controllers r&nning a member of the Windo's #er,er 7558 famil", 8 for domain controllers r&nning a member of the Windo's 7555 famil", and 5 for all other Windo's operating s"stems) Mini!u! Password &en$th Oo& can &se the Mini!u! Password &en$th setting to decrease the chances that a pass'ord can be disco,ered b" a malicio&s &ser) /or more information abo&t the Mini!u! Password &en$th settin$, see 0*nderstanding Pass'ord Comple1it"0 in this doc&ment) Bn ,ersions of Windo's 7555 operating s"stems and later, "o& can change the Mini!u! Password &en$th setting in the Kro&p Polic" MMC, in the ,efault ,o!ain polic" settings at Comp&ter Config&rationPWindo's #ettingsP#ec&rit" #ettingsPAcco&nt PoliciesPPass'ord Polic"PMinim&m Pass'ord Length) An administrator can set the ,al&e bet'een 5 and 9= characters) Each additional character increases the total possible pass'ord perm&tations) 3o'e,er, if "o& set the ,al&e to 5, blank pass'ords are not permitted) Valid non2(ero ,al&es are bet'een 9 and 9=, 'ith a defa< ,al&e of (ero) Ma*i!u! Password A$e Oo& can &se the Ma*i!u! Password A$e setting to limit the time for 'hich a gi,en pass'ord is ,alid) This decreases the odds of being able to crack a pass'ord) /or more information, see the e1ample in the VPass'ordsW section in this doc&ment) Bn the Windo's 7555 famil" and later, the Ma*i!u! Password A$e setting is located in the Kro&p Polic" MMC, in the ,efault ,o!ain polic" at Comp&ter Config&rationPWindo's #ettingsP#ec&rit" #ettingsPAcco&nt PoliciesPPass'ord Polic"PMa1im&m Pass'ord Age) This setting determines the period of time Cin da"sE that a &ser can &se their pass'ord before the comp&ter re-&ires the &ser to change it) Oo& can set pass'ords to e1pire in bet'een 9 and <<< da"s, or "o& can specif" that pass'ords ne,er e1pire b" setting the n&mber of da"s to 5) Valid non2(ero ,al&es are bet'een 9 and <<<, 'ith a defa< ,al&e of =7) Mini!u! 
Password Age

You can use the Minimum Password Age setting to prevent users from repeatedly changing passwords until the user is able to use their original password, if you enforce the Password History setting. When you use the Minimum Password Age setting, you prevent the circumvention of password expiration and help to assure unique passwords. The Minimum Password Age setting determines the period of time (in days) that a password must be used before the user can change it. You can set the value to between 1 and 999 days, or allow immediate changes by setting the number of days to 0. Configure the Minimum Password Age setting to be a number that is larger than 0 if you want the Enforce Password History setting to be effective. If you do not set a minimum password age, users can repeatedly cycle through passwords until they are able to use an old favorite password. This could allow users to circumvent established password policy. The Minimum Password Age setting is located in the Group Policy MMC, in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. Valid non-zero values are between 1 and 999, with a default value of one for domain controllers and zero for other computers.

Account Lockout Settings

You can set the Account Lockout settings in the Active Directory Users and Computers MMC by using the procedure in this section.

Note: The value that you set for LockoutDuration cannot be a value that is less than ObservationWindow.

1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the domain on which you want to set a Group Policy object.
3. Click Properties, and then click the Group Policy tab.
4. In Group Policy Object Links, click Default Domain Policy or create and name your Group Policy object, and then click Edit.
5.
In the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then click Account Lockout Policy.
6. In the details pane, right-click the policy setting that you want, and then click Properties.
7. If you are defining this policy setting for the first time, click Define this policy setting.
8. Click the options that you want, and then click OK.

ObservationWindow

The ObservationWindow setting (also known in Group Policy as the Reset account lockout counter after setting) is the number of minutes after which an account's badPwdCount registry value is reset. You can use the ObservationWindow setting to help mitigate lockout issues that are initiated by users. When you enable this setting, the bad password attempt is removed from the server after a period of time. Valid non-zero values are between 1 and 99999, with a default value of 30.

LockoutDuration

The LockoutDuration setting (also known in Group Policy as the Account lockout duration setting) is the amount of time, in minutes, that account lockout is enforced on an account that has exceeded the LockoutDuration registry value, measured from the time of lockout. If you set the LockoutDuration registry value to 0, the account is permanently locked out until either an administrator or a user who has a delegated account resets the account. If the administrator or a delegated user account does not unlock the account, the operating system unlocks the account after the number of minutes that you set in the LockoutDuration registry value. Non-zero values for the LockoutDuration registry value reduce the administrative overhead of unlocking accounts by having them unlocked automatically; however, non-zero values do not provide the added security of user validation before the account is restored. Valid non-zero values are between 1 and 99999, with a default value of 30.

LockoutThreshold

The LockoutThreshold setting (also known in Group
Polic" as the Account loc#out threshold settingE is the n&mber of times that the &ser, comp&ter, ser,ice, or program can send a bad pass'ord d&ring logon a&thentication before the acco&nt is locked o&t) Acco&nt locko&t occ&rs 'hen the /adPwd'ount registr" ,al&e is e-&al to or e1ceeds the &oc#outThreshold ,al&e) Oo& can ad.&st the &oc#outThreshold ,al&e to pre,ent both br&te force and dictionar" attacks, b&t "o& can set the ,al&e too lo' to capt&re &ser error and other non2attack errors) Administrators often set this ,al&e too lo' C8 thro&gh @E, 'hich ca&ses a large n&mber of acco&nt locko&ts beca&se of &ser error, program caching b" ser,ice acco&nts, or iss&es 'ith net'orking clients) Bf "o& set the &oc#outThreshold ,al&e to 5, no acco&nt locko&ts occ&r on the domain) Valid non2(ero ,al&es are bet'een 9 and <<<, 'ith a defa< ,al&e of (ero) Account &oc#out -alues Acco&nt locko&t registr" ,al&es are described in this section) These ,al&es store the information that "o& need to track acco&nt locko&t information) Note These ,al&es are maintained b" the operating s"stem, so "o& sho&ld not man&all" modif" them) /adPasswordTi!e The /adPasswordTi!e ,al&e stores the last time that the &ser, comp&ter, or ser,ice acco&nt s&bmitted a pass'ord that did not match the pass'ord on the a&thenticating domain controller This propert" is stored locall" on each domain controller that is in the domain) A ,al&e of 5 means that the last incorrect pass'ord time is &nkno'n) /or an acc&rate ,al&e for the &serAs last incorrect pass'ord time in the domain, "o& m&st -&er" each domain controller that is in the domain+ the largest one is the acc&rate ,al&e) /or more information, see the 0Locko&t#tat&s)e1e0 section in this doc&ment) Note The /adPasswordTi!e registr" ,al&e is not replicated bet'een domain controllers) This attrib&te, ho'e,er, is reported to the PDC operations master) /adPwd'ount The /adPwd'ount ,al&e stores the n&mber of times that the &ser, comp&ter, or ser,ice acco&nt tried to 
log on to the account by using an incorrect password. This value is maintained separately on each domain controller in the domain, except for the PDC operations master of the accounts domain, which maintains the total number of incorrect password attempts. A value of 0 indicates that the value is unknown. For an accurate total of the user's incorrect password attempts in the domain, you must query each domain controller and use the sum of the values. For more information, see the "LockoutStatus.exe" section in this document.

Note: The badPwdCount registry value is not replicated between domain controllers. This registry value, however, is reported to the PDC operations master.

ntPwdHistory

The ntPwdHistory registry value contains the password history for the user in Windows NT Server 4.0 one-way function (OWF) form. Both Windows 2000 and the Windows Server 2003 family use the Windows NT Server 4.0 OWF. This property is used by only the operating system. Note that you cannot obtain the password from the password in OWF form.

Other Settings That Affect Account Lockout

This section describes another setting that affects account lockout behavior. While the setting is focused on authentication, it is closely tied with account lockout policy. You can set the authentication settings in the Active Directory Users and Computers MMC by using the procedure in this section.

1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the domain on which you want to set a Group Policy object.
3. Click Properties, and then click the Group Policy tab.
4. In Group Policy Object Links, click Default Domain Policy or create and name your Group Policy object, and then click Edit.
5. In the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Security Options.
6.
In the details pane, right-click the policy setting that you want, and then click Properties.
7. If you are defining this policy setting for the first time, click Define this policy setting.
8. Click the options that you want, and then click OK.

ForceUnlockLogon

The ForceUnlockLogon setting (also known as "Interactive logon: Require Domain Controller authentication to unlock workstation") controls the behavior of a computer running Windows 2000, Windows XP or the Windows Server 2003 family when the computer is unlocked by a user. With a value of 1 (or Enabled, in Group Policy), unlocking the computer also performs a synchronous logon to the domain to verify user authenticity. This option is slower than allowing cached authentication because it requires network-based authentication. With a value of 0 (or Disabled, in Group Policy), cached information is used to verify the user's identity. When the verification is successful, the user is logged on. Windows then performs an asynchronous logon to the domain in the background. This means that the user can still unlock a computer when the account is unlocked. Valid values are 0 and 1, with a default value of 0. For additional information about unlocking a workstation, see the following articles:

"Information About Unlocking a Workstation" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=281250).
"Screensaver Password Works Even If Account Is Locked Out" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=188700).

Replication and Account Lockout

Account lockout relies on the replication of lockout information between domain controllers to ensure that all domain controllers are notified of an account's status. In addition, password changes must be communicated to all domain controllers to ensure that a user's new password is not considered incorrect. This data replication is accomplished by the various replication features of Active Directory and is also discussed in this section.

Immediate
Replication

When you change a password, it is sent over Netlogon's secure channel to the PDC operations master. Specifically, the domain controller makes a remote procedure call (RPC) to the PDC operations master that includes the user name and new password information. The PDC operations master then locally stores this value. Immediate replication between Windows 2000 domain controllers is caused by the following events:

Lockout of an account
Modification of a Local Security Authority (LSA) secret
State changes of the Relative ID (RID) Manager

Urgent Replication

Active Directory replication occurs between domain controllers when directory data is updated on one domain controller and that update is replicated to all other domain controllers. When a change in directory data occurs, the source domain controller sends out a notice that its directory store now contains updated data. The domain controller's replication partners then send a request to the source domain controller to receive those updates. Typically, the source domain controller sends out a change notification after a delay. This delay is governed by a notification delay. (The Windows 2000 default notification delay is 5 minutes; the Windows Server 2003 default notification delay is 15 seconds.) However, any delay in replication can result in a security risk for certain types of changes. Urgent replication ensures that critical directory changes are immediately replicated, including account lockouts, changes in the account lockout policy, changes in the domain password policy, and changes to the password on a domain controller account. With urgent replication, an update notification is sent out immediately, regardless of the notification delay. This design allows other domain controllers to immediately request and receive the critical updates. Note, however, that the only difference between urgent replication and typical replication is the lack of a delay before the transmission of the change notification. If
this does not occur, urgent replication is identical to standard replication. When replication partners request and subsequently receive the urgent changes, they receive, in addition, all pending directory updates from the source domain controller, and not only the urgent updates. When either an administrator or a delegated user unlocks an account, manually sets password expiration on a user account by clicking User Must Change Password At Next Logon, or resets the password on an account, the modified attributes are immediately replicated to the PDC emulator operations master, and then they are urgently replicated to other domain controllers that are in the same site as the PDC emulator. By default, urgent replication does not occur across site boundaries. Because of this, administrators should make manual password changes and account resets on a domain controller that is in that user's site. The following events are not urgent replications in Windows 2000 domains:

Changing the account lockout policy
Changing the domain password policy
Changing the password on a computer account
Domain trust passwords

For additional information about urgent and immediate replication, see "Urgent Replication Triggers in Windows 2000" in the Microsoft Knowledge Base (http://support.microsoft.com/default.aspx?scid=kb;en-us;232690).

Single User Object (On Demand) Replication

In the Windows 2000 family, when an administrator resets and immediately expires a user's password on a domain controller in site A (so that the user is given a new password but forced to change it when the user first logs on), the logon may still succeed when the user logs on with that new password in site B. This occurs because the domain controller chains to the PDC operations master during authentication. However, the user's password change may not replicate correctly because domain controllers in site B
do not "et ha,e the reset pass'ord) This occ&rs beca&se there is replication latenc" bet'een sites) An &pdate is a,ailable for Windo's 7555 that changes this beha,ior) /or more information to help change this beha,ior b" implementing an 0on2demand0 replication scheme, see 0Oo& Cannot Change Oo&r Pass'ord After an Administrator Resets Bt0 on the Microsoft Gno'ledge !aseL http6MMs&pport)microsoft)comMNid;>97=<<) The &pdated replication scheme allo's the domain controller to contact the PDC operations master to re-&est an &pdate of the &ser ob.ect that failed a&thentication beca&se of an incorrect pass'ord) This helps to ens&re that the a&thenticating domain controller recei,es the most c&rrent &ser acco&nt information as -&ickl" as possible) Mi*ed =nviron!ents with Windows NT Server 4.0 and Active ,irector" ,o!ain 'ontrollers Bf ser,ers that are r&nning Windo's FT #er,er =)5 and earlier are in the domain, acco&nt locko&t is not a dependable sec&rit" feat&re) /or e1ample, a Windo's FT #er,er =)5, Enterprise Edition, back&p domain controller C!DCE ma" a&thenticate a &ser, e,en tho&gh the acco&nt is marked as locked o&t on a domain controller that is r&nning Windo's FT #er,er =)5 and earlier) Also, Windo's FT #er,er =)5, Enterprise Edition, !DCs cannot &nlock an acco&nt) The ser,er that is r&nning Windo's FT #er,er =)5, Enterprise Edition, can increment the bad pass'ord co&nt 'hen the &ser logs in 'ith an incorrect pass'ord) That ser,er can then report the increment to the other domain controller) 3o'e,er, the Windo's FT #er,er =)5, Enterprise Edition, !DC does not send this information to the domain controller that is r&nning Windo's FT #er,er =)5 and earlier if the &ser logs on 'ith the correct pass'ord) !eca&se of this, the bad pass'ord co&nt is not reset after the s&ccessf&l logon attempt) The acco&nt locko&t feat&re of Microsoft LAF Manager is not compatible 'ith the acco&nt locko&t feat&re on comp&ters that are r&nning Windo's FT #er,er =)5 and earlier) The domain 
controller that is running Windows NT Server 4.0 and earlier does not replicate any account lockout information to a LAN Manager BDC. If the account is marked as locked out on the Windows NT Server 4.0 and earlier domain controller, the LAN Manager BDC may still validate the user. The LAN Manager BDC displays the account lockout policy as set to "Never," even in a domain running Windows NT Server 4.0 and earlier where account lockout is enabled. For these reasons, you should consider ensuring that all domain controllers in your network are running Windows 2000 or the Windows Server 2003 family. This is the only way to ensure that account lockout is enforced consistently across your network.

Maintaining and Monitoring Account Lockout

After you configure the account lockout options that you want, set up the computers so that you can capture more data about the accounts that are being locked out. This section describes how to enable auditing, Netlogon logging, and Kerberos logging, as well as which computers to retrieve the logs from. After you configure the logging and capture the appropriate data, this section will show you how to analyze the information so that you can ensure account lockout settings are working and identify attacks.

Enable Auditing at the Domain Level

The following sections describe how to enable auditing at the domain level for different operating systems. To effectively troubleshoot account lockout, enable auditing at the domain level for the following events:

Account Logon Events – Failure
Account Management – Success
Logon Events – Failure

Windows 2000 and Windows Server 2003 Domains

The Audit Policy settings are located in the Default Domain policy settings. To view the Auditing policy settings, in the Group Policy MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy. Enable auditing for the event types listed in the previous
section.

Windows NT Server 4.0 Domain

Open User Manager, click Policies, click Auditing, enable Logon and Logoff auditing for failure events, and then enable User and Group Management auditing for success events.

Settings for Event Logs

For troubleshooting purposes, change some of the settings for the Security event logs:

Set the maximum security log size to 10,000 KB or more. This helps to ensure that important events are not overwritten when the log file becomes large in size.
Set the event retention method to Overwrite events as needed to ensure that the computer is not shut down because there are too many Security event log entries, even when the log file becomes large in size.

For information about how to change the size and retention method of the Security event log, see the Help documentation for the operating system with which you are working. Because the events can occur on both the client and the server, you can use the following tools to help you gather the information in a single location.

Use the EventCombMT.exe tool, a multithreaded tool, to gather specific events from event logs from several different computers to one central location and then search those event logs for specific data of interest. Some specific search categories are built into the tool, such as account lockouts, which is already configured to include events 529, 644, 675, 676, and 681. For more information, see the Help file that is included with the tool.
Use the Eventlog.pl tool to help you manage event logs in Windows 2000. You can use this tool to change the properties of event logs, back up event logs, export event lists to a text file, clear event logs, and query the properties of the event logs. For more information, see "HOW TO: Use the Event Log Management Script Tool (Eventlog.pl) to Manage Event Logs in Windows 2000" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=318763).

Netlogon Logging

You can use Netlogon logging to capture Netlogon and NTLM events. It is
recommended that you configure Netlogon logging in a Windows 2000 domain that has Windows 2000 clients. You must configure Netlogon logging on the primary domain controller (PDC) and on any other domain controllers that are involved in user authentication. To determine the authenticating domain controller, at a command prompt, type set l or use the LockoutStatus.exe tool. For more information about the LockoutStatus.exe tool, see the "Account Lockout Tools" section in this document. For enterprises that have fewer than 10 domain controllers, you should enable Netlogon logging on all domain controllers for each domain.

Enabling Netlogon Logging on Computers Running Windows 2000 Server

To enable Netlogon logging on computers that are running Windows 2000 Server, at a command prompt, type nltest /dbflag:0x2080ffff. The log file is created in Systemroot\Debug\Netlogon.log. If the log file is not in that location, stop and restart the Netlogon service on that computer. To do this, at a command prompt, type net stop netlogon & net start netlogon. For more information, see "Enabling Debug Logging for the Netlogon Service" on the Microsoft Knowledge Base (http://support.microsoft.com/?id=109626). If free disk space is low, make sure there is enough space to allow the 40 megabytes (MB) maximum space for the logging. You should also consider the disk space that Netlogon logging uses. When Netlogon.log reaches 20 MB in size, it is renamed to Netlogon.bak and a new Netlogon.log is created with the latest Netlogon data. After that Netlogon.log reaches 20 MB in size, Netlogon.bak is truncated, and the current Netlogon.log file is renamed to Netlogon.bak. Because of this process, the total disk space that is used by Netlogon logging is never more than 40 MB.
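Once Netlogon logging is enabled, the captured lines can be analysed mechanically rather than by eye. The following Python script is an added example and is not part of this white paper or of any Microsoft tool. It parses lines in the simplified Netlogon.log layout this paper prints (timestamp, logon type, domain\user, workstation, an optional "(via host)" field and the NTSTATUS code), replays the 0xC000006A (wrong password) entries against the LockoutThreshold and ObservationWindow settings described earlier to check that an observed 0xC0000234 (account locked out) result is consistent with the configured policy, and follows the "via" field from the PDC emulator's log back to the originating computer, which is what the Netlogon walkthrough later in this document does by hand. The sample log lines, the host and user names, and the year 2003 (Netlogon.log timestamps carry no year) are constructed or assumed for the example; real Netlogon.log lines carry extra fields such as "[LOGON]" and "SamLogon:", so the regular expression must be adapted before running this over production files.

```python
r"""Parse Netlogon.log lines, replay them against lockout policy, and trace the chain.

Added example, not from the white paper. Assumes the simplified line layout the
paper prints, e.g.
    29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
Real Netlogon.log lines carry extra fields ("[LOGON]", "SamLogon:", "Returns"),
so LINE_RE must be adapted before running this over raw log files.
"""
import re
from datetime import datetime, timedelta

STATUS_WRONG_PASSWORD = 0xC000006A      # NTSTATUS logged for a bad password
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234  # NTSTATUS once the account is locked out

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>Transitive Network logon|Network logon) "
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+) (?P<workstation>\S+)"
    r"(?: \(via (?P<via>\S+)\))? (?P<status>0x[0-9A-Fa-f]{8})$"
)


def parse_line(line, year=2003):
    """Return a dict for one log line, or None if it does not match the layout.
    Netlogon.log timestamps have no year, so the caller supplies it (assumed 2003)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(f"{m['ts']} {year}", "%d-%b %H:%M:%S %Y"),
        "kind": m["kind"],
        "user": f"{m['domain']}\\{m['user']}",
        "workstation": m["workstation"],
        "via": m["via"],  # None when the logon reached this host directly
        "status": int(m["status"], 16),
    }


def parse_log(text, year=2003):
    """Parse a whole log, skipping lines in other formats."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def replay_lockout(events, threshold, observation_window_minutes):
    """Simulate one DC's badPwdCount over its logged events.
    The count resets once ObservationWindow minutes have elapsed since the last bad
    password; lockout is declared when badPwdCount reaches LockoutThreshold, and a
    threshold of 0 disables lockout. Returns (final_count, lockout_time or None)."""
    window = timedelta(minutes=observation_window_minutes)
    count, last_bad = 0, None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["status"] != STATUS_WRONG_PASSWORD:
            continue
        if last_bad is not None and ev["time"] - last_bad >= window:
            count = 0  # observation window expired: counter was reset
        count, last_bad = count + 1, ev["time"]
        if threshold and count >= threshold:
            return count, ev["time"]
    return count, None


def trace_lockout_chain(logs_by_host, pdc, user):
    """Follow the "(via X)" field from the PDC emulator's log back to the computer
    that presented the bad credentials: PDC -> authenticating DC -> member server
    -> workstation (steps 3, 2 and 1 of the paper's authentication walkthrough)."""
    path, host, seen = [pdc], pdc, set()
    while host in logs_by_host and host not in seen:
        seen.add(host)
        bad = [e for e in logs_by_host[host]
               if e["user"] == user and e["status"] == STATUS_WRONG_PASSWORD]
        if not bad:
            break
        if bad[-1]["via"] is None:  # no "via": this host received the logon directly
            path.append(bad[-1]["workstation"])
            break
        host = bad[-1]["via"]
        path.append(host)
    return path


# Constructed sample logs in the paper's layout (not real captures): five bad
# passwords from Computer-006, relayed MEMSERVER01 -> DC003 -> DC002, then lockout.
PDC_LINE = "29-Mar 14:28:30 Transitive Network logon Tailspintoys\\User1 Computer-006 (via DC003) 0xC000006A\n"
SAMPLE_LOGS = {
    "DC002": parse_log(PDC_LINE * 5 + "29-Mar 14:28:31 Transitive Network logon "
                       "Tailspintoys\\User1 Computer-006 (via DC003) 0xC0000234"),
    "DC003": parse_log(
        "29-Mar 14:28:30 Transitive Network logon Tailspintoys\\User1 Computer-006 (via MEMSERVER01) 0xC000006A\n"
        "29-Mar 14:28:31 Transitive Network logon Tailspintoys\\User1 Computer-006 (via MEMSERVER01) 0xC0000234"),
    "MEMSERVER01": parse_log(
        "29-Mar 14:28:31 Network logon Tailspintoys\\User1 Computer-006 0xC000006A\n"
        "29-Mar 14:28:32 Network logon Tailspintoys\\User1 Computer-006 0xC0000234"),
}

# A second constructed series: three bad passwords at 09:00 and three at 10:00.
# With a 30-minute ObservationWindow the counter resets in between, so a
# threshold of 5 is never reached; with a 120-minute window it is.
SPREAD_LOG = parse_log("\n".join(
    f"29-Mar {h:02d}:00:{s:02d} Network logon Tailspintoys\\User2 Computer-007 0xC000006A"
    for h in (9, 10) for s in range(3)))

if __name__ == "__main__":
    count, when = replay_lockout(SAMPLE_LOGS["DC002"], threshold=5, observation_window_minutes=30)
    print(f"DC002 badPwdCount={count}, locked out at {when}")
    print("lockout chain:", " <- ".join(trace_lockout_chain(SAMPLE_LOGS, "DC002", "Tailspintoys\\User1")))
    print("spread series, 30-min window:", replay_lockout(SPREAD_LOG, 5, 30))
    print("spread series, 120-min window:", replay_lockout(SPREAD_LOG, 5, 120))
```

The replay is deliberately per-host: as the paper notes, badPwdCount is not replicated, and the PDC emulator sees every chained attempt in addition to the authenticating DC's own count, so feeding each controller's Netlogon.log through replay_lockout separately mirrors what LockoutStatus.exe reports per domain controller rather than a domain-wide sum.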
Note: Performance may be slightly degraded by the logging process. Therefore, you should disable Netlogon logging after you have captured the events that you want in the log file. To disable Netlogon logging, at a command prompt, type nltest /dbflag:0, press ENTER, type net start netlogon and then press ENTER.

Kerberos Logging

If account lockouts involve Kerberos clients that are running a member of the Windows 2000 family or later, you can enable Kerberos logging on those client computers. You would typically perform this step after you have determined that there is an authentication issue that is related to Kerberos.

To enable Kerberos event logging on a computer:

1. Click Start, click Run, type regedit, and then press ENTER.
2. Add the following registry value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters registry key:
   Registry value: LogLevel
   Value type: REG_DWORD
   Value data: 0x1
   If the Parameters registry key does not exist, create it.
3. Close Registry Editor and restart the computer.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note: Performance may be degraded by the logging process. Therefore, you should disable the logging process after you capture the events that you want in the log file. To disable logging, remove the LogLevel registry value, and then restart the computer. You can automate this process by using the script that is in the "Account Lockout Tools" section in this document. This script sets the Kerberos logging key in the registry on client computers that are running Windows 2000. If you want to enable logging for groups of computers, you can specify this script as a startup script in an Active Directory group policy.

To disable Kerberos event logging on a computer:

1. Click Start, click Run, type regedit, and then press ENTER.
2.
Delete the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel registry value.
3. Close Registry Editor and restart the computer.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

For more information, see "HOW TO: Enable Kerberos Event Logging" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=262177).

Event and Netlogon Log Retrieval

After you set the auditing and logging, wait until account lockouts occur. When the account lockout occurs, retrieve both the Security event log and the System event log, as well as the Netlogon logs for all of the computers that are involved with the client's lockout. This includes the PDC emulator operations master, the authenticating domain controller, and all of the client computers that have user sessions for the locked-out user. To determine the domain controllers that are involved with the lockout, run the LockoutStatus.exe tool and specify the user account that is locked out. This tool gathers and displays information about the specified user account from all the domain controllers in the domain. In addition, the tool displays the user's badPwdCount value on each domain controller. The domain controllers that have a badPwdCount value that reflects the bad password threshold setting for the domain are the domain controllers that are involved in the lockout. These domain controllers always include the PDC emulator operations master. The badPwdCount value may appear to be higher than the threshold because of the way that passwords are chained to the PDC emulator operations master. When a bad password is presented by a user or program, both the authenticating domain controller and the PDC emulator operations master increment their badPwdCount value for that account. When Active Directory replication occurs, this can result in an increased value. However, the end
result, the account becoming locked out, remains the same. You can also use the EventCombMT.exe tool to gather specific event log data from multiple computers to one central location. For more information about both the EventCombMT.exe and LockoutStatus.exe tools, see the "Account Lockout Tools" section in this document.

Analyzing Log File Information

The previous section described the processes that you can use to enable log files to record information that is lockout-specific on your computers. This section focuses on analyzing those log files and determining what behavior occurred that created the log files and caused the issue that you are trying to resolve. This section also describes how to resolve the issues that you find when you analyze the log files.

Analyzing Netlogon Log Files

Before you start to analyze the Netlogon log files, you should be familiar with how the authentication process works, as described in previous sections in this paper. Although this section describes an NTLM authentication process, a similar chain of events occurs during Kerberos authentication. The following sample scenario discusses what occurs when a user who is on a client computer tries to gain access to a resource that is on a file server in the same domain as the user account. In this process:

1. User credentials are passed to the file server. This is displayed in the "Network Logon" section in the Netlogon.log file.
2. The file server tries to authenticate the user, but the file server has to forward the credentials to the authenticating domain controller for validation because this account is a domain user account. This behavior is displayed as "Transitive Network logon" in the Netlogon.log file and is commonly referred to as pass-through authentication.
3.
If the password is incorrect or if it is not the same as the password that is stored by the authenticating domain controller, the authenticating domain controller chains the credentials to the PDC for validation. This is displayed as "Transitive Network Logon" in the Netlogon.log file.

Netlogon Log File Walkthrough
The following sections provide sample Netlogon.log file output from the following three computers:
The PDC operations master for the domain: DC002
The authenticating domain controller: DC003
The member server: MEMSERVER01
The sample output sections show the following participants involved in network authentication:
Domain name: Tailspintoys
Logon user name: User1
Logon computer name: Computer-006

Transitive Network Logon (Pass-Through Authentication)
Sample from the DC002 PDC emulator Netlogon log file:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC0000234
Sample from the DC003 authenticating domain controller Netlogon log file:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC0000234
Sample from the MEMSERVER01 member server Netlogon log file:
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC0000234
These Netlogon.log file samples provide an example of the information contained in the Netlogon logs. This information is used to trace the account lockout from the domain controller back to the member server on which a user or application tried to gain access with the incorrect credentials.

Stepping Through the Netlogon Log File Sample
This section describes the standard analysis process of log files when attempting to determine the cause of an account lockout issue. In most troubleshooting scenarios, you should begin your log file analysis by examining the Netlogon.log file on the PDC operations master. Because this is a transitive network logon, you can find the authenticating domain controller by viewing the "Via" line in the Netlogon.log file for the domain controller that is chaining the logon to the PDC operations master.

Sample from the PDC Emulator (DC002) Netlogon Log File
In the "Via" line from the PDC's Netlogon.log file in the following example, note that the authentication is being chained from DC003.
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
This is an illustration of step 3 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document.

Sample from the Authentication Domain Controller (DC003) Netlogon Log File
In the Netlogon log file on DC003, this authentication is still a transitive network logon, because credentials were sent to DC003 for verification. Because of this, note where the credentials are sent from. In this example, the credentials are being sent "via MEMSERVER01":
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
This is an illustration of step 2 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document. The file server tries to authenticate the user, but the file server has to forward the credentials to the authenticating domain controller for validation because this is a domain user account. This is displayed as "Transitive Network logon" in the FileServername section of the Netlogon.log file.

Sample from the Member Server (MEMSERVER01) Netlogon Log File
From the Netlogon.log file on MEMSERVER01 from the same time period, verify the actual client computer name where the original logon or session setup request came from. In this example, the request came from Computer-006:
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
This is an illustration of step 1 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document. User credentials are passed to the file server. This is displayed in the "Network Logon" section in the Netlogon.log file.
Even though the log file does not display the exact process that is sending the incorrect credentials, Netlogon log files do provide the following information to help you troubleshoot the lockout:
Netlogon output displays the number of unsuccessful logon attempts (0xC000006A) for a user's account in a certain time period. Logs in which there are several 0xC000006A events in one second indicate that the lockout is most likely caused by a process, program, or script that is sending incorrect
credentials.
Netlogon output provides a complete picture of all computers that are involved in the account lockout. You can narrow down the culprit by determining the common elements, such as programs, among the computers involved. For example, from the Netlogon output above, after you determined that MEMSERVER01 was common to all user lockouts, the troubleshooting focus changed to the particular network services or user accounts that are used by MEMSERVER01. In this example, MEMSERVER01 is the Microsoft Exchange server. After you examine the Microsoft Outlook client and Exchange server settings, you may want to use the information that is in the following two articles to help resolve the issue. These articles describe how to remove unnecessary RPC bindings from the Exchange server. For example, remove Named Pipe support if there is no client that requires the named pipes.
"Outlook Locks Your Account Because of a Directory Service Referral with Exchange 2000 Server" in the Microsoft Knowledge Base [http://support.microsoft.com/?id=291598].
"Unexpected Account Lockouts Caused When Logging On to Outlook from an Untrusted Domain" in the Microsoft Knowledge Base [http://support.microsoft.com/?id=276541].
If the Netlogon logs from all domain controllers cover the time of the lockout but do not display data that pertains to any of the locked-out user accounts that you are analyzing, then NTLM authentication is not involved in the lockouts. This normally indicates that the authentication issues are between computers running Windows 2000 or later, because earlier versions of Windows used NTLM authentication exclusively. You should focus on Kerberos authentication troubleshooting by using Kerberos logging and examining the Security event logs.

Netlogon Log File Error Codes
Each event in the Netlogon log contains a corresponding error code. The following table describes these error codes.
Table 3 Netlogon Log Error Codes
Log Code  Description
0x0  Successful login
0xC0000064  The specified user does not exist
0xC000006A  The value provided as the current password is not correct
0xC000006C  Password policy not met
0xC000006D  The attempted logon is invalid due to a bad user name
0xC000006E  User account restriction has prevented successful login
0xC000006F  The user account has time restrictions and may not be logged onto at this time
0xC0000070  The user is restricted and may not log on from the source workstation
0xC0000071  The user account's password has expired
0xC0000072  The user account is currently disabled
0xC000009A  Insufficient system resources
0xC0000193  The user's account has expired
0xC0000224  User must change his password before he logs on the first time
0xC0000234  The user account has been automatically locked
Note: Many of these codes provide information in the log file that is redundant with the corresponding Netlogon event log. This allows you to analyze the events in a variety of ways.

Frequently Asked Questions
This section answers common questions that might be helpful in troubleshooting the Account Lockout feature in the Windows Server 2003 family.
Do the logon attempts happen seconds apart, or are there many invalid logon attempt events (error code 0xC000006A) in the same second?
The pattern shows whether this is a user error or a process or program that is creating the lockout. Users take several seconds between events; however, a process or program typically registers many invalid or unsuccessful logon attempt events in one second.
Note: You can use the NLParse.exe tool to parse Netlogon logs for specific events that are related to account lockout, such as events 0xC000006A and 0xC0000234. The parsed data is sent to a .csv file that you can read by using a program like Microsoft Excel. For more information about NLParse, see the "Account Lockout Tools" section in this document.
From which computers are the invalid logon attempt events generated?
When you review the Netlogon logs and event logs, you can isolate from which
computer the user was logged on during the account lockouts. In many situations, you will discover that a user is logged onto multiple computers; after the user changes their password on one computer, the user account is locked out.
What client computers are displayed in the Netlogon log files?
If only Windows 98 or Windows 95 clients are locked out, you may need to install the directory service client for those clients. For example, below, the Computer-006 computer generates the invalid logon attempt event:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
Which user accounts are associated with the invalid logon attempt events?
If privileged accounts (such as the administrator, service accounts, and well-known application account names) are receiving a large number of incorrect password attempts, first review the information for the computers that have made the attempts with the incorrect passwords, and then determine if there is a wrong password for the account. After you do this, if the passwords on all of the accounts are reset and incorrect password attempts persist, perform a trace to determine if the computer is under an attack. You can place an event trigger to stop the trace and determine where the attempt may be coming from. Internal or external computers can be a threat if there are worm viruses or compromises. The following example shows that the 0xC000006A error code is generated for the Tailspintoys\User1 user:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
Is there an obvious pattern to the invalid logon attempt events and account lockouts?
Pattern: All users on the domain are locked out, including users who did not change their password. There are many unsuccessful authentication attempts per second.
Possible Solution: If you determine that the log files show that most or all of the user accounts are locked out in your domain, you must perform a trace to determine whether the source of the attack is internal or external to your network. If the attack appears to come from an internal computer, examine the processes running on these computers, as this likely indicates a common process that uses outdated or incorrect credentials. Attacks from outside your network often indicate denial of service or brute force attacks against your user accounts.
Pattern: Alphabetical list of users in the log files.
Possible Solution: If the log files show that all of the user accounts are locked out in a list that is almost alphabetical, it is most likely that this behavior is caused by an attempt to break passwords or a denial of service attack. You must perform a network trace to the source of the attack.
Pattern: A specific number of logon attempts are made on each locked-out account.
Possible Solution: If you determine that the log files display a specific number of logon attempts for each user, add the number of occurrences of 0xC000006A and 0xC0000234 errors for the user. In some scenarios, you may see a pattern of a specific number of attempts for one user, and then the same number of attempts for another user, and so on. This behavior may be an attack on the network, or a program could be sending a specific set of attempts. 16 or 17 attempts per user is a common figure for these types of attacks.
In most account lockout situations, you must use Netlogon log files to determine which computers are sending bad credentials. When you analyze Netlogon log files, look for the 0xC000006A event code, because this event will help you determine where the bad password attempts began to occur. When you see the 0xC000006A event code and it is followed by a 0xC0000234 event code, the event codes that come after these event codes help you determine what caused the account lockout. If you see patterns in the log files, the patterns can help you determine if the event code was logged because of either a program attack or user error.

Analyzing Event Logs
You cannot determine the authentication type that was used when an account is locked out unless you enable Netlogon logging before the account lockout. However, because of differences in authentication, there may be situations in which Netlogon logging does not capture the data that you need to determine which computers were involved in an account lockout. Configuring the appropriate computers to create event logs may provide additional information in these situations. Before the problems occur, you should enable security auditing and Kerberos logging on all computers that might be involved in the account lockout event. Enabling auditing and Netlogon log files is discussed elsewhere in this document. If the auditing is not configured before the initial error occurs, it can be done afterwards.
Once the account lockout occurs, there are several tasks that should be completed to help identify the cause of the issue:
1. Obtain both the Security and System event logs from all of the computers that are locked out if those computers were logged on when the lockout occurred. Also, obtain these log files from the PDC emulator operations master and all domain controllers that may be involved in the account lockout.
2.
Look for Event 675 (Preauthentication Failures) in the Security event log for the domain controllers for the locked-out user account. This event displays the IP address of the client computer from which the incorrect credentials were sent. When you view these events in the Security event log from the PDC, an IP address with Event 675 may be the IP address of another domain controller because of password chaining from other domain controllers. If this is true, obtain the Security event log from that domain controller to see the Event 675. The IP address that is listed in that Event 675 should be the IP address for the client computer that sent the invalid credential.
3. After you know which client computer is sending the invalid credentials, determine the services, programs, and mapped network drives on that computer. If this information does not reveal the source of the account lockout, perform network traces from that client computer to isolate the exact source of the lockout.
Note: You can use the EventCombMT.exe tool to gather event log data from different domain controllers at the same time. For more information about EventCombMT.exe, see the "Account Lockout Tools" section in this document.
For more information, see the following articles:
"Windows 2000 Security Event Descriptions (Part 1 of 2)" in the Microsoft Knowledge Base [http://support.microsoft.com/?id=299475].
"Windows 2000 Security Event Descriptions (Part 2 of 2)" in the Microsoft Knowledge Base [http://support.microsoft.com/?id=301677].
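The Netlogon analysis described in the walkthrough and FAQ above can be automated. The following Python script is an added example and is not code from the white paper or from a Microsoft tool: it parses the simplified Netlogon.log line layout shown in the samples, labels each status code with its Table 3 meaning, and applies the FAQ heuristics (several 0xC000006A events in one second, the chain of hosts in the "via" field, a fixed number of attempts on every locked-out account, and locked-out users appearing in alphabetical order). The User1 lines are the DC003 sample from the walkthrough; User2, User3 and the final unmatched line are constructed for the example. Real Netlogon.log lines carry more fields than the samples here, so the regular expression is an assumption about that simplified layout.

```python
"""Netlogon.log lockout analysis. Added example, not code from the white paper;
the parser assumes the simplified line layout shown in the samples above."""
import re
from collections import Counter, defaultdict

# Subset of Table 3 (Netlogon Log Error Codes) used to label each line.
NETLOGON_STATUS = {
    "0x0": "Successful login",
    "0xC0000064": "The specified user does not exist",
    "0xC000006A": "The value provided as the current password is not correct",
    "0xC0000072": "The user account is currently disabled",
    "0xC0000234": "The user account has been automatically locked",
}
BAD_PASSWORD, LOCKED_OUT = "0xC000006A", "0xC0000234"

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>Transitive Network logon|Network logon) "
    r"(?P<user>\S+) (?P<client>\S+)"
    r"(?: \(via (?P<via>\S+)\))? (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(lines):
    """One dict per matching line; unrelated Netlogon lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = "0x" + rec["status"][2:].upper()  # normalize hex case
        rec["meaning"] = NETLOGON_STATUS.get(rec["status"], "unknown status")
        records.append(rec)
    return records


def summarize(records, burst_threshold=3):
    """Per user: bad-password count, busiest single second, whether a lockout
    followed, and every host on the chain (client plus 'via' servers)."""
    acc = defaultdict(lambda: {"bad_pw": 0, "locked": False,
                               "per_second": Counter(), "hosts": set()})
    for r in records:
        s = acc[r["user"]]
        s["hosts"].add(r["client"])
        if r["via"]:
            s["hosts"].add(r["via"])
        if r["status"] == BAD_PASSWORD:
            s["bad_pw"] += 1
            s["per_second"][r["ts"]] += 1
        elif r["status"] == LOCKED_OUT:
            s["locked"] = True
    summary = {}
    for user, s in acc.items():
        peak = max(s["per_second"].values(), default=0)
        # Several 0xC000006A in the same second point to a program or script
        # replaying stale credentials rather than a person typing.
        source = "process or script" if peak >= burst_threshold else "interactive user"
        summary[user] = {"bad_pw": s["bad_pw"], "locked": s["locked"],
                         "peak_per_second": peak, "likely_source": source,
                         "hosts": sorted(s["hosts"])}
    return summary


def domain_pattern(summary):
    """Cross-user FAQ patterns: the same number of bad attempts on every
    locked-out account, or locked-out users appearing in alphabetical order."""
    locked = [u for u, s in summary.items() if s["locked"]]
    counts = {summary[u]["bad_pw"] for u in locked}
    return {
        "locked_users": len(locked),
        "fixed_attempt_count": counts.pop() if len(locked) > 1 and len(counts) == 1 else None,
        "alphabetical": len(locked) > 1 and locked == sorted(locked, key=str.lower),
    }


# Constructed sample: User1 is the DC003 sample from the walkthrough above;
# User2, User3 and the final unmatched line are made up for this example.
SAMPLE_LINES = (
    ["29-Mar 14:28:30 Transitive Network logon Tailspintoys\\User1 Computer-006 (via MEMSERVER01) 0xC000006A"] * 4
    + ["29-Mar 14:28:31 Transitive Network logon Tailspintoys\\User1 Computer-006 (via MEMSERVER01) 0xC000006A",
       "29-Mar 14:28:31 Transitive Network logon Tailspintoys\\User1 Computer-006 (via MEMSERVER01) 0xC0000234"]
    + ["29-Mar 14:30:%02d Transitive Network logon Tailspintoys\\User2 Computer-007 (via MEMSERVER01) 0xC000006A" % sec
       for sec in (2, 9, 17, 26, 35)]
    + ["29-Mar 14:30:35 Transitive Network logon Tailspintoys\\User2 Computer-007 (via MEMSERVER01) 0xC0000234",
       "29-Mar 14:31:00 Network logon Tailspintoys\\User3 Computer-008 0x0",
       "29-Mar 14:31:01 [MISC] Unrelated Netlogon chatter that the parser skips"]
)

if __name__ == "__main__":
    recs = parse_netlogon(SAMPLE_LINES)
    for user, info in summarize(recs).items():
        print(user, info)
    print(domain_pattern(summarize(recs)))
```

On the sample, User1 shows four 0xC000006A entries within one second followed by 0xC0000234, so the script attributes the lockout to a process or script and lists Computer-006 and MEMSERVER01 as the hosts to inspect, while User2's attempts, spaced seconds apart, look like a person typing. Because both locked-out users have exactly five bad attempts and appear in alphabetical order, domain_pattern also raises the cross-user patterns that the FAQ associates with scripted password guessing, which is the cue to start a network trace rather than to chase a single workstation.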
Example event log entry: incorrect password processed by Kerberos
The following example displays a sample Event 675 in the Security event log from the PDC emulator operations master:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/2/2001
Time: 2:41:26 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Pre-authentication failed:
User Name: user1
User ID: %{S-1-5-21-4232101219-1129906422-16398432-1114}
Service Name: krbtgt/Tailspintoys.com
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.1.85
In this example, failure code 0x18 is listed because an incorrect user name or password was used. The client address of 172.16.1.85 identifies the network client that caused this failure. The user name "user1" is also included in this event. The client address and user name should provide enough information for you to begin to address the issue, because you know which user is attempting to log on from which computer.

Example event log entry: Account is locked out
The following example displays a sample of Event 644, which indicates that the account is locked out:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 12/2/2001
Time: 2:41:26 PM
User: Everyone
Computer: COMPUTER-006
Description:
User Account Locked Out:
Target Account Name: user1
Target Account ID: %{S-1-5-21-4232101219-1129906422-16398432-1114}
Caller Machine Name: COMPUTER-006
Caller User Name: USER1$
Caller Domain: TAILSPINTOYS
Caller Logon ID: (0x0,0x3E7)
For more information on account lockout events, see "Audit Account Lockout" on the Microsoft TechNet Web site [http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/516.asp].

Example event log entry: Logon failure
The following example displays a sample of Event 529, which results from an unsuccessful logon attempt due to an invalid user name or password. This event is often useful in identifying the source of the lockout:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/21/2001
Time: 2:02:20 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: user1
Domain: Tailspintoys
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COMPUTER-006
This event contains several useful elements. It identifies the name of the computer that is attempting authentication, as well as the user and domain name. It also displays the logon type, which is discussed later in this section. When Event 529 is logged, you should look for patterns in the event. Determine if there are several 529 events logged and determine if they all occur in one second or if they occur at specific time intervals. If so, there is a process or service that is running on the computer that is sending incorrect credentials. Look at the "Logon Process" and "Logon Type" entries in the log to determine the type of process that is passing incorrect credentials and to determine how the process is logging on.

Example event log entry: Account Is Disabled
When there is an attempt to log on using a disabled account, a specific event is created in the event log. This can help you quickly identify intruders, because normal operations should not allow for the use of locked out accounts. You should analyze and respond quickly to these events.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/21/2001
Time: 2:02:21 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Logon Failure:
Reason: Account currently disabled
User Name: user1
Domain: TAILSPINTOYS
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate

Kerberos Events Logged During an Account Lockout
Once Kerberos logging is enabled, certain events will be logged when an account lockout occurs. These events are described in this section.

Incorrect Password
This event is logged when an incorrect password is received by Kerberos as part of an authentication request.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/21/2001
Time: 2:02:02 PM
User: N/A
Computer: COMPUTER-006
Description:
The function LogonUser received a Kerberos Error Message:
on logon session TAILSPINTOYS\user1
Client Time:
Server Time: 19:2:2.0000 12/21/2001 (null)
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Client Realm:
Client Name:
Server Realm: TAILSPINTOYS.COM
Server Name: krbtgt/TAILSPINTOYS.COM
Target Name: krbtgt/TAILSPINTOYS@TAILSPINTOYS
Error Text:
File:
Line:
Error Data is in record data.

Kerberos Event When a User Account Is Locked Out
This event is logged when Kerberos is used for authentication and an account lockout occurs.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/21/2001
Time: 2:02:21 PM
User: N/A
Computer: COMPUTER-006
Description:
The function LogonUser received a Kerberos Error Message:
on logon session TAILSPINTOYS\user1
Client Time:
Server Time: 19:2:21.0000 12/21/2001 (null)
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Client Realm:
Client Name:
Server Realm: TAILSPINTOYS.COM
Server Name: krbtgt/TAILSPINTOYS.COM
Target Name: krbtgt/TAILSPINTOYS@TAILSPINTOYS
Error Text:
File:
Line:
Error Data is in record
data.

Logon Events
Many different events can be created by various logon and logoff actions. The following table describes each logon event.
Table 4 Logon Event IDs
Event ID  Description
528  A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529  Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530  Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.
531  Logon failure. A logon attempt was made using a disabled account.
532  Logon failure. A logon attempt was made using an expired account.
533  Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534  Logon failure. The user attempted to log on with a type that is not allowed.
535  Logon failure. The password for the specified account has expired.
536  Logon failure. The Netlogon service is not active.
537  Logon failure. The logon attempt failed for other reasons. Note: In some cases, the reason for the logon failure may not be known.
538  The logoff process was completed for a user.
539  Logon failure. The account was locked out at the time the logon attempt was made.
540  A user successfully logged on to a network.
541  Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542  A data channel was terminated.
543  Main mode was terminated. Note: This might occur as a result of the time limit on the security association expiring, policy changes, or peer termination. (The default expiration time for security associations is eight hours.)
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545  Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546  IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547  A failure occurred during an IKE handshake.
548  Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549  Logon failure. All SIDs that correspond to untrusted namespaces were filtered out during an authentication across forests.
550  A denial-of-service attack may have taken place.
551  A user initiated the logoff process.
552  A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
672  An authentication service (AS) ticket was successfully issued and validated.
673  A ticket-granting service (TGS) ticket was granted.
674  A security principal renewed an AS ticket or TGS ticket.
675  Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
676  Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.
677  A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
678  An account was successfully mapped to a domain account.
681  Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.
682  A user has reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

Netlogon Logon Types
When many Netlogon logon events are logged, a logon type is also listed in the event details. The following table describes each logon type.
Table 5 Netlogon Logon Types
Logon type  Logon title  Description
2  Interactive  A user logged on to this computer.
3  Network  A user or computer logged on to this computer from the network.
4  Batch  The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5  Service  A service was started by the Service Control Manager.
7  Unlock  This workstation was unlocked.
8  NetworkCleartext  A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9  NewCredentials  A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10  RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11  CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Troubleshooting Account Lockout
In an environment where you set the account lockout feature, you may notice a large number of lockouts that occur. To determine if these lockouts are false lockouts or a real attack:
1. Verify that the domain controllers and client computers are up-to-date with service packs and hotfixes. For more information, see the "Recommended Service Packs and Hotfixes" section in this document.
2. Configure your computers to capture data:
a. Enable auditing at the domain level.
b. Enable Netlogon logging.
c. Enable Kerberos logging.
For more information, see the "Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues" section in this document.
3. Analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
4.
Analyze the event logs on the computer that is generating the account lockouts to determine the cause. For more information, see the "Account Lockout Tools" section in this document.
The following section further describes the account lockout troubleshooting process.

Common Causes for Account Lockouts
This section describes some of the common causes for account lockouts. The common troubleshooting steps and resolutions for account lockouts are also described in this section. To avoid false lockouts, check each computer on which a lockout occurred for the following behaviors:
Programs: Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.
Service accounts: Service account passwords are cached by the service control manager on member computers that use the account as well as on domain controllers. If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account lockouts.
Bad Password Threshold is set too low: This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry invalid passwords. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing Account Lockout Settings for Your Deployment" in this document.
User logging on to multiple computers: A user may log onto multiple computers at one time. Programs that are running on those computers may access network resources with the credentials of the user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log off and back on.
Note: Computers running Windows XP or a member of the Windows Server 2003 family automatically detect when the user's password has changed and prompt the user to lock and unlock the computer to obtain the current password. No logon and logoff is required for users of these computers.
Stored user names and passwords retains redundant credentials: If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information on Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.
Note: Computers that are running Windows 95, Windows 98, or Windows Millennium Edition do not have a Stored User Names and Passwords file. Instead, you should delete the user's .pwl file. This file is named Username.pwl, where Username is the user's logon name. The file is stored in the Systemroot folder.
Scheduled tasks: Scheduled processes may be configured to use credentials that have expired.
Persistent drive mappings: Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, type net use /persistent:no. Alternately, to ensure that current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
Active Directory replication: User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.
Disconnected Terminal Server sessions: Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.
Service accounts: By
defa<, most comp&ter ser,ices are config&red to start in the sec&rit" conte1t of the Local #"stem acco&nt) 3o'e,er, "o& can man&all" config&re a ser,ice to &se a specific &ser acco&nt and pass'ord) Bf "o& config&re a ser,ice to start 'ith a specific &ser acco&nt and that acco&ntIs pass'ord is changed, the ser,ice logon propert" m&st be &pdated 'ith the ne' pass'ord or that ser,ice ma" lock o&t the acco&nt) Note Oo& can &se the #"stem Bnformation tool to create a list of ser,ices and the acco&nts that 'ere &sed to start them) To start the #"stem Bnformation tool, click Start, click 0un, t"pe win!sd, and then click 7:) 7ther Potential %ssues #ome additional considerations regarding acco&nt locko&t are described in the follo'ing sections) Account &oc#out for 0e!ote 'onnections The acco&nt locko&t feat&re that is disc&ssed in this paper is independent of the acco&nt locko&t feat&re for remote connections, s&ch as in the Ro&ting and Remote Access ser,ice and Microsoft Bnternet Bnformation #er,ices CBB#E) These ser,ices and programs ma" pro,ide their o'n &nrelated acco&nt locko&t feat&res) %nternet %nfor!ation Services !" defa<, BB# &ses a token2caching mechanism that locall" caches &ser acco&nt a&thentication information) Bf locko&ts are limited to &sers 'ho tr" to gain access to E1change mailbo1es thro&gh %&tlook Web Access and BB#, "o& can resol,e the locko&t b" resetting the BB# token cache) /or more information, see 0Mailbo1 Access ,ia %WA Depends on BB# Token Cache0 in the Microsoft Gno'ledge!aseLhttp6MMs&pport)microsoft)comMNid;9?84@>) MSN Messen$er and Microsoft 7utloo# Bf a &ser changes their domain pass'ord thro&gh Microsoft %&tlook and the comp&ter is r&nning M#F Messenger, the client ma" become locked o&t) To resol,e this beha,ior, see 0M#F Messenger Ma" Ca&se Domain Acco&nt Locko&t After a Pass'ord0 in the Microsoft Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;87>>4?) 
Account Lockout Tools
After you determine the pattern for the account lockouts and narrow down your scope to a specific client computer or member server, you should gather detailed information about all of the programs and services that are running on that computer. Some of the information that you should obtain includes:
- Mapped network drives
- Logon scripts that map network drives
- RunAs shortcuts
- Accounts that are used for service account logons
- Processes on the client computers
- Programs that may pass user credentials to a centralized network program or middle-tier application layer
The following sections discuss the tools that you can use to help you gather information from the network environment.

The LockoutStatus.exe Tool
LockoutStatus.exe displays information about a locked out account. It does this by gathering account lockout-specific information from Active Directory. The following list describes the different information that is displayed by the tool:
- DC Name: Displays all domain controllers that are in the domain.
- Site: Displays the sites in which the domain controllers reside.
- User State: Displays the status of the user and whether that user is locked out of their account.
- Bad Pwd Count: Displays the number of bad logon attempts on each domain controller. This value confirms the domain controllers that were involved in the account lockout.
- Last Bad Pwd: Displays the time of the last logon attempt that used a bad password.
- Pwd Last Set: Displays when the last good password was set or when the account was last unlocked.
- Lockout Time: Displays the time when the account was locked out.
- Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).

Where to Obtain the LockoutStatus.exe Tool
LockoutStatus.exe is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=16174).

How to Install the LockoutStatus.exe Tool
To install the LockoutStatus.exe tool, install the ALTools package on your domain controller.

How to Use the LockoutStatus.exe Tool
To run the LockoutStatus.exe tool and display information about a locked out user account:
1. Double-click LockoutStatus.exe.
2. On the File menu, click Select target.
3. Type the user name whose lockout status on the enterprise's domain controllers you want information about.
The following figure displays an example where two domain controllers have a BadPwdCount value of 5, which is also the bad password threshold. One domain controller is the PDC operations master, and the other domain controller is the authenticating domain controller. These two domain controllers are displayed because of password chaining from the authenticating domain controller to the PDC.

Figure 2 The LockoutStatus.exe Tool

The ALockout.dll Tool
The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file. The events are time stamped so that you can match them to the events that are logged in either the Netlogon log files or the Security event log files. You can use Appinit.reg to initialize the .dll file. This file provides no other functionality.

Note: Microsoft does not recommend that you use this tool on servers that host network programs or services. You should not enable ALockout.dll on Exchange servers because the ALockout.dll tool may prevent the Exchange store from starting.

Important: Before you install the ALockout.dll tool on any mission-critical
computer, make a full backup copy of the operating system and any valuable data. For more information, see "Errors Installing Exchange Server with CleanSweep" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=164431).

In most account lockout scenarios, you should install ALockout.dll on client computers. Use the information that is stored in both the Netlogon log file and the Security event log to determine the computers from which the incorrect credentials are being sent that are locking out the user's account. When you install the ALockout.dll tool on the client computer that is sending the incorrect credentials, the tool logs the process that is sending the incorrect credentials.

Where to Obtain the ALockout.dll Tool
ALockout.dll is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).

How to Install the ALockout.dll Tool
There are two versions of the ALockout.dll file. One version of the file is for computers that are running a Windows 2000 operating system, and the other version of the file is for computers that are running a Windows XP operating system. View the Readme.txt file that is included with the ALTools package.

To install ALockout.dll:
1. On the computer that has generated account lockout error messages in the Security event log, copy both the ALockout.dll and Appinit.reg files to the Systemroot\System32 folder.
2. Double-click the Appinit.reg file to run the script. When you do this, the ALockout.dll file is registered and can begin providing information.
3. Restart the computer to complete the installation.

How to Remove the ALockout Tool
To remove the ALockout.dll file from the computer:
1. At a command prompt, type regsvr32 /u alockout.dll (unregister the .dll before you delete it; regsvr32 must be able to load the file).
2. Delete the ALockout.dll file from the Systemroot\System32 folder.
3.
Remove the Alockout.dll entry from the AppInit_DLLs value that is under the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
After you remove the Alockout.dll entry, the AppInit_DLLs value is blank.
4. Restart the computer.

How to Use the ALockout.dll Tool
You should use the ALockout.dll tool together with Netlogon logging and security auditing. To use the ALockout.dll tool:
1. Wait for an account to lock out on the computer.
2. When an account is locked out, the ALockout.txt file is created in the Systemroot\Debug folder.
3. Compare event time stamps in ALockout.txt with the time stamps in both the Netlogon log files and the Security event log files. When you do this, you can determine the process that is causing the lockouts.
You can use the ALockout.dll tool if you have already set up Netlogon logging, as well as Kerberos and logon auditing, on the local computer. ALockout.dll does not interfere with any other logging or event generation.

The ALoInfo.exe Tool
If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users' passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This allows you to set up the ALockout.dll tool and the other account lockout tools before the first account lockout occurs. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.

Note: You can also use the SecDump tool to display password expiration information in a Windows NT Server 4.0 domain. You can download this tool from the SystemTools Web site (http://www.somarsoft.com). Note that Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

Where to Obtain the ALoInfo.exe Tool
The ALoInfo.exe file is included with the ALTools.exe package that is available at "Account Lockout and Management
Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).

How to Install the ALoInfo.exe Tool
To install the ALoInfo.exe tool, install the ALTools package on your domain controller. The ALTools package contains the ALoInfo.exe tool.

How to Use the ALoInfo.exe Tool
You can use ALoInfo.exe at a command prompt with either of the following methods:
To display the password ages of all accounts from a domain controller, at a command prompt, type the following:
aloinfo /expires /server:Domain_Controller_Name
To display all local service startup account information and mapped drive information for a user who is currently logged on, at a command prompt, type the following command:
aloinfo /stored /server:Computer_Name
You can redirect the output of ALoInfo.exe to a text file and then sort the results to determine which users may be involved in the account lockout. This information can also be stored for later analysis.

The AcctInfo.dll Tool
You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user's password on a domain controller in that user's local site. AcctInfo.dll displays the following user account information that you may be able to use to identify and resolve account lockout issues:
- Last time the password was set
- When the password will expire
- User Account Control Raw Value and Decode
- Time the account was locked out
- If the account is locked out now, when it will be unlocked
- Security identifier (SID) of the account, and its SIDHistory
- Globally unique identifier (GUID) of the account
- These account properties: Last Logon, Last Logoff, Last Bad Logon Time, Logon Count, Bad Password Count
You can also use the AcctInfo.dll tool to obtain the domain password information (expiration, lockout time, and so on). You can type the user's computer name in the tool, and then reset the user's
password on a domain controller in that user's site.

Note: Because of replication latency, domain controllers may store different information about the same user account. AcctInfo.dll displays information that is retrieved from a single domain controller.

Where to Obtain the AcctInfo.dll Tool
The AcctInfo.dll tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).

How to Install the AcctInfo.dll Tool
On the computer where you want to run the Active Directory Users and Computers MMC Snap-in:
1. Copy the AcctInfo.dll file to the System32 folder.
2. At a command prompt, type regsvr32 acctinfo.dll, and then press ENTER.
The AcctInfo.dll file is registered and is displayed on a user's property sheet in the Active Directory Users and Computers MMC Snap-in after you follow these steps. To use the Account Lockout Status button in the tool, verify that LockoutStatus.exe is in the Systemroot\System32 folder. If LockoutStatus.exe is not installed in this location, this button is unavailable.

How to Use the AcctInfo.dll Tool
To use the AcctInfo.dll tool, open the Active Directory Users and Computers MMC, right-click a user, click Properties, and then click Additional Account Info. An example of the information that is provided by AcctInfo.dll is shown in the following figure.

Figure 3 Main Property Box

The following figure displays the domain password policy information that you can view to determine the password policy that applies to the domain controller.

Figure 4 Domain Password Policy

Change Password on a Domain Controller in the User's Site
The AcctInfo.dll tool allows you to increase the functionality of the Active Directory Users and Computers MMC by adding the ability to reset a user's password in that user's local site. When you reset the password in the remote site, you avoid replication delays that can occur before that user logs on. When you reset the
pass'ord, "o& can also &nlock the acco&nt and set the )ser !ust chan$e (assword ,al&e) These options are in the 'han$e Password 7n a ,' %n The )sers Site bo1 as displa"ed in the follo'ing fig&re) i$ure F 'han$e Password 7n a ,' %n The )sers Site +ow to 0e!ove the Acct%nfo.dll Tool To remo,e the AcctBnfo)dll tool, delete the AcctBnfo)dll file from the SystemrootM#"stem87 folder, and then t"pe the follo'ing command at a command prompt6 re$svr32 ?u acctinfo.dll The =vent'o!/MT.e*e Tool Oo& can &se the E,entCombMT)e1e tool to gather specific e,ents from e,ent logs from se,eral different comp&ters into one central location) Oo& can config&re E,entCombMT)e1e to search for e,ents and comp&ters) #ome specific search categories are b&ilt into the tool, s&ch as acco&nt locko&ts) Fote that the acco&nt locko&ts categor" is preconfig&red to incl&de e,ents @7<, 4==, 4?@, 4?4, and 4>9) i$ure H The =vent'o!/MT.e*e Tool Where to 7/tain the =vent'o!/MT.e*e Tool The E,entCombMT)e1e tool is incl&ded in the ALTools)e1e package that is a,ailable at 0Acco&nt Locko&t and Management Tools0 on the Microsoft Web siteLhttp6MMgo)microsoft)comMf'linkMN LinkBd;949?=) +ow to %nstall the =vent'o!/MT.e*e Tool Oo& do not need to install this tool separatel") When "o& install ALTools on the domain controller, E,entCombMT)e1e is also installed to the director" "o& specified d&ring set&p) +ow to )se the =vent'o!/MT.e*e Tool To &se the E,entCombMT)e1e tool, open the folder "o& specified d&ring set&p for ALTools, do&ble2click =vent'o!/MT.e*e, click the Searches men&, click >uilt in searches, and then click Account loc#outs) When "o& do this, the e,ents that 'ill be p&lled from the e,ent logs are a&tomaticall" displa"ed in the tool) These e,ents are from all of the domain controllers in "o&r en,ironment) Bn addition to @7<, 4==, 4?@, and 4>9, t"pe .22I4 in the =vent %ds bo1, and then click Search) The tool then searches the comp&ters for these e,ents, and then sa,es them to a )t1t file that "o& specif") 
The NLParse.exe Tool
Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes. The output from this tool is saved to a comma-separated values (.csv) file that you can open in Excel to sort further.

Note: The return codes that are specific to account lockouts are 0xC000006A (STATUS_WRONG_PASSWORD, a bad password was submitted) and 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT, the account was already locked out when the attempt arrived).

The following figure displays the interface for the NLParse.exe tool.

Figure 7 Netlogon-Parse Return Status Codes

Where to Obtain the NLParse.exe Tool
The NLParse.exe tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).

How to Install the NLParse.exe Tool
You do not need to install this tool separately; when you install ALTools on the domain controller, NLParse.exe is also installed.

How to Use the NLParse.exe Tool
To use the NLParse.exe tool, open the folder you specified during setup for ALTools, double-click Nlparse.exe, click Open to open the Netlogon.log file that you want to parse, select the check boxes for the status codes that you want to search for, and then click Extract. After you do this, view the output from the NLParse.exe tool. Typically, you want to look at both the 0xC000006A and 0xC0000234 statuses to determine where the lockouts are coming from.

The FindStr.exe Tool
You can also use the FindStr.exe tool to parse Netlogon log files. FindStr.exe is a command-line tool that you can use to parse several Netlogon.log files at the same time. After you gather the Netlogon.log files from several domain controllers, extract information about a specific user account from the files (for example, user1, error code 0xC000006A, or error code 0xC0000234). You can use this tool to help you obtain output about a user, computer, or error code in the Netlogon.log files.

Where to Obtain
the FindStr.exe Tool
The FindStr.exe tool is included in the default installation of Windows 2000, Windows XP, and the Windows Server 2003 family operating systems. No additional installation or configuration is required for the FindStr.exe tool.

How to Use the FindStr.exe Tool
To use the FindStr.exe tool, rename each Netlogon.log file (for example, to include the name of the domain controller it came from, so that the files do not overwrite each other), and then save the files to one folder. To parse all of the Netlogon log files, type the following command at a command prompt:
findstr /I "User1" *netlogon*.log >c:\user1.txt

The Replmon and Repadmin Tools
If you have not already verified Active Directory replication on a domain controller, at a command prompt, type repadmin /showreps or replmon to verify that proper Active Directory replication is occurring. In many scenarios, you may find that you unlock an account but the new credentials do not work. This behavior typically occurs because of replication latency. Change the user's password in their local site to avoid replication latency issues.

Where to Obtain the Replmon and Repadmin Tools
Both of these tools are included with the support tools on the Windows 2000 CD-ROM.

How to Install and Configure the Replmon and Repadmin Tools
For more information about how to obtain and install Replmon and Repadmin, see the Windows Support Tools documentation.

Network Monitor
Network Monitor is a powerful tool that you can use to capture unfiltered network communication. If the account lockout occurs because of a process or program and an account is already locked out on a specific client computer, gather network traces of all traffic to and from that client computer while the account is still locked out. The program or process most likely will continue to send incorrect credentials while trying to gain access to resources that are on the network. Capturing all traffic to and from the client may help you determine which network resource the process is trying to gain access to. After you determine the network resource, you can determine which
program or process is running on that client computer. If you can narrow your search to a specific computer but the user account is not yet locked out, keep running Network Monitor until the lockout occurs for that user. After the lockout occurs, compare the time stamps of the events in the Netlogon or Security event logs with the data that was captured in the trace. You should see the network resource that is being accessed with incorrect credentials. After you identify a program or service as the cause of the lockout, view the software manufacturer's Web site for known resolutions. This behavior typically occurs because the program is running with the currently logged on user's credentials. If a service is causing the lockout, consider creating accounts that are specifically for running services so that user account password changes do not affect the services.

Where to Obtain Network Monitor
The full version of Network Monitor is included with Microsoft Systems Management Server (SMS). A limited version of the tool is included with Windows XP and the Windows 2000 and Windows Server 2003 families.

How to Install Network Monitor on Supported Operating Systems
This section describes how to install Network Monitor on both the Windows 2000 Server family and Windows XP.

Windows 2000 Server
To install Network Monitor on computers that are running Windows 2000 Server:
1. Right-click My Network Places, click Properties, and then click the Advanced menu.
2.
Click Optional networking components, and then click Management and Monitoring. For more information, see "HOW TO: Install Network Monitor in Windows 2000" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=243270).

Windows XP
Network Monitor is included with the Windows support tools. For more information about how to install and configure Network Monitor on computers that are running Windows XP, view the following articles:
- "How to Install the Support Tools from the Windows XP CD-ROM" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=306794)
- "Description of the Network Monitor Capture Utility" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=310875)

How to Use Network Monitor
For information about how to use Network Monitor to capture information, view the documentation that is provided with the tool or read "How to Capture Network Traffic with Network Monitor" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=148942).

Summary
This document describes the reasons why you should take a structured approach to setting the account and password policy features. The document also provides information about the tools and log files that you can use to troubleshoot account lockouts. After you read this document, you should be able to determine from which computer the account lockouts are being generated, as well as the program or service that is generating the lockout.

Appendix One: Additional References for Account Lockout
For more information about how to lock down your environment, as well as for more information about security features that are not addressed in this document, see the following Microsoft Web sites:
- "Microsoft Solution for Securing Windows 2000 Server" on the Microsoft TechNet Web site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/SecWin2k/Default.asp)
- "Checklist: Create Strong Passwords" on the Microsoft Web site
(http://www.microsoft.com/security/articles/password.asp)
- "New Registry Key to Remove LM Hashes from Active Directory and Security" on the Microsoft Web site (http://support.microsoft.com/?id=299656)
- "HOW TO: Configure Remote Access Client Account Lockout in Windows 2000" on the Microsoft Web site (http://support.microsoft.com/?id=310302)
- "HOW TO: Prevent Users From Changing a Password Except When Required in Windows 2000" on the Microsoft Web site (http://support.microsoft.com/?id=309799)
- "HOW TO: Prevent Users From Submitting Alternate Logon Credentials in Windows 2000" on the Microsoft Web site (http://support.microsoft.com/?id=310360)
- "HOW TO: Manage Stored User Names and Passwords on a Computer in a Domain in Windows XP" on the Microsoft Web site (http://support.microsoft.com/?id=306992)
- "Best Practices for Enterprise Security" on the Microsoft Web site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/bpentsec.asp)

Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues
You can use the information in this section to help you gather information before you start to troubleshoot account lockout issues. Collect the following information to troubleshoot account lockout issues:

Client Platform
If client account lockouts are occurring on a single, common operating system, there may be specific issues with the operating system. Different operating systems use different processes for name resolution and authentication protocols, and they have different levels of security, so there might be an infrastructure or program issue. For more information, see the Microsoft Knowledge Base article "Service Packs and Hotfixes Available to Resolve Account Lockout Issues" on the Microsoft Web site (http://support.microsoft.com/?id=817701). You should gather the following information in these situations:
- Do users log on to multiple computers at the same time?
- Are there any common patterns? For example:
  - Do the computers have the same mapped drives?
  - Do the computers have the same mapped printers?
  - Do the computers have the same antivirus software?
  - Do the computers use management software?
  - Is another networking client installed on the computers?
  - Is SMS installed on the computers?
- Does the network include a Wide Area Network (WAN)?
- If the computer is running Windows 95, Windows 98, Windows 98 SE, or Windows Millennium Edition, what is the version of the Vredir.vxd file?
- If the computer is running Windows 95, Windows 98, Windows 98 SE, or Windows Millennium Edition, is the Directory Services Client installed on the computer?

Domain Platform
When you know the domain environment, the security boundaries, and how the user is gaining access to the resources that are in other domains, you can better determine the cause of the account lockouts. You should gather the following information:
- The number of domain controllers, including operating system, location, service pack level, and so on.
- Is Active Directory and Netlogon replication occurring?
- What domain does the user log onto?
- List all domain trusts that the user uses.
- Is there a matching account with the same logon name in the trusted domain?
- Are there any third-party SMB
servers running in the environment?

Background
Look at the client and the network resources that the user might be contacting to help you determine the cause of the lockouts. You should gather the following information:
- When did you first notice the lockouts?
- When did the lockouts start?
- What has changed in the environment (new programs, new network services, and so on)?
- Are there any identifiable patterns:
  - After a password change?
  - When the user logs on?
  - When the user gains access to mapped drives?
  - When the user uses Outlook?
  - When the user uses Outlook Web Access?
  - Are there no identifiable patterns?
- How many user accounts are locked out each day, a small group of users or a large group?
- Is there an account password policy?
- How many bad attempts are allowed before a lockout occurs?
- How much time must elapse before the count resets?
- What is the LockoutDuration registry value?

Gathering Diagnostic Information
Gather all of the different log files from Netlogon, Kerberos, and the event logs to help you determine the cause of the lockout. Diagnostic information that you gather from the computer from which the lockout is originating may help you determine the cause for the lockout. You should gather the following information:
- Netlogon log files
- Traces
- Event log files from client computers and domain controllers that are involved in the lockout
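The NLParse.exe and FindStr.exe sections earlier in this paper pull the 0xC000006A and 0xC0000234 entries out of Netlogon.log, and the appendix above lists Netlogon log files as the first thing to gather. As an added example, not part of the original paper or of the ALTools package, the following Python performs that extraction over Netlogon logs collected from several domain controllers, counts bad passwords per originating host, and keeps the "(via ...)" hop of transitive logons separate from the true origin, so that a member server or the authenticating DC that forwarded the request is not mistaken for the source. The log lines are constructed for this example to follow the Netlogon.log SamLogon line format; the domain, host and user names are made up.

```python
"""Extract the account-lockout return codes from Netlogon.log text gathered
from several DCs and count bad passwords per originating host.  Added example;
the log lines below are constructed, the names are made up."""
import re
from collections import Counter
from typing import NamedTuple, Optional

STATUS_WRONG_PASSWORD = "0xC000006A"      # STATUS_WRONG_PASSWORD
STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"  # STATUS_ACCOUNT_LOCKED_OUT
LOCKOUT_CODES = {STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED_OUT}

# Netlogon.log SamLogon line:
#   MM/DD HH:MM:SS [LOGON] DOMAIN: SamLogon: [Transitive ]Network logon of
#   DOMAIN\user from SOURCE [(via HOP)] Returns 0xC000006A
LINE_RE = re.compile(
    r"^(?P<time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+: SamLogon: "
    r"(?:(?P<transitive>Transitive) )?\w+ logon of (?P<domain>[^\\\s]+)\\(?P<user>\S+) "
    r"from (?P<source>\S+)(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


class LogonFailure(NamedTuple):
    dc: str            # which DC's Netlogon.log the line came from
    time: str
    user: str
    source: str        # originating workstation ("from")
    via: Optional[str] # forwarding server for transitive logons, else None
    status: str


# Constructed sample: one log per DC, as you would have after renaming and
# collecting the files the way the FindStr.exe section describes.
SAMPLE_LOGS = {
    "CONTOSO-DC1": [
        "05/21 08:00:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\user1 from WKSTN01 Entered",
        "05/21 08:00:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\user1 from WKSTN01 Returns 0xC000006A",
        "05/21 08:00:10 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\user1 from WKSTN01 (via FILESRV02) Returns 0xC000006A",
        "05/21 08:00:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\user2 from WKSTN07 Returns 0x0",
        "05/21 08:00:20 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\user1 from WKSTN01 Returns 0xC000006A",
        "05/21 08:00:31 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\user1 from WKSTN01 Returns 0xC0000234",
    ],
    "CONTOSO-PDC": [
        "05/21 08:00:02 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\user1 from WKSTN01 (via CONTOSO-DC1) Returns 0xC000006A",
        "05/21 08:00:21 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\user1 from LAPTOP03 (via CONTOSO-DC1) Returns 0xC000006A",
    ],
}


def parse_netlogon(dc, lines):
    """Return only the lines whose return status is a lockout code: the same
    filter as ticking 0xC000006A and 0xC0000234 in NLParse.exe."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("status") in LOCKOUT_CODES:   # 'Entered' and 0x0 lines drop out
            out.append(LogonFailure(dc, m.group("time"), m.group("user").lower(),
                                    m.group("source"), m.group("via"), m.group("status")))
    return out


def load_all(logs):
    """Merge every DC's extracted lines into one list ordered by time stamp."""
    records = []
    for dc, lines in logs.items():
        records.extend(parse_netlogon(dc, lines))
    return sorted(records, key=lambda r: r.time)


def failures_by_source(records, user):
    """Bad-password count per originating host for one user across all DCs.
    The 'from' host is the origin even when the entry is Transitive (via ...);
    counting the 'via' host instead would blame the forwarding server."""
    return Counter(r.source for r in records
                   if r.user == user and r.status == STATUS_WRONG_PASSWORD)


def lockout_hits(records, user):
    """(dc, time, source) for every attempt answered with ACCOUNT_LOCKED_OUT:
    the host is still presenting the bad credential after the lockout."""
    return [(r.dc, r.time, r.source) for r in records
            if r.user == user and r.status == STATUS_ACCOUNT_LOCKED_OUT]


if __name__ == "__main__":
    recs = load_all(SAMPLE_LOGS)
    print("bad passwords by source:", dict(failures_by_source(recs, "user1")))
    print("locked-out attempts:", lockout_hits(recs, "user1"))
```

The PDC emulator's copy of a chained attempt appears as a separate Transitive entry with "(via CONTOSO-DC1)", so the same bad password is counted twice when both logs are merged; as with the event-log correlation, that inflates the totals but not the ranking. Time stamps in Netlogon.log carry no year, so sort within a single day's collection or prefix the year before merging logs that span midnight.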