Attacks against identity and access systems like AD FS are quite common nowadays. A feature called Extranet Account Lockout was introduced in Windows Server 2012 R2 to prevent these kinds of attacks. When in use, AD FS stops sending authentication requests from an external network to the domain controller once a threshold is reached.
AD FS Extranet Smart Lockout (ESL) is a new feature in Windows Server 2016, originally introduced in the March cumulative update but postponed to June due to technical issues. It prevents denial-of-service attacks without locking the on-premises Active Directory account, covering both password spray (trying the same password on all user accounts) and brute-force attacks (trying multiple passwords for one user account).
What’s the Difference Between “Extranet Account Lockout” and “Smart Lockout”?
The main differences are:
- Use of the AccountActivity table in ESL
- ESL works only with Windows Server 2016 AD FS
- In Extranet Account Lockout, all incoming authentications are handled by the same counter, and the service does not keep track of familiar locations or malicious IPs.
Extranet Smart Lockout (ESL) enables AD FS to differentiate between sign-in attempts by using the AccountActivity table in the AD FS database. As a result, AD FS can lock out attackers while letting valid users continue to use their accounts, which prevents denial of service against the user and protects against targeted attacks.
Key features in Smart Lockout (from docs.microsoft.com)
- When authentication is successful, the client IP address is saved as a familiar location in the artifact database table called “AccountActivity” in AD FS.
- If password-based authentication fails and the credentials do not come from a familiar location, the failed authentication count is incremented.
- After the number of failed password attempts from unfamiliar locations reaches the lockout threshold, if password-based authentication from an unfamiliar location fails, the account is locked out.
- Users coming from a familiar location do not experience lockouts, because familiar locations are handled with a separate counter.
Configuration options for Extranet Smart Lockout (ESL)
- ADPasswordCounter – legacy AD FS “Extranet Soft Lockout” mode, which does not differentiate based on location; this is the default mode in Windows Server 2016 AD FS
- ADFSSmartLockoutLogOnly – Extranet Smart Lockout, logging mode
- ADFSSmartLockoutEnforce – Extranet Smart Lockout, enforced mode
Enabling Smart Lockout
Before making any configuration changes, the June update rollup (KB4284880) must be installed on all AD FS instances in the farm.
The recommendation is to configure AD FS Smart Lockout in logging mode for a couple of days to make sure your configuration works as expected. I let this service run in logging mode for one (1) week before changing it to enforce mode. The following PowerShell commands configure the necessary settings.
Configure Extranet Lockout
#Configure permissions to the new AccountActivity table in the ADFS artifact store (AD FS administrator credentials are needed)
- $cred = Get-Credential
- Update-AdfsArtifactDatabasePermission -Credential $cred
#ADFS Auditing Enabled
- Either from the local group policy editor or from the command line with auditpol.exe:
- computer configuration – Windows settings – security settings – advanced audit policy – system audit policies (local) – object access – application generated – success & failure
- auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
- Set-ADFSProperties -LogLevel Verbose,Errors,Warnings,Information
#Set lockout threshold and observation window, and enable lockout (these values need to be mapped to the AD DS password policy to avoid account lockout in AD DS)
- Set-AdfsProperties -ExtranetLockoutThreshold 4
- Set-AdfsProperties -ExtranetObservationWindow ( new-timespan -minutes 15 )
- Set-AdfsProperties -EnableExtranetLockout $true
#Set Smart Lockout logging mode
- Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly
- Restart-Service adfssrv
#When ready to change to enforce mode run this command
- Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
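The comment above says the AD FS threshold and observation window must be mapped to the AD DS password policy, but the commands do not show how to verify that. The following script is an added example (not part of the original post or of Microsoft's tooling) that reads both sides with the real Get-AdfsProperties and Get-ADDefaultDomainPasswordPolicy cmdlets and reports any mismatch. The rule it checks is my own reading of the requirement: AD FS must reach its threshold before AD DS does, and AD FS must keep its counter at least as long as AD DS keeps its own, so that AD DS has reset before AD FS forwards attempts again. The function name Test-EslPolicyMapping is an assumption; the script assumes it runs on an AD FS server where the ADFS and ActiveDirectory modules are installed.

```powershell
# Added example, not from the original post. Compares AD FS extranet lockout
# settings with the on-premises AD DS default domain lockout policy.
# Assumes: ADFS and ActiveDirectory modules available, caller may read both.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-EslPolicyMapping {
    [CmdletBinding()]
    param()

    $adfs = Get-AdfsProperties                  # ExtranetLockoutThreshold, ExtranetObservationWindow, ...
    $ad   = Get-ADDefaultDomainPasswordPolicy   # LockoutThreshold, LockoutObservationWindow, ...

    $findings = @()

    if (-not $adfs.EnableExtranetLockout) {
        $findings += 'Extranet lockout is disabled (EnableExtranetLockout is False).'
    }
    if ($adfs.ExtranetLockoutMode -eq 'ADPasswordCounter') {
        $findings += 'Legacy ADPasswordCounter mode: familiar and unfamiliar locations share one counter.'
    }

    # LockoutThreshold 0 in AD DS means accounts are never locked there,
    # so there is no AD DS lockout to protect against and nothing to map.
    if ($ad.LockoutThreshold -gt 0) {
        if ($adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
            $findings += "AD FS threshold $($adfs.ExtranetLockoutThreshold) is not lower than AD DS threshold $($ad.LockoutThreshold); AD DS would lock the account first."
        }
        if ($adfs.ExtranetObservationWindow -lt $ad.LockoutObservationWindow) {
            $findings += "AD FS observation window $($adfs.ExtranetObservationWindow) is shorter than AD DS window $($ad.LockoutObservationWindow); AD DS may not have reset its counter when AD FS starts forwarding again."
        }
    }

    [pscustomobject]@{
        AdfsMode           = $adfs.ExtranetLockoutMode
        AdfsLockoutEnabled = $adfs.EnableExtranetLockout
        AdfsThreshold      = $adfs.ExtranetLockoutThreshold
        AdfsWindow         = $adfs.ExtranetObservationWindow
        AdDsThreshold      = $ad.LockoutThreshold
        AdDsWindow         = $ad.LockoutObservationWindow
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Run it and show the comparison; Findings is empty when the mapping is sound.
Test-EslPolicyMapping | Format-List
```

Run this once after the Set-AdfsProperties commands above and again after any change to the domain password policy, since a later increase of the AD DS lockout window or decrease of its threshold silently breaks the mapping. Fine-grained password policies (PSOs) applied to specific groups are not covered by Get-ADDefaultDomainPasswordPolicy and would need a separate check.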
How does it look in action?
When launching SQL Server Management Studio and connecting to the WID database, enter this string in the server name field: \\.\pipe\MICROSOFT##WID\tsql\query
The AccountActivity table, where information about known IPs is saved.
Extranet Account Lockout settings in enforced mode. These values need to be mapped to the on-premises Active Directory password policy as instructed in the Extranet Account Lockout configuration guidance.
If the user hasn’t logged in to AD FS, or the service has just been started, there is nothing to show in the database.
After multiple failures, my account has been locked out from unknown IPs, but the user is able to log in from familiar IPs.
Naturally, the account stays active in on-premises Active Directory.
Finally, the AccountActivity table where the information is actually stored.
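Opening Management Studio for every check is slow, so here is an added example (not from the original post) that reads the same AccountActivity table from PowerShell over the WID named pipe given above, using the .NET SqlClient classes that ship with Windows. The database name AdfsArtifactStore and the table name AdfsArtifactStore.AccountActivity are assumptions taken from how the artifact store is normally laid out; confirm both in Management Studio before relying on them. The function name Get-EslAccountActivity is also an assumption. Integrated security is used, so the account running the script needs the permissions granted by Update-AdfsArtifactDatabasePermission.

```powershell
# Added example, not from the original post. Reads the AccountActivity table
# from the WID-hosted AD FS artifact store over the local named pipe.
# Assumptions: WID (not SQL Server) hosts AD FS; database and table names below
# are assumed and should be verified in SQL Server Management Studio.
function Get-EslAccountActivity {
    [CmdletBinding()]
    param(
        # "np:" tells SqlClient to use a named pipe; the path is the one from the post.
        [string]$Server   = 'np:\\.\pipe\MICROSOFT##WID\tsql\query',
        [string]$Database = 'AdfsArtifactStore',                          # assumed name
        [string]$Query    = 'SELECT * FROM AdfsArtifactStore.AccountActivity'  # assumed name
    )

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Data Source=$Server;Initial Catalog=$Database;Integrated Security=True"

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Query, $conn)
        [void]$adapter.Fill($table)   # pulls every row into the DataTable
    }
    finally {
        $conn.Dispose()
    }

    # Emit rows as objects so they can be filtered and formatted like any cmdlet output.
    foreach ($row in $table.Rows) {
        $obj = [ordered]@{}
        foreach ($col in $table.Columns) { $obj[$col.ColumnName] = $row[$col] }
        [pscustomobject]$obj
    }
}

# Show the current familiar-location and counter state for every known user.
Get-EslAccountActivity | Format-Table -AutoSize
```

Because WID only listens on the local named pipe, the script has to run on the AD FS server itself; on a SQL Server-backed farm, pass the SQL instance name as -Server instead. Reading the table is useful while in logging mode to see which IPs AD FS has learned as familiar before switching to enforce mode.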
Lately, extremely valuable features have been published around hybrid identity security, such as Extranet Smart Lockout, Extranet Banned IPs and Azure AD Password Protection for Windows Server Active Directory. The first two alone are good reasons to upgrade your AD FS farm to the Windows Server 2016 level. By configuring AD FS Smart Lockout you keep your users connected and productive on the internal network even in case of an attack.