see Password Filters (http://go.microsoft.com/fwlink/?LinkId=205613).
Active Directory account lockouts

Active Directory Password Policies: Prevent Account Lockout Issues in Enterprise Environments
Overview
• Most enterprise administrators and security teams will recommend that account and password policies are implemented to help safeguard passwords and protect the network.
• There are multiple components within the policies that, when combined, provide protection and deterrence in different ways; each can be tuned to provide the optimal balance between security, user inconvenience, and support costs.
• There is no substitute for user education: providing clear guidance on how to create a decent password will help users not only on the corporate network, but also with their personal systems such as Twitter and Facebook.
Common Causes
• Cached credentials:
  – When a user has to change their password (because it expired or was forgotten), it is highly likely that the old password is still stored on their mobile/smartphone, iPad or another system. If that system keeps attempting authentication with the old credentials, the account will be locked out. The domain controller records which device is doing this: event 4740 (account locked out) on the PDC emulator carries the caller computer name, and the preceding 4625 (logon failure) or 4771 (Kerberos pre-authentication failed) events carry the source workstation or client address.
• System error:
  – Many modern systems are programmed to attempt authentication 3 or more times in rapid succession (these show in the logs as occurring within a few seconds), quicker than a user could manage manually. This results in the account locking out after only a few attempts by the user, because each attempt the user makes is multiplied by the retries.
Common Causes (continued)
• Account/password expiry:
  – Accounts and passwords can be set to expire on a certain date. If the user does not request an extension, or reset the password before expiration, the account will fail to authenticate until this action is taken.
• User error:
  – There is no getting away from the fact that users will make errors. I've done this myself by leaving Caps Lock on, forgetting the password after a long holiday, or mixing up passwords between different systems.
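The causes above each leave a recognisable shape in the domain controller's failed-logon events. The following is an added example (not part of the original presentation) that runs that triage over constructed records: it flags bursts of failures arriving faster than a person can type (the "system error" pattern) and a single device that keeps failing over a long period (the stale cached-credential pattern), and compares the total against the lockout threshold. The records, account names and hostnames are invented for the example; the field layout is modelled on what events 4625/4771 expose, but nothing here reads a real event log.

```python
"""Triage of failed-logon records to find what is driving an account lockout.

Added example, not from the original presentation. The records below are
constructed to resemble fields from Windows Security events on a domain
controller: 4625 (logon failure, with Workstation Name / Source Network
Address) or 4771 (Kerberos pre-authentication failed, with Client Address).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real log output: (time, account, source host, source IP)
SAMPLE_EVENTS = [
    ("2013-06-10 08:00:01", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:00:02", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:00:03", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:15:01", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:15:02", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:15:03", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:30:01", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:30:02", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 08:30:03", "jsmith", "JSMITH-IPHONE", "10.1.5.23"),
    ("2013-06-10 09:02:10", "jsmith", "JSMITH-PC", "10.1.2.40"),     # one typo at the desk
    ("2013-06-10 09:10:00", "adavies", "ADAVIES-PC", "10.1.2.41"),   # Caps Lock, twice
    ("2013-06-10 09:40:00", "adavies", "ADAVIES-PC", "10.1.2.41"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with real datetimes, oldest first."""
    parsed = [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
         "account": acct, "source": host, "ip": ip}
        for t, acct, host, ip in rows
    ]
    return sorted(parsed, key=lambda e: e["time"])


def _times_by_origin(events):
    """Group failure timestamps by (account, source host), in time order."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["account"], e["source"])].append(e["time"])
    return groups


def find_bursts(events, window=timedelta(seconds=5), min_count=3):
    """Runs of at least min_count failures from one source inside `window`.

    Nobody types three passwords in two seconds, so a burst points at
    software retrying on the user's behalf (the "system error" cause).
    """
    bursts = []
    for (account, source), times in _times_by_origin(events).items():
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= min_count:
                bursts.append((account, source, times[i], count))
                i = j + 1          # skip past this burst
            else:
                i += 1
    return bursts


def find_persistent_sources(events, min_failures=5, min_span=timedelta(minutes=10)):
    """Sources that keep failing over a long period: the cached-credential
    pattern (a phone or tablet still holding the old password)."""
    found = []
    for (account, source), times in _times_by_origin(events).items():
        if len(times) >= min_failures and times[-1] - times[0] >= min_span:
            found.append((account, source, len(times), times[0], times[-1]))
    return found


def triage(events, lockout_threshold):
    """Per account: failures per source, a verdict, and whether the total
    would already have tripped the given lockout threshold."""
    bursty = {(a, s) for a, s, _t, _c in find_bursts(events)}
    persistent = {(a, s) for a, s, _n, _f, _l in find_persistent_sources(events)}
    report = {}
    for (account, source), times in _times_by_origin(events).items():
        entry = report.setdefault(account, {"failures": 0, "sources": {}, "verdict": "user error"})
        entry["failures"] += len(times)
        entry["sources"][source] = len(times)
        if (account, source) in persistent:
            entry["verdict"] = "stale cached credential on " + source
        elif (account, source) in bursty and not entry["verdict"].startswith("stale"):
            entry["verdict"] = "automated retries from " + source
    for entry in report.values():
        entry["would_lock"] = entry["failures"] >= lockout_threshold
    return report


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for account, entry in triage(EVENTS, lockout_threshold=10).items():
        print(account, entry)
```

With the sample data, jsmith's phone alone produces three bursts and nine failures in thirty minutes, so the verdict is the phone, not the user; adavies's two slow failures stay classified as user error and never approach the threshold. Pointing the same functions at exported 4625/4771 records is a matter of filling the tuples from the real fields.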
Password Policy

Setting | Explanation | Low Security, Low Cost | High Security, High Cost | Balanced View
Pwd History | Determines how many old passwords are remembered. Used to prevent users re-using old passwords. | 0 | 24 | 24
Max pwd age (days) | Maximum number of days since the last password change. | 30 | 90 | 60
Min pwd age (days) | Determines how old the password must be before the user can change it again. When combined with Pwd History, this deters re-use of old passwords. | 0 | 1 | 0
Min pwd length | 8 is a bare minimum, combined with complexity settings. | 8 | 15+ | 10
Complexity | The default policy ensures that 3 out of 5 categories are used: 1. Uppercase characters A-Z; 2. Lowercase characters a-z; 3. Numerics 0-9; 4. Special characters !"£$%^&*() etc.; 5. Unicode characters. An enhanced (custom password) filter can be applied to make this stricter. | Enabled | Enhanced | Enhanced

Note: Pwd History only deters re-use if Min pwd age is above 0; with a minimum age of 0 a user can cycle through 25 changes in a minute and land back on the old password. The built-in complexity check also rejects passwords that contain the account name or parts of the display name longer than two consecutive characters.
Account Lockout Policy

Setting | Explanation | Low Security, Low Cost | High Security, High Cost | Balanced View
Lockout duration (minutes) | Allows the account to automatically reset after the given period of time, which avoids the need for admin intervention. If this is set to 0 (zero), the account stays locked until an administrator unlocks it. | 15 | 0 | 30-60
Lockout threshold (invalid attempts) | The number of invalid attempts allowed before the account is locked out. | 50 | 4 | 20-30
Reset counter (minutes) | Period of time since the last invalid attempt before the counter is reset. | 5 | 24 hours | 24 hours

By combining these 3 settings, along with the Max Pwd Age, it is possible to create a secure policy that allows for some of the most common account lockout scenarios. This will lower support costs and improve user productivity by reducing the frequency of account lockouts.

Caveat: Windows requires the reset counter to be less than or equal to the lockout duration whenever the duration is not 0, and the Group Policy editor prompts to raise the duration to match. The Balanced column as written (a 24-hour reset counter with a 30-60 minute duration) therefore cannot be applied unchanged: you end up either with a 24-hour lockout duration, or with a reset counter no longer than the 30-60 minute duration (which, per the charts that follow, multiplies the attacker's daily attempts). The High Security column, with duration 0, is unaffected.
Account Policy Variables

As this chart shows, increasing the Reset Counter reduces the number of attempts an attacker can make against bad passwords; I recommend 24 hours for better security. This in turn allows the Bad Pwd Attempts threshold to be raised to something more reasonable for a modern infrastructure; I recommend 20-50.

Number of possible attempts in 24 hours (threshold multiplied by the number of reset windows in a day)

Note: an attacker would not be able to reach these limits without locking the account out, so the real figure is one less than the threshold per window.

Reset counter | 5 min | 10 min | 20 min | 1 hr | 2 hrs | 4 hrs | 8 hrs | 24 hrs
(in minutes) | 5 | 10 | 20 | 60 | 120 | 240 | 480 | 1,440
Threshold 5 | 1,440 | 720 | 360 | 120 | 60 | 30 | 15 | 5
Threshold 10 | 2,880 | 1,440 | 720 | 240 | 120 | 60 | 30 | 10
Threshold 20 | 5,760 | 2,880 | 1,440 | 480 | 240 | 120 | 60 | 20
Threshold 30 | 8,640 | 4,320 | 2,160 | 720 | 360 | 180 | 90 | 30
Threshold 40 | 11,520 | 5,760 | 2,880 | 960 | 480 | 240 | 120 | 40
Threshold 50 | 14,400 | 7,200 | 3,600 | 1,200 | 600 | 300 | 150 | 50
Threshold 100 | 28,800 | 14,400 | 7,200 | 2,400 | 1,200 | 600 | 300 | 100
Account Policy Variables (continued)

Compare this chart to the previous one, adjusting for the number of days set as your Max Pwd Age.

Number of possible attempts in x days (attempts in 24 hours multiplied by Max Pwd Age)

Attempts in 24 hrs | Max Pwd Age 30 days | 60 days | 90 days
5 | 150 | 300 | 450
10 | 300 | 600 | 900
20 | 600 | 1,200 | 1,800
50 | 1,500 | 3,000 | 4,500
100 | 3,000 | 6,000 | 9,000
500 | 15,000 | 30,000 | 45,000
1,000 | 30,000 | 60,000 | 90,000
5,000 | 150,000 | 300,000 | 450,000
10,000 | 300,000 | 600,000 | 900,000
15,000 | 450,000 | 900,000 | 1,350,000
50,000 | 1,500,000 | 3,000,000 | 4,500,000
Myth 1

Theory: The more complex the password, and the more often a user changes their password, the less likely an attacker is to crack it.

Reality: When users are forced to create complex passwords and change them too often, they eventually forget them and end up writing them down. Current guidance such as NIST SP 800-63B agrees, recommending against forced periodic rotation unless there is evidence of compromise.
Myth 2

Theory: The lowest threshold for bad password attempts (3-6) is more secure than a higher threshold (20-50).

Reality: This is only one setting; it has to be paired with the Reset Counter and Lockout Duration to be truly effective:

Bad Pwd Threshold | Reset Counter | Possible Attempts (24 hrs)
5 | 5 min | 1,440
5 | 24 hrs | 5
20 | 5 min | 5,760
20 | 24 hrs | 20
50 | 5 min | 14,400
50 | 24 hrs | 50
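The two Account Policy Variables charts and the Myth 2 table are all the same arithmetic: attempts per day = threshold × (1440 ÷ reset counter), and attempts per password lifetime = that figure × Max Pwd Age. The following added example (not from the original presentation) reproduces those figures, computes the "quiet" budget of an attacker who must stay one below the threshold in every window, and validates a policy before it is applied, including the Windows rule that the reset counter must not exceed a non-zero lockout duration. The three policies encoded below are the columns of the presentation's Account Lockout Policy table (the Balanced column at the low end of its ranges); in production you would fill the dataclass from the LockoutThreshold, LockoutObservationWindow, LockoutDuration and MaxPasswordAge values returned by Get-ADDefaultDomainPasswordPolicy or a fine-grained password policy.

```python
"""Attacker guess budget and sanity checks for an AD account lockout policy.

Added example, not from the original presentation. Reproduces the arithmetic
behind the "Account Policy Variables" charts and the Myth 2 table, and adds
the validation a practitioner wants before applying the numbers.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # "Account lockout threshold" (0 = never lock out, max 999)
    reset_minutes: int      # "Reset account lockout counter after" (1..99999)
    duration_minutes: int   # "Account lockout duration" (0 = until an admin unlocks)
    max_pwd_age_days: int   # "Maximum password age"


def attempts_per_day(threshold, reset_minutes):
    """The chart's figure: the full threshold is available again in every reset window."""
    windows_per_day = MINUTES_PER_DAY // reset_minutes
    return threshold * windows_per_day


def attempts_per_password_lifetime(policy):
    """Second chart: the per-day figure multiplied by Max Pwd Age."""
    return attempts_per_day(policy.threshold, policy.reset_minutes) * policy.max_pwd_age_days


def quiet_guesses_per_day(policy):
    """What an attacker who must NOT lock the account gets: threshold - 1 per
    window (the note under the first chart), over every window in the day."""
    if policy.threshold == 0:
        return None  # no lockout at all: online guessing is unlimited
    windows_per_day = MINUTES_PER_DAY // policy.reset_minutes
    return (policy.threshold - 1) * windows_per_day


def validate(policy):
    """Problems that would make the policy ineffective or impossible to apply."""
    problems = []
    if policy.threshold == 0:
        problems.append("threshold 0 disables lockout; online guessing is unlimited")
    if not 1 <= policy.reset_minutes <= 99999:
        problems.append("reset window must be between 1 and 99999 minutes")
    if policy.duration_minutes != 0 and policy.reset_minutes > policy.duration_minutes:
        # Windows requires reset <= duration unless duration is 0 (admin unlock);
        # the Group Policy editor offers to raise the duration to match the reset window.
        problems.append(
            f"reset window ({policy.reset_minutes} min) exceeds lockout duration "
            f"({policy.duration_minutes} min); Windows will not apply this as written")
    return problems


def compare(policies):
    """label -> (attempts/day, quiet guesses/day, attempts per password lifetime, problems)."""
    return {
        label: (
            attempts_per_day(p.threshold, p.reset_minutes),
            quiet_guesses_per_day(p),
            attempts_per_password_lifetime(p),
            validate(p),
        )
        for label, p in policies.items()
    }


# The three columns of the presentation's Account Lockout Policy table.
PRESENTATION_POLICIES = {
    "low security":  LockoutPolicy(threshold=50, reset_minutes=5,    duration_minutes=15, max_pwd_age_days=30),
    "high security": LockoutPolicy(threshold=4,  reset_minutes=1440, duration_minutes=0,  max_pwd_age_days=90),
    "balanced":      LockoutPolicy(threshold=20, reset_minutes=1440, duration_minutes=30, max_pwd_age_days=60),
}

if __name__ == "__main__":
    for label, row in compare(PRESENTATION_POLICIES).items():
        print(f"{label:14} per day {row[0]:>6}  quiet {row[1]!s:>6}  "
              f"per lifetime {row[2]:>8}  {row[3] or 'ok'}")
```

Running it shows the Myth 2 contrast directly (14,400 attempts a day for the low-security column against 20 for the balanced one) and flags the balanced column as written, because its 24-hour reset counter exceeds its 30-minute duration; change the duration to 0 or 1440, or shorten the reset counter, and the warning goes away while the budget figures tell you what each choice costs.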
Summary

You should be able to compare your current settings with the information in this presentation. Use this to guide your decision on how best to adjust your policies.

If you are experiencing a high volume of account lockouts, this is the first, and quickest, step in resolving those issues. If you can raise the lockout threshold to between 20 and 50, then any remaining problems you experience will be few enough to let you gather detailed scenario and technical information to troubleshoot and diagnose them (start with the Account Lockout and Management Tools from Microsoft, such as LockoutStatus.exe and EventCombMT).

I hope this information is useful to you. If you have any questions, please feel free to contact me: http://about.me/rdiver