Column
Zubair's Security Zone
How To Enable Remote Access Client Account Lockout
User account lockout is a great tool for keeping your network secure. Here's how to make sure that security extends to your remote access users.
by Zubair Alexander
6/15/2007 -- User account lockout is a security measure that's available in Windows Server that locks the user's account after a certain number of invalid log-on attempts. The idea is to prevent a hacker from having unlimited chances to guess a user's account name and password. This reduces the likelihood of hackers accessing your network using brute force attacks (such as dictionary attacks).
However, did you know that the account lockout security feature that you see in Active Directory Users and Computers is managed separately for remote access users?
You'll have to hack the registry and manually configure the settings if you want remote access users to benefit from the same account lockout feature that the users on the local network do. In other words, when you configure the account lockout feature on your network, it doesn't apply to remote access users (as explained in Microsoft knowledgebase article 816118).
Remote access users are users who either dial-in or connect to the company network using a virtual private network (VPN) connection. Notice that on the Dial-in tab (see Figure 1) of the user's properties, it clearly indicates that remote access settings apply to both dial-in and VPN connections.
[Click on image for larger view.] |
Figure 1. Configuring remote access permissions for an individual user. |
Typically, the permissions for remote access are configured via remote access policy, but they can also be configured on individual user accounts. Permissions configured on individual user accounts, as shown in Figure 1, override the permissions configured in remote access policies.
Configuring Account Lockout at Domain Level
To configure account lockout in Windows Server 2003, you need to configure the Domain Security Policy. Here's the step-by-step procedure for configuring the Domain Security Policy for account lockout.
1. Go to Start, Administrative Tools and select Domain Security Policy, which will start the Default Domain Security Policy console.
2. Expand Account Policies and go to Account Lockout Policy.
3. Configure the Account Lockout Threshold based on your company policy. For example, you can configure the policy to lock user accounts after 5 invalid log-on attempts. Also configure the account lockout duration and the option to reset the account lockout counter after a certain number of minutes.
4. At the command prompt, type gpupdate /force to refresh the group policy.
Account policies in Windows Server (2000/2003) are only applied at the domain level. For example, if you configure a minimum password length at an Organizational Unit (OU) level, it has no meaning whatsoever. The option appears in all the OUs but is meaningless.
I hope that one of these days, Microsoft developers will figure out a way to either remove this option from all group policies except the domain policy. Or they'll put a flag so when you click on the policy, it tells you that this option only applies at the domain level.
Of course, the best scenario will be to allow configuring different password policies for each OU, similar to Novell. Novell allows you to set a different password policy for an OU, a user object or an individual application.
|
|
|
Enabling Account Lockout for Remote Access Users
By default, account lockout is turned off for remote access users. To enable this feature, you need to use the following procedure by modifying the registry. As usual, modify the registry at your own risk.
1. Start the registry editor (regedit.exe).
2. Go to HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.
3. In the right-hand pane, double-click MaxDenials. Notice that the default value is set to zero so account lockout is disabled for remote access users.
4. Enter a number for the maximum invalid attempts that you want to allow in the Value data box (for example, 5).
5. Double-click the ResetTime (mins) value and enter a number in minutes. Notice that the default value is 2,880 minutes (two days). Enter a number in decimal for minutes; for example, enter 120 as a decimal value in the Value data box to reset the counter after 2 hours (see Figure 2).
6. Close the registry editor.
[Click on image for larger view.] |
Figure 2. Enabling account lockout for remote access users in the registry. |
Depending on the authentication method you're using, make sure that you modify the registry on the correct server. For example, if you're using Microsoft's RADIUS server, also known as Internet Authentication Server (IAS), then configure the registry on that server.
Using the settings in this article as an example, if a remote access user is locked out after five invalid attempts, he/she will be able to try again after the counter is reset in two hours. However, if you'd like to unlock the remote access user right away and not wait two hours, you can manually delete the DomainName:Username (e.g., Microsoft:Billg) value in the registry located in the same location where you enabled the lockout feature: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.
Conclusion
If your company is using the account lockout feature on your domain and you also have remote access users who dial-in or use a VPN connection to your network, it's important to understand that they're not affected by the account lockout feature by default. Unless you manually configure your remote access servers and modify the registry, the remote access users -- and your network -- will remain at risk from hackers.
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .
|