This article was created to provide guidance to TechNet forum and other Microsoft users who have been investing in perfecting their AD DS Password and Lockout Policies while struggling with the increased operational effort needed to support them. It particularly targets those who are considering lockout policies and are having difficulty troubleshooting lockouts.
Most organizations are now well aware of the need to secure their platforms, and especially their identities, given the possible impact on system availability, integrity and confidentiality if those identities are compromised. When planning a secure implementation, it is important to know that you can be highly secure while keeping the setup easy to operate and maintain and keeping user satisfaction high.
What are the common difficulties?
The following are the difficulties you can encounter when using “highly secure” Password and Lockout Policies:
· Password Policies: It is generally advised to have long passwords that meet complexity criteria and are changed regularly. However, even very long and complex passwords do not mean you are really secure. Hackers have clearly understood that social engineering (such as phishing) is an easier way to obtain user passwords than brute-force or dictionary attacks. It may also be easier to compromise an insecure web portal and insert code that captures the credentials of connecting users and forwards them to the hacker. On the other side, the more demanding your password policy requirements are, the more unsatisfied users you will get. In addition, with everything going mobile, managing password changes becomes trickier, so your users are very likely to become unhappier if you increase the frequency of changes. Many users have also found tricks to work around their password hassles; these make you think you are secure when, at the end of the day, you are not: an end user's password could be “P@ssw0rd123” and then be changed to “P@ssw0rd1234”. While it meets all your password policy requirements, a hacker who knows the previous password will know the new one as well.
· Lockout Policies: Lockout policies are generally implemented to mitigate brute-force and dictionary attacks. While this remains true, the side effect is that they block your real users from working when their accounts are locked. While newer systems tend to add blocking per IP address, this does not entirely fix the issue, especially if your users connect through a web proxy. Imagine that your CEO is about to give a presentation from his/her PC and has to log in to show the PowerPoint slides, but cannot because his/her account is locked. Imagine as well that someone extracts the list of your user accounts and sends a massive number of failed logon attempts just to lock out all of your company's users. This will take tremendous effort to troubleshoot, especially if the logons are not initiated from an AD-integrated machine, and your business users could be completely blocked until you find a solution. This shows how disruptive a lockout policy can be, so you should not forget about it.
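The troubleshooting effort described above starts with finding where the failed logons come from. The following is an added example (not part of the original article) in PowerShell that summarises recent lockouts from the PDC emulator's Security log, where every lockout in the domain is recorded as event ID 4740 together with the caller computer name. It assumes the ActiveDirectory module is installed and that the caller has read access to the domain controller's Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not part of the original article: find where recent lockouts come from.
# Every lockout in the domain is recorded in the PDC emulator's Security log as event
# ID 4740, which names the locked account and the "Caller Computer Name" that submitted
# the bad passwords. Requires the ActiveDirectory module and read access to that log.
Import-Module ActiveDirectory

# Current lockout settings of the default domain policy, for reference.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

function Get-RecentLockout {
    param([int]$Hours = 24)

    # All lockouts are forwarded to the PDC emulator, so one log is enough.
    $pdc = (Get-ADDomain).PDCEmulator

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML. In 4740 the locked account
        # is TargetUserName and the caller computer name is carried in TargetDomainName.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Many different accounts locked from a single caller in a short time is the pattern of
# the mass-lockout scenario described in the article. When the bad passwords arrive
# through a web front end, the caller is that server rather than the user's own PC, which
# is why lockouts that do not originate from an AD-integrated machine are hard to trace.
Get-RecentLockout -Hours 24 |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Accounts that are locked right now; once the source has been stopped, the service
# desk can release real users with Unlock-ADAccount.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

Event 4740 is only written when success auditing for "Audit User Account Management" is enabled on the domain controllers, which the Default Domain Controllers Policy does by default; if the query returns nothing during a known lockout, check that setting first.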
The examples above show that there are no perfect Password and Lockout Policies you can apply. In addition, password protection is fundamentally flawed and can easily be compromised.
How to proceed now?
As mentioned above, no password or lockout policy can be perfect, and you are certainly looking to have secure platforms while increasing user acceptance and decreasing dissatisfaction. The following are a couple of alternatives you can consider:
· Use Multi-Factor Authentication: You can consider implementing at least a two-factor authentication system based on something you know (your credentials) and something you have (your phone). A typical example is a two-factor authentication system that asks for your credentials and then calls your phone to confirm your identity before allowing access. Apart from giving end users the feeling that you are highly secure, you no longer need to manage very complex passwords. If the first factor (credentials) is compromised, it will still be tricky to compromise the second one. Microsoft provides Azure Multi-Factor Authentication, which you can consider implementing, as well as other vendors on the market who are also well reputed for their two-factor authentication implementations. As a recommendation, you may want to consider having SSO for the two-factor authentication to make it easier for your end users to connect to multiple platforms managed by the same two-factor authentication system (e.g. if you go to application A you will be prompted for your credentials and have to answer a phone call, while if you then go to application B you can log in directly since your identity has already been validated).
· Use other compensating controls: Instead of having a lockout policy, you can consider using other compensating controls. These may include, but are not limited to, using Microsoft Advanced Threat Analytics (in case of a brute-force or dictionary attack, you will be alerted without your users being blocked, and you or your service desk can act on the attack: as long as it does not end up in a successful authentication, you still have time to decide on the right response). In addition, with two-factor authentication in use, you can be more reassured, since compromising the credentials does not mean that hackers can use them. Another technique, which applies to organizations with strict business hours, is to allow account logon only during business hours, which protects them from most attacks, since those are expected to happen outside of those hours.
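The business-hours restriction mentioned above is implemented in AD DS through the logonHours attribute, the same value the "Logon Hours" dialog in Active Directory Users and Computers edits. The following is an added PowerShell example (not part of the original article) that builds the 21-byte mask and applies it to the members of a group. The group name, the sample user and the 07:00 to 19:00 Monday to Friday window are assumptions; the bit layout follows the attribute's documented format (one bit per hour of the week, in UTC), so verify the result in the ADUC dialog after applying it.

```powershell
# Added example, not part of the original article: permit logon only during business
# hours by writing the logonHours attribute. Assumed: group 'BusinessHoursUsers',
# sample user 'jdoe', and a 07:00-19:00 UTC Monday-Friday window.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    param(
        [int[]]$Days,       # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,    # first permitted hour (inclusive), in UTC
        [int]$EndHour       # first non-permitted hour (exclusive), in UTC
    )
    # logonHours is 21 bytes = 168 bits, one bit per hour of the week starting at
    # Sunday 00:00 UTC, with bit 0 of byte 0 as the first hour. The domain controller
    # evaluates it in UTC, so convert local business hours before building the mask.
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = ($day * 24) + $hour
            $index = $bit -shr 3                       # which byte
            $mask[$index] = [byte]($mask[$index] -bor (1 -shl ($bit -band 7)))
        }
    }
    return ,$mask
}

# Monday (1) to Friday (5), 07:00 to 19:00 UTC.
$businessHours = New-LogonHoursMask -Days (1..5) -StartHour 7 -EndHour 19

# Apply to every user in the group; nested groups are expanded with -Recursive.
Get-ADGroupMember -Identity 'BusinessHoursUsers' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -Replace @{ logonHours = $businessHours }
    }

# Verify: the attribute reads back as 21 bytes, and ADUC's Logon Hours dialog shows
# the window translated to the console's local time zone.
(Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours.Count
```

New logons outside the window are refused by the domain controller; whether sessions that are already established are cut off when the window closes depends on the "Network security: Force logoff when logon hours expire" security option, so set that as well if the intent is to stop activity, not just new logons.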
Are there other items to consider?
Yes, you certainly use service accounts to run your services. It remains good practice to have very complex passwords for service accounts (e.g. 20 characters with complexity enabled and regular password changes if possible). While a complex password is certainly affordable here and will not impact your users, you should be careful about a lockout policy applied to your service accounts, as locking the account will result in service unavailability.
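One way to give service accounts the long, complex password recommended above without exposing them to the domain lockout policy is a fine-grained password policy (Password Settings Object) whose lockout threshold is zero. The following is an added PowerShell example (not part of the original article); the PSO name, the 'ServiceAccounts' global security group and the sample account 'svc-backup' are assumptions, and the feature requires a domain functional level of Windows Server 2008 or later.

```powershell
# Added example, not part of the original article: a fine-grained password policy for
# service accounts with a 20-character complex password and no lockout.
# Assumed names: PSO 'PSO-ServiceAccounts-NoLockout', global security group
# 'ServiceAccounts', sample account 'svc-backup'.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts-NoLockout'

$pso = @{
    Name                            = $psoName
    Precedence                      = 10       # lower value wins when several PSOs apply
    ComplexityEnabled               = $true
    MinPasswordLength               = 20
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 180)   # regular change "if possible"
    LockoutThreshold                = 0        # 0 = never lock the account out
    LockoutDuration                 = (New-TimeSpan -Minutes 30) # mandatory attributes, unused
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30) # while the threshold is 0
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs can only be linked to users and global security groups, not OUs, so keep the
# service accounts in a dedicated group and link the policy to it.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'ServiceAccounts'

# Verify which policy actually wins for one service account.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Because the policy only removes the lockout, failed logons against these accounts are still written to the domain controllers' Security logs, so the compensating monitoring described earlier still sees a brute-force attempt; it simply no longer takes the service down.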