Access Denied: Configuring a Separate Lockout Policy for Remote Access

Can we depend on our domain account lockout policy to protect us from attackers trying to use our remote access VPN server to guess passwords? Can we enforce separate domain account lockout policies on internal and external connection attempts so that we can put in place a stronger lockout policy on remote access connection attempts?

The short answer to both questions is yes. Your domain's account lockout policy applies to failed authentication attempts that originate from outside your LAN (i.e., remote access attempts) as well as those that originate within your LAN. And you can treat remote access authentication attempts differently from internal logon attempts.

Windows supports a separate and distinct lockout mechanism for remote access clients. You can manually configure this mechanism through the registry on the server on which remote access authentication takes place. If your VPN server runs RRAS and uses the Windows authentication mode, configure the remote access lockout policy on that server's registry. If your VPN server uses Remote Authentication Dial-In User Service (RADIUS) to authenticate against an Internet Authentication Service (IAS) server, configure the remote access lockout policy in the IAS server. To check which type of authentication your VPN server uses, open the Microsoft Management Console (MMC) Routing and Remote Access snap-in, select your server, and open its properties. Select the Security tab and look at the authentication provider, which will be either Windows Authentication or RADIUS Authentication. If you use RADIUS Authentication, click Configure to see what RADIUS server your VPN server uses.

To configure the lockout mechanism for remote access clients, you need to configure two REG_ DWORD values in the HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetServices RemoteAccessParametersAccount Lockout registry subkey. You need to set MaxDenials to a value of 1 or higher to enable account lockout. MaxDenials specifies how many failed attempts Windows allows before locking the account. The second value, ResetTime (mins), specifies the time period within which the MaxDenials number of failed attempts must occur before Windows locks out the account. For example, if you set MaxDenials to three and ResetTime (mins) to 1440, Windows would lock the account if three consecutive authentication failures occurred within any 24-hour time period. After setting the MaxDenials and ResetTime values, restart RRAS and IAS.

Windows counts only consecutive failed attempts toward the MaxDenials value. For example, if a user fails authentication twice in a row, then succeeds, disconnects, and unsuccessfully tries to connect again within the same day, Windows wouldn't lock out the user. When Windows uses this policy to lock out an account, the OS locks out the user only from remote access connections. The domain controllers (DCs) continue to handle failed logons from the intranet the usual way (i.e., by using the account lockout policy you've defined for the domain in the Default Domain Policy Group Policy Object—GPO), and the domain continues to count failed remote access connections.

For example, say that your domain is configured to lock out accounts after five failed logons within 8 hours and your remote access lockout policy is configured for three failed logons within 24 hours. An attacker on the Internet fails two consecutive logon attempts on Fred's account. Fred then plugs in his laptop at the office and successfully logs on with his first attempt. At this point, the VPN server is poised to lock out Fred's account after one more failure from the Internet, but the domain resets its counter for Fred to 0 because he logged on successfully through the intranet. If the attacker continues and fails another authentication attempt, Windows would lock out Fred's account for remote access. The DC would then be ready to lock out his account for all types of logon after four more failures, whether those failures originate from within or outside the intranet.

You can configure the domain account's lockout policy to automatically unlock an account after a specified amount of time. However, you must always manually unlock accounts that the remote access lockout policy locks out. To unlock accounts manually, navigate to the HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesRemoteAccessParametersAccountLockout registry subkey. If Fred is in the Acme domain, you should see a key named ACME:fred. Delete this key to let Fred attempt remote access again.