Active Directory Active Directory Federation Services Security

ADFS – Extranet Smart Lockout (ESL)

Since June 2018, There is this new feature for your AD FS 2016 infrastructure called Extranet Smart Lockout (ESL). The feature is similar to the one present in the Azure cloud called Azure AD Smart Lockout.

The feature let you differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. As a result, AD FS can lock out attackers while letting valid users continue to use their accounts. This prevents denial-of-service on the user and protects against targeted attacks.

This feature only works for the extranet scenario where authentication requests come through the Web Application Proxy and only applies to username and password authentication.

Advantages of Extranet Smart Lockout in AD FS 2016

Combining the extranet soft lockout features from AD FS 2012 R2 with the extranet Smart Lockout from AD FS 2016 we gain the following key advantages :

  • Protects your user accounts from brute force attacks in which an attacker tries to guess a user’s password by continuously sending authentication requests.
  • Protects your user accounts from Active Directory account lockout from malicious authentication requests with wrong passwords. In this case, although the user account will be locked out for extranet access, the user can still login to AD from the corporate network. This is known as a soft lockout.
  • Protects your users from experiencing extranet account lockout from malicious authentication requests. Smart lockout will prevent potentially malicious requests from unfamiliar locations while allowing the real user to sign on from the extranet from familiar locations (locations from which the user has successfully logged in before).
  • Has a log only mode so that the system can learn good and potentially malicious sign-on activity without locking out any accounts

How-to implement

  1. Update fully your AD FS servers in your farm with the latest Windows updates
  2. Update the AD FS artifact database permissions

Extranet smart lockout requires the creation of a new table in the AD FS artifact database. You need to have an account that has AD FS administrator permissions .This should provide the write permissions to create the table.

C:\>$cred = Get-Credential 
C:\>Update-AdfsArtifactDatabasePermission -Credential $cred

$cred = AD FS account with the permissions.

The commands above may fail due to lack of sufficient permission because your AD FS farm is using SQL Server, and the credential provided above does not have admin permission on your SQL server. In this case, you can configure database permissions manually in SQL Server Database by running the following command when you’re connected to the AdfsArtifactStore database.

ALTER AUTHORIZATION ON SCHEMA::[ArtifactStore] TO [db_genevaservice]

Configure ESL

A new parameter that is named ExtranetLockoutMode is added to support ESL. It contains the following values:

  • ADPasswordCounter–This is the legacy AD FS “extranet soft lockout” mode, which does not differentiate based on location. This is the default value.
  • ADFSSmartLockoutLogOnly–This is Extranet Smart Lockout. Instead of rejecting authentication requests, AD FS writes admin and audit events.
  • ADFSSmartLockoutEnforce–This is Extranet Smart Lockout with full support for blocking unfamiliar requests when thresholds are reached.
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

In this mode, AD FS performs the analysis but does not block any requests because of lockout counters. This mode is used to validate that smart lockout is running successfully before it enables “enforce” mode. The ADFSSmartLockoutLogOnly mode is used to validate that smart lockout is running and to enable AD FS to “learn” familiar locations for users. Once you have been running in log only mode for sufficient time for AD FS to learn login locations and to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to “enforce” mode.

For the new mode to take effect, restart the AD FS service on all nodes in the farm.

Restart-service adfssrv

Two key settings for ESL

Lockout threshold setting

Every time that a password-based authentication is successful, AD FS stores the client IPs as familiar locations in the account activity table.

If password-based authentication fails and the credentials do not come from a familiar location, the failed authentication count is incremented.

After the number of failed password attempts from unfamiliar locations reaches the lockout threshold, if password-based authentication from an unfamiliar location fails, the account is locked out.

Lockout continues to apply to familiar locations separately from this new unfamiliar lockout counter.

AD FS extranet lockout functions independently from the AD lockout policies so its recommanded that you set the ExtranetLockoutThreshold value to a value less than the AD account lockout threshold.

Set-AdfsProperties -ExtranetLockoutThreshold 10

Observation window setting

The observation window setting allows an account to automatically unlock after some time. After the account unlocks, one authentication attempt is allowed. If the authentication succeeds, the failed authentication count is reset to 0. If it fails, the system waits for another observation window before the user can try again.

Set-AdfsProperties -ExtranetObservationWindow ( new-timespan -minutes 5 )

Enable lockout

Extranet lockout can be enabled or disabled with those commands.

Set-AdfsProperties -EnableExtranetLockout $true
Set-AdfsProperties -EnableExtranetLockout $false

 

Managing ESL

Manage user account activity

  • Get-ADFSAccountActivityRead the current account activity for a user account. The cmdlet always automatically connects to the farm master by using the Account Activity REST endpoint. Therefore, all data should always be consistent
    Get-ADFSAccountActivity user@contoso.com
  • Set-ADFSAccountActivityUpdate the account activity for a user account. This can be used to add new familiar locations or erase state for any account.
    Set-ADFSAccountActivity user@contoso.com -FamiliarLocation “1.2.3.4”
  • Reset-ADFSAccountLockoutResets the lockout counter for a user account
    Reset-ADFSAccountLockout user@contoso.com -Familiar

Troubleshooting

Updating database permissions

If any errors are returned from the Update-AdfsArtifactDatabasePermission cmdlet, verify the following:

  • Verification will fail if nodes are on the farm list but are no longer members of the farm. This can be fixed by running remove-adfsnode <node name>.
  • Verify that the update is deployed on all nodes in the farm.
  • Verify that the credentials that are passed to the cmdlet have permission to modify the owner of the AD FS artifact database schema.

Logging/auditing

When an authentication request is rejected because the account exceeds the lockout threshold, AD FS will write an ExtranetLockoutEvent to the security audit stream.

Example logged event

Uninstall

SQL Server database farms can uninstall the update by using the Settings application without issue.

WID database farms must follow these steps because of the updated WID database verification binary:

  1. Run the Uninstall psh script that stops the service and drops the account activity table.
    Stop-Service adfssrv -ErrorAction Stop 
    
    $doc = new-object Xml
    $doc.Load("$env:windir\ADFS\Microsoft.IdentityServer.Servicehost.exe.config")
    $connString = $doc.configuration.'microsoft.identityServer.service'.policystore.connectionString
    
    if ( -not $connString -like "*##wid*" )
    {
        Write-Error "SQL installs don't require DB updates, skipping DB table drop"
    }
    else
    {
    	$connString = "Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsArtifactStore;Integrated Security=True"
    	stop-service adfssrv
    	$cli = new-object System.Data.SqlClient.SqlConnection
    	$cli.ConnectionString = $connString
    	$cli.Open()
    	try
    	{    
            $cmd = new-object System.Data.SqlClient.SqlCommand
            $cmd.CommandText = "IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[ArtifactStore].[AccountActivity]') AND type in (N'U')) DROP TABLE [ArtifactStore].[AccountActivity]"
            $cmd.Connection = $cli
            $cmd.ExecuteNonQuery() 
        }
        finally
        {
            $cli.CLose()
        }
    
    	write-warning "Finish removing the patch using the Settings app and then restart the complete to complete the uninstall"
    }
  2. Uninstall the update by using the settings application.
  3. Restart the computer.

 

Advertisements

0 comments on “ADFS – Extranet Smart Lockout (ESL)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: