Extranet ADFS Lockout - Logging (learning) Only


https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection



Log on to ADFS01.

Open PowerShell and run the following commands, supplying the AD FS service account credentials when prompted:

$cred = Get-Credential
Update-AdfsArtifactDatabasePermission -Credential $cred

At the command prompt, type services.msc to open Services.

Note: confirm that Windows Remote Management (WinRM) is started and its startup type is set to Automatic.

Run the following command:

Get-AdfsProperties | select Extranet*

Confirm the following output (the default, unconfigured state):

ExtranetLockoutThreshold  : 2147483647
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : False
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True



Run the following commands to change the lockout policy. The log-only mode records lockout events in the Security log but does not block any sign-ins, which is what makes this a learning phase.

Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutLogOnly

Set-AdfsProperties -ExtranetLockoutThreshold 4
(this sets the lockout threshold to 4 failed password attempts within the observation window)

Set-AdfsProperties -ExtranetObservationWindow 01:00:00

Remove the requirement to validate against the PDC:

Set-AdfsProperties -ExtranetLockoutRequirePDC $False



Run the query again:

Get-AdfsProperties | select Extranet*

Confirm the following output:

ExtranetLockoutThreshold  : 4
ExtranetLockoutMode       : adfssmartlockoutlogonly
ExtranetLockoutEnabled    : False
ExtranetObservationWindow : 01:00:00
ExtranetLockoutRequirePDC : False


Enable the lockout policy:

Set-AdfsProperties -ExtranetLockoutEnabled $True


Restart the AD FS service on all servers:

ADFS01
ADFS02
WAP01
WAP02

IMPLEMENTATION PLAN

Confirm the update level on all servers:
ADFS01
ADFS02
WAP01
WAP02

Bring the patch level of every server up to the required baseline before enabling the policy.

Impact
Reboot servers as required, in staggered order so that one AD FS and one WAP node stay available. No outage is anticipated.



Confirm the service restart on each server and move to the test plan.

TEST PLAN

Confirm the following events appear in the Security audit log.

Observing Audit Events
AD FS writes extranet lockout events to the Security audit log:
- when a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
- when AD FS receives a login attempt for a user who is already in the lockout state
While in log-only mode, check the Security audit log for lockout events. For any event found, check the user's state with the Get-ADFSAccountActivity cmdlet to determine whether the lockout came from familiar or unfamiliar IP addresses, and to double-check the list of familiar IP addresses for that user.

Example event:
Log Name:      Security
Source:        AD FS Auditing
Date:          5/21/2018 12:55:59 AM
Event ID:      1210
Task Category: (3)
Level:         Information
Keywords:      Classic,Audit Failure
User:          CONTOSO\adfssvc
Computer:      ADFS2016FS1.corp.contoso.com
Description:
An extranet lockout event has occurred. See XML for failure details.

Activity ID: fa7a8052-0694-48f0-84e2-b51cde40ac3d

Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ErrorCode>AccountRestrictedAudit</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>http://fs.contoso.com/adfs/services/trust</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>CONTOSO\user</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>N/A</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>64.187.173.10</IpAddress>
      <ForwardedIpAddress>64.187.173.10</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>ADFS2016PROXY2</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</UserAgentString>
      <Endpoint>/adfs/ls/</Endpoint>
    </Component>
    <Component xsi:type="LockoutConfigAuditComponent">
      <CurrentBadPasswordCount>5</CurrentBadPasswordCount>
      <ConfigBadPasswordCount>5</ConfigBadPasswordCount>
      <LastBadAttempt>05/21/2018 00:55:05</LastBadAttempt>
      <LockoutWindowConfig>00:30:00</LockoutWindowConfig>
    </Component>
  </ContextComponents>
</AuditBase>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1210</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x8090000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-21T00:55:59.921880300Z" />
    <EventRecordID>35521235</EventRecordID>
    <Channel>Security</Channel>
    <Computer>ADFS2016FS1.contoso.com</Computer>
    <Security UserID="S-1-5-21-1156273042-1594504307-2076964089-1104" />
  </System>
  <EventData>
    <Data>fa7a8052-0694-48f0-84e2-b51cde40ac3d</Data>
    <Data><?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ErrorCode>AccountRestrictedAudit</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>http://fs.contoso.com/adfs/services/trust</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>CONTOSO\user</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>N/A</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>64.187.173.10</IpAddress>
      <ForwardedIpAddress>64.187.173.10</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>ADFS2016PROXY2</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36</UserAgentString>
      <Endpoint>/adfs/ls/</Endpoint>
    </Component>
    <Component xsi:type="LockoutConfigAuditComponent">
      <CurrentBadPasswordCount>5</CurrentBadPasswordCount>
      <ConfigBadPasswordCount>5</ConfigBadPasswordCount>
      <LastBadAttempt>05/21/2018 00:55:05</LastBadAttempt>
      <LockoutWindowConfig>00:30:00</LockoutWindowConfig>
    </Component>
  </ContextComponents>
</AuditBase></Data>
  </EventData>
</Event>

Observing User Activity
AD FS provides PowerShell cmdlets to view and manage user account activity data. To read the current account activity for a user account, use the cmdlet below:

PS C:\>Get-ADFSAccountActivity user@contoso.com

Example output
Identifier             : CONTOSO\user
BadPwdCountFamiliar    : 0
BadPwdCountUnknown     : 0
LastFailedAuthFamiliar : 1/1/0001 12:00:00 AM
LastFailedAuthUnknown  : 1/1/0001 12:00:00 AM
FamiliarLockout        : False
UnknownLockout         : False
FamiliarIps            : {}

The current activity output contains the following data:
Identifier: the username
BadPwdCountFamiliar: the current count of incorrect password login attempts from IP addresses that were on the "FamiliarIps" list at the time of the attempt
BadPwdCountUnknown: the current count of incorrect password login attempts from IP addresses that were not on the "FamiliarIps" list at the time of the attempt
LastFailedAuthFamiliar: the time of the last incorrect password login attempt from an IP address that was on the "FamiliarIps" list at the time of the attempt
LastFailedAuthUnknown: the time of the last incorrect password login attempt from an IP address that was not on the "FamiliarIps" list at the time of the attempt
FamiliarLockout: whether the user is currently in a lockout state for login attempts from IP addresses on the "FamiliarIps" list
UnknownLockout: whether the user is currently in a lockout state for login attempts from IP addresses not on the "FamiliarIps" list
FamiliarIps: the current list of familiar IP addresses for the user
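The test plan above asks you to find Event ID 1210 entries and then check each affected user with Get-ADFSAccountActivity. The following script is an added example, not part of this runbook or of Microsoft's documentation, that automates that correlation: it pulls recent 1210 events, parses the AuditBase XML shown in the sample event, and looks up whether the source IP is on the user's FamiliarIps list. It assumes it is run in an elevated PowerShell session on an AD FS server; the 24-hour look-back window and the output column names are assumptions.

```powershell
# Added example: correlate AD FS extranet lockout audits (Event ID 1210)
# with Get-AdfsAccountActivity while the policy is in log-only mode.
$HoursBack = 24   # assumed look-back window; adjust to the review cadence
$since = (Get-Date).AddHours(-$HoursBack)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 1210
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No extranet lockout (1210) events since $since"
    return
}

$rows = foreach ($e in $events) {
    # Data[0] is the activity id; Data[1] carries the AuditBase XML.
    [xml]$audit = $e.Properties[1].Value
    $components = $audit.AuditBase.ContextComponents.Component
    $resource = $components | Where-Object { $_.type -eq 'ResourceAuditComponent' }
    $request  = $components | Where-Object { $_.type -eq 'RequestAuditComponent' }
    $lockout  = $components | Where-Object { $_.type -eq 'LockoutConfigAuditComponent' }

    $user = $resource.UserId
    # Prefer the forwarded (client) address; fall back to the direct one.
    $ip = $request.ForwardedIpAddress
    if (-not $ip -or $ip -eq 'N/A') { $ip = $request.IpAddress }

    # Is the source IP already familiar for this user?
    $activity = Get-AdfsAccountActivity $user -ErrorAction SilentlyContinue
    $familiar = $null
    $unknownLockout = $null
    if ($activity) {
        $familiar = [bool]($activity.FamiliarIps -contains $ip)
        $unknownLockout = $activity.UnknownLockout
    }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        User           = $user
        SourceIp       = $ip
        Proxy          = $request.ProxyServer
        BadPwdCount    = $lockout.CurrentBadPasswordCount
        Threshold      = $lockout.ConfigBadPasswordCount
        FamiliarIp     = $familiar
        UnknownLockout = $unknownLockout
    }
}

# Unfamiliar-IP lockouts are the ones to review as possible password spraying;
# familiar-IP lockouts usually point at a stale cached credential on a device.
$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Where-Object { $_.FamiliarIp -eq $false } |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because the mode is log-only, a row here means the user would have been blocked once the mode changes to enforcing, so use the familiar/unfamiliar split to decide whether the chosen threshold of 4 is appropriate before switching.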



