Account Lockout and Password Concepts
Applies To: Windows Server 2003 with SP1
Passwords are an important step in a security plan for your network. Users may see passwords as a nuisance; however, the security of your enterprise relies on a combination of password length, password uniqueness, and password lifespan. These three items help defend against dictionary attacks and brute force attacks. A dictionary attack occurs when a malicious user tries known words that are in the dictionary and a number of common password names to try and guess a password. A brute force attack occurs when a malicious user tries all of the possible permutations until one is successful.
Because most users prefer passwords that they can easily remember, dictionary attacks are often an effective method for a malicious user to find a password in significantly less time than they would with brute force attacks. Therefore, the strength of a password depends on how many characters are in the password, how well the password is protected from being revealed by the owner, how well the password is protected if it is intercepted by a malicious user on the network, and how difficult the password is to guess. Even good passwords that are protected by cryptography on the network and that are not subject to dictionary attacks can be discovered by brute force in a few weeks or months by a malicious user who intercepts the password on the network.
Currently, several attack methods are based on guessing weak passwords by using dictionary and brute force attacks. For a few simple ways to help prevent these attacks, including ports to block and registry values that you can set, see "Protecting from External Lockout Denial of Service Attacks" in this document.
Frequently, a malicious user will guess a number of passwords during a password-based attack. To help prevent the attacks from being successful, you can configure account lockout settings. The result of this configuration is that the associated account is temporarily disabled after a specified number of incorrect passwords are tried. This helps to prevent a successful attack by preventing the account from being used. However, a legitimate user cannot use that account until it is unlocked. This paper discusses the balance between the benefits and risks of account lockout.
Understanding Password Complexity
A complex password that is enforced by the operating system is one of the most effective methods that you can use to deter the opportunity for a successful attack. When you configure both an expiration time and a minimum length for a password, you decrease the time in which a successful attack could occur. For example, when you enforce password complexity with a password length of 6 and set the password to expire in 60 days, a user can choose from a permutation of:
26 lowercase characters
26 uppercase characters
32 special characters
10 numerals (0 through 9)
This means that:
26 + 26 + 32 + 10 = 94 possible characters in a password
Password length policy = 6
94^6 = 689,869,781,056 unique password permutations
With a 60-day password expiration time, the malicious user would have to make 133,076 password attempts every second to attempt all of the possible passwords during that password's limited lifetime. If it takes only 50 percent of the permutations to guess the password, a malicious user would have to attempt to log on to the computer about 66,538 (133,076 * .50) times every second to discover the password before it expires.
To decrease the chance that a malicious user discovers the password, you can use a password length of 7. When you set the minimum password length to 7, the possible password permutations exceed 64 trillion (94^7 = 64,847,759,419,264). When you compare the calculations above for a password length of 6 with those for a password length of 7, you will notice that the malicious user would have to log on to the computer about 6,254,606 times for each second that the password is valid in the 60-day expiration time that you set, again assuming that only 50 percent of the permutations must be tried.
The following list describes how increasing password length deters both dictionary and brute force attacks. Note that the examples in this list assume that you have applied a policy that requires users to create complex passwords. When you do this, there are 94 possible characters from which the users can choose their password.
6 characters: 94^6 = 689,869,781,056
7 characters: 94^7 = 64,847,759,419,264
8 characters: 94^8 = 6,095,689,385,410,816
9 characters: 94^9 = 572,994,802,228,616,704
10 characters: 94^10 = 53,861,511,409,489,970,176
A few of these password possibilities are not valid. By default, users cannot choose any part of their user name for their password and they cannot use all of the same characters as a password. Because of this, these password possibilities must be deducted from the total number of possible passwords that are listed above. Because there are very few passwords that apply to these exceptions and because the number of passwords that do apply to these exceptions can vary (based on the number of letters that are in the user's logon name), this document does not account for these exceptions.
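The following Python code is an added example, not part of the Microsoft paper, that reproduces the password-space arithmetic above and generalizes it to any password length, character-set size, lifetime and fraction of the space searched. The function and constant names are the example's own. Exact rational arithmetic is used because 94^9 already exceeds what a double can hold without rounding.

```python
# Added example, not from the Microsoft paper: the password-space arithmetic the
# text walks through, generalised to any length, character set and lifetime.
from fractions import Fraction

# Character classes a complex password may draw from, as counted in the text.
LOWERCASE, UPPERCASE, NUMERALS, SPECIAL = 26, 26, 10, 32
COMPLEX_CHARSET = LOWERCASE + UPPERCASE + NUMERALS + SPECIAL  # 94

SECONDS_PER_DAY = 24 * 60 * 60


def permutations(length, charset=COMPLEX_CHARSET):
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def guesses_per_second(length, lifetime_days, fraction="1", charset=COMPLEX_CHARSET):
    """Guess rate an attacker must sustain to cover `fraction` of the space
    before a password with the given lifetime expires.

    Fraction keeps the arithmetic exact (94**9 is already above 2**53, where a
    float would silently drop digits). Floor division truncates to whole
    guesses, matching the figures quoted in the text.
    """
    total = Fraction(permutations(length, charset)) * Fraction(fraction)
    return total // (lifetime_days * SECONDS_PER_DAY)


def days_to_exhaust(length, rate_per_second, fraction="1", charset=COMPLEX_CHARSET):
    """Inverse view: days needed at a fixed guess rate to cover `fraction` of
    the space. Useful when choosing a maximum password age against a known
    guessing capability. Returns an exact Fraction.
    """
    total = Fraction(permutations(length, charset)) * Fraction(fraction)
    return total / (rate_per_second * SECONDS_PER_DAY)


def keyspace_table(min_len=6, max_len=10, charset=COMPLEX_CHARSET):
    """The text's table of permutations by length, as {length: count}."""
    return {n: permutations(n, charset) for n in range(min_len, max_len + 1)}


if __name__ == "__main__":
    for n, count in keyspace_table().items():
        print(f"{n} characters: 94^{n} = {count:,}")
    print("6 chars, 60 days, full space:", f"{guesses_per_second(6, 60):,}", "guesses/s")
    print("6 chars, 60 days, half space:", f"{guesses_per_second(6, 60, '0.5'):,}", "guesses/s")
    print("7 chars, 60 days, half space:", f"{guesses_per_second(7, 60, '0.5'):,}", "guesses/s")
    print("8 chars at 10^9 guesses/s, half space:",
          f"{float(days_to_exhaust(8, 10**9, '0.5')):,.1f}", "days")
```

Running the block prints the same 133,076, 66,538 and 6,254,606 figures the text derives; `days_to_exhaust` answers the question a policy author actually has (how long a password of a given length survives a given guess rate), which is the lifetime the expiration setting should stay under.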
These statistics explain how difficult it is for a malicious user to discover a password when you require the users in your network to use a complex password. Because of this, Microsoft recommends that you enforce a complex password policy that requires users to choose passwords with a specific number of characters for the security needs of your organization. The "Password Policies Settings" section in this document describes the complex password policies and settings for Microsoft® Windows NT® Server 4.0, the Windows® 2000 family, and the Windows Server 2003 family of operating systems.
Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords. The following section provides more information about how you can use the account lockout feature.
Authentication is the process of validating a user name and password on a domain controller for:
The initial logon to either a workstation or domain that uses the CTRL+ALT+DELETE secure logon sequence.
An attempt to unlock a locked workstation by using the CTRL+ALT+DELETE secure logon sequence.
An attempt to type a password for a password-protected screen saver.
A user, script, program, or service that attempts to connect to a network resource by using either a mapped drive or a Universal Naming Convention (UNC) path.
An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out.
There are two primary authentication protocols used by Windows: NTLM and Kerberos. This paper assumes you are familiar with these authentication protocols and does not focus on authentication details. Instead, the focus is placed on how authentication plays a role in account lockout. For more information about authentication protocols, see online help in Windows XP and the Windows Server 2003 family.
How Domain Controllers Verify Passwords
To illustrate the authentication process, the following diagram describes the steps that occur when a logon attempt does not work.
Figure 1: Process for a Failed Logon Attempt
The client computer presents the user logon information to a domain controller. This includes the user's account name and a cryptographic hash of their password. This information can be sent to any domain controller and is typically sent to the domain controller that is identified as the closest domain controller to the client computer.
When a domain controller detects that an authentication attempt did not work and a condition of STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned, the domain controller forwards the authentication attempt to the primary domain controller (PDC) emulator operations master. Essentially, the domain controller queries the PDC to authoritatively determine if the password is current. The domain controller queries the PDC for this information because the domain controller may not have the most current password for the user but, by design, the PDC emulator operations master always has the most current password.
The authentication request is retried by the PDC emulator operations master to verify that the password is correct. If the PDC emulator operations master rejects the bad password, the PDC emulator operations master increments the badPwdCount attribute for that user object. The PDC is the authority on the user's password validity.
The failed logon result information is sent by the PDC emulator operations master to the authenticating domain controller.
The authenticating domain controller also increments its copy of the badPwdCount attribute for the user object.
The authenticating domain controller then sends a response to the client computer notifying it that the logon attempt did not work.
As long as that user, program, or service continues to send incorrect credentials to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC until the threshold value for incorrect logon attempts is reached (if you set it in a policy). When this occurs, the account is locked out.
For more information, see "How the Bad Password Count Is Incremented in Windows NT" in the Microsoft Knowledge Base.
New Features in the Windows Server 2003 Family
In the Windows Server 2003 family of operating systems, Microsoft has improved the function of the Account Lockout feature on both servers and client computers.
Computers Running Windows Server 2003 That Act As Network Servers
To improve the experience for users and to decrease the overall total cost of ownership, Microsoft made the following changes to the behavior of domain controllers in the Windows Server 2003 family:
Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries in the password history, badPwdCount is not incremented for either NTLM or the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error.
Single user object on demand replication: See the "Urgent Replication" section in this document for more information.
Optimized replication frequency: The default frequency for replication between sites is to replicate every 15 minutes with a 3-second offset to stagger the replication interval. This optimization improves the replication of a password change in a site because it decreases the chances that the domain controller would have to contact the PDC operations master.
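The following Python code is an added example, not the paper's or Windows' own code, that models two things described above: the failed-logon flow in "How Domain Controllers Verify Passwords" (the authenticating domain controller retries at the PDC emulator, both increment their copy of badPwdCount, and the account locks at the threshold) and the Windows Server 2003 N-2 password-history check. The hash function, the replication calls, the class and method names, and the per-DC status report (modelled on what LockoutStatus.exe shows) are all simplifications made for the example.

```python
# Added example, not the paper's or Windows' own code: a simplified model of the
# failed-logon flow (authenticating DC forwards to the PDC emulator, both track
# badPwdCount, lockout at the threshold) plus the Windows Server 2003 N-2
# password-history check. Hashing and replication are stand-ins.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_WRONG_PASSWORD = "STATUS_WRONG_PASSWORD"
STATUS_ACCOUNT_LOCKED_OUT = "STATUS_ACCOUNT_LOCKED_OUT"


def credential_hash(password: str) -> str:
    """Stand-in for the real credential hash (assumption for the model only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserRecord:
    """One DC's replica of a user object's password-related attributes."""
    password_hash: str
    history: List[str] = field(default_factory=list)  # older hashes, oldest first
    badPwdCount: int = 0
    locked_out: bool = False

    def copy(self) -> "UserRecord":
        return UserRecord(self.password_hash, list(self.history),
                          self.badPwdCount, self.locked_out)


@dataclass
class DomainController:
    name: str
    lockout_threshold: int          # 0 means accounts are never locked out
    history_check: bool             # True = Windows Server 2003 N-2 behaviour
    is_pdc: bool = False
    pdc: Optional["DomainController"] = None
    users: Dict[str, UserRecord] = field(default_factory=dict)

    def set_password(self, user: str, password: str) -> None:
        """Password change on this DC; other DCs see it only after replicate_from."""
        rec = self.users[user]
        rec.history.append(rec.password_hash)
        rec.password_hash = credential_hash(password)
        rec.badPwdCount = 0

    def replicate_from(self, other: "DomainController", user: str) -> None:
        """Copy the user object from another DC (normal or urgent replication)."""
        self.users[user] = other.users[user].copy()

    def _record_bad_password(self, rec: UserRecord, attempted: str) -> None:
        # N-2 check: one of the last two passwords is user error, not a guess.
        if self.history_check and attempted in rec.history[-2:]:
            return
        rec.badPwdCount += 1
        if self.lockout_threshold and rec.badPwdCount >= self.lockout_threshold:
            rec.locked_out = True

    def authenticate(self, user: str, password: str) -> str:
        rec = self.users[user]
        attempted = credential_hash(password)
        if rec.locked_out:
            return STATUS_ACCOUNT_LOCKED_OUT
        if attempted == rec.password_hash:
            rec.badPwdCount = 0
            return STATUS_SUCCESS
        if not self.is_pdc and self.pdc is not None:
            # Local mismatch: retry at the PDC emulator, which always has the
            # newest password and is authoritative on the password's validity.
            result = self.pdc.authenticate(user, password)
            if result == STATUS_WRONG_PASSWORD:
                self._record_bad_password(rec, attempted)   # our copy counts too
            if result != STATUS_SUCCESS:
                rec.locked_out = self.pdc.users[user].locked_out  # lockout state from PDC
            return result
        # We are the PDC (or a lone DC): authoritative rejection.
        self._record_bad_password(rec, attempted)
        return STATUS_WRONG_PASSWORD


def lockout_status(dcs, user):
    """Per-DC view of badPwdCount and lockout, like LockoutStatus.exe displays."""
    return {dc.name: (dc.users[user].badPwdCount, dc.users[user].locked_out) for dc in dcs}


def run_scenario(threshold=3, history_check=True):
    """Constructed scenario; returns each step's status plus the per-DC view."""
    pdc = DomainController("PDC01", threshold, history_check, is_pdc=True)
    dc02 = DomainController("DC02", threshold, history_check, pdc=pdc)
    pdc.users["alice"] = UserRecord(credential_hash("Winter2003!"))
    dc02.replicate_from(pdc, "alice")
    pdc.set_password("alice", "Spring2004!")            # change not yet on DC02
    steps = [dc02.authenticate("alice", "Spring2004!")]  # stale DC02 defers to PDC
    dc02.replicate_from(pdc, "alice")
    steps.append(dc02.authenticate("alice", "Winter2003!"))  # old password (N-2 case)
    for guess in ("guess1", "guess2", "guess3"):
        steps.append(dc02.authenticate("alice", guess))
    steps.append(dc02.authenticate("alice", "Spring2004!"))  # correct, but locked
    return steps, lockout_status([pdc, dc02], "alice")
```

With `history_check=True` the attempt using the previous password is refused but not counted, so three wrong guesses are needed before the threshold of 3 locks the account; with `history_check=False` (pre-2003 behaviour) that same attempt counts and the account locks one guess earlier. With `threshold=0` nothing ever locks, and the final correct logon on DC02 resets only DC02's badPwdCount while the PDC still holds 3, which is why a per-DC view of the counter is needed when troubleshooting.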
Computers Running Windows Server 2003 Family Acting As Network Clients
Microsoft has added the following features in the Windows Server 2003 family to gather the process ID that is using the credentials that fail authentication:
Auditing logon changes: There are entries for all logon and logoff events (528 and 540, as well as 529 through 539).
Auditing of processes encountering authentication failures: New information is added to the Security event log when authentication failures occur:
Caller User Name
Caller Logon ID
Caller Process ID
To use the process ID, turn on success auditing for Audit process tracking events so that you can obtain the process identifier (PID) for the associated Event 592. If you do not do this, the PID is not useful after the process stops. To view audit process tracking, in the Group Policy Microsoft Management Console (MMC), in the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
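The following Python code is an added example, not from the paper, showing why the process-tracking audit matters: it correlates the Caller Process ID recorded on failed-logon events with the preceding event 592 for the same PID to name the process that presented the bad credentials, and totals failures per user and image so a repeat offender (typically a service or scheduled task holding a stale password) stands out. The record layout, field names other than those the text names, and all sample events are constructed for the example.

```python
# Added example, not from the paper: correlating the Caller Process ID that
# Windows Server 2003 records on failed-logon audit events with the
# process-tracking event 592 that names the process image. The record layout
# and sample data below are constructed for the example, not real log output.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Logon failure IDs in the 529-539 range the text lists (538 is a logoff).
LOGON_FAILURE_IDS = set(range(529, 538)) | {539}
PROCESS_CREATED_ID = 592


@dataclass
class AuditEvent:
    time: str            # HH:MM:SS; events are assumed already sorted by time
    event_id: int
    fields: Dict[str, str]


# Constructed sample: a scheduled tool keeps presenting a stale password,
# one failure arrives with no matching 592, and PID 1544 is later reused.
SAMPLE_EVENTS = [
    AuditEvent("09:14:02", 592, {"New Process ID": "1544", "Image File Name": r"C:\Tools\backup.exe"}),
    AuditEvent("09:14:05", 529, {"User Name": "svc_backup", "Caller Process ID": "1544",
                                 "Caller User Name": "SERVER01$", "Caller Logon ID": "(0x0,0x3E7)"}),
    AuditEvent("09:14:35", 529, {"User Name": "svc_backup", "Caller Process ID": "1544",
                                 "Caller User Name": "SERVER01$", "Caller Logon ID": "(0x0,0x3E7)"}),
    AuditEvent("09:15:05", 529, {"User Name": "svc_backup", "Caller Process ID": "1544",
                                 "Caller User Name": "SERVER01$", "Caller Logon ID": "(0x0,0x3E7)"}),
    AuditEvent("09:16:10", 529, {"User Name": "jdoe", "Caller Process ID": "2200",
                                 "Caller User Name": "jdoe", "Caller Logon ID": "(0x0,0x1A2B3)"}),
    AuditEvent("09:20:00", 592, {"New Process ID": "1544", "Image File Name": r"C:\Windows\notepad.exe"}),
    AuditEvent("09:20:30", 529, {"User Name": "jdoe", "Caller Process ID": "1544",
                                 "Caller User Name": "jdoe", "Caller Logon ID": "(0x0,0x1A2B3)"}),
]

UNKNOWN = "unknown (no 592 seen for this PID: process tracking off, or event missing)"


def attribute_failures(events: List[AuditEvent]) -> List[Tuple[str, str, str, str]]:
    """Walk events in time order, remembering the latest image per PID from 592
    events, and label each logon failure as (time, user, pid, image).

    Processing in order is what makes PID reuse come out right: a PID maps to
    whichever process most recently started with it, so a failure after the
    second 592 for PID 1544 is attributed to notepad.exe, not backup.exe.
    """
    image_by_pid: Dict[str, str] = {}
    out: List[Tuple[str, str, str, str]] = []
    for ev in events:
        if ev.event_id == PROCESS_CREATED_ID:
            image_by_pid[ev.fields["New Process ID"]] = ev.fields["Image File Name"]
        elif ev.event_id in LOGON_FAILURE_IDS:
            pid = ev.fields.get("Caller Process ID", "")
            out.append((ev.time, ev.fields.get("User Name", "?"), pid,
                        image_by_pid.get(pid, UNKNOWN)))
    return out


def failures_by_image(events: List[AuditEvent]) -> Counter:
    """Count failures per (target user, image). The pair that climbs fastest is
    the usual source of a repeated lockout, such as a service with a stale password."""
    return Counter((user, image) for _, user, _, image in attribute_failures(events))


if __name__ == "__main__":
    for row in attribute_failures(SAMPLE_EVENTS):
        print(*row, sep="  ")
    for (user, image), n in failures_by_image(SAMPLE_EVENTS).most_common():
        print(f"{n}x  {user}  {image}")
```

The `UNKNOWN` label is the case the text warns about: without success auditing for process tracking there is no 592 to join against, and once the process has exited the PID alone identifies nothing.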
Microsoft has added the following administrative enhancements to provide more account lockout information than the information that is available in the default configuration of the Windows Server 2003 family:
AcctInfo.dll: The AcctInfo.dll file is a property page extension for user objects in the Active Directory Users and Computers MMC that provides detailed information about user password attributes. An administrator can use the AcctInfo.dll file to reset user account passwords on a domain controller that is in the user's Active Directory site.
LockoutStatus.exe: The LockoutStatus.exe tool displays bad password count and time information from all of the domain controllers that are in a domain. You can run this tool as either a stand-alone tool or as an extension to the AcctInfo.dll file when you place it in the Systemroot\System32 folder on your computer.
More information about both AcctInfo.dll and LockoutStatus.exe is available in "Account Lockout Tools" in this document.