As per the following articles, I would recommend the following lockout settings
https://technet.microsoft.com/en-us/library/cc671957(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx
Identifying the source of the account lockouts in a complex environment will be virtually impossible without auditing enabled.
Please note: only events that occurred after auditing was enabled will be logged. It also might be necessary to increase the Security log file size.
In addition to the above, the following settings might provide some extra clues to the source of the lockout. After setting these values, additional logs can be found in Event Viewer under Applications and Services Logs/Microsoft/Windows/NTLM.
Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Value: Enable auditing for all accounts
Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain
Value: Enable All
Part of Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465
Still a useful tool in a pinch.
Please note: the built-in search for account lockouts does not use the newer event IDs. To search for the newer IDs, add 4625, 4740, 4771, 4768 and 4776 to the list.
For details on these events, see
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=676
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=681
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
All gathered events from the selected domain controllers will be saved into text files in the temp folder.
Part of Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465
When you start the tool, you specify the user account to inspect.
Please note: if the lock device is a Domain Controller, you have to follow the trail until you get to the actual source device name.
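The following script is an added example (not from the article and not part of the Microsoft tools it mentions) that does in PowerShell what the auditing section and the note above describe: it collects the 4740 lockout events for one account from every DC, and when the reported caller is itself a DC it follows the trail to that DC's 4771/4776/4625 events. It assumes the RSAT ActiveDirectory module, remote event-log access to the DCs, and that auditing was enabled before the lockouts happened.

```powershell
# Added example, not from the article or the Microsoft tools it mentions.
# Event 4740 on the DCs names the "Caller Computer Name" (the lock device);
# when that caller is itself a DC, the trail continues on that DC, whose
# 4771/4776/4625 events carry the real client name or IP address.
# Assumes RSAT's ActiveDirectory module and remote event-log access to the DCs.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# EventData <Data Name="..."> nodes as a name -> value hashtable, read by name not index.
function ConvertTo-EventFields($Event) {
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

function Get-UserEvents([string]$Server, [int[]]$Ids) {
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $since } |
    ForEach-Object {
        $evt = $_; $f = ConvertTo-EventFields $evt
        if ($f.TargetUserName -ne $SamAccountName) { return }   # other accounts
        $src = switch ($evt.Id) {
            4740 { $f.TargetDomainName }                      # Caller Computer Name
            4776 { $f.Workstation }                           # NTLM source workstation
            4771 { $f.IpAddress }                             # Kerberos client address
            4625 { "$($f.WorkstationName) $($f.IpAddress)" }  # failed logon source
        }
        [pscustomobject]@{ Time = $evt.TimeCreated; DC = $Server; Id = $evt.Id; Source = $src }
    }
}

# Step 1: 4740 lockout events from every DC (the PDC emulator holds copies of all).
$lockouts = @(foreach ($dc in $dcs) { Get-UserEvents $dc 4740 })
$lockouts | Format-Table -AutoSize

# Step 2: when the lock device is a DC, check that DC's failed-logon events.
foreach ($l in $lockouts) {
    $callerDc = $dcs | Where-Object { $_ -eq $l.Source -or $_ -like "$($l.Source).*" } |
        Select-Object -First 1
    if ($callerDc) {
        "Caller $($l.Source) is a DC; failed logons recorded there:"
        Get-UserEvents $callerDc @(4771, 4776, 4625) | Format-Table -AutoSize
    }
}
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 8` from a machine that can reach the DCs; if no 4740 rows come back, check that the lockout happened after auditing was enabled and that the Security log has not already rolled over.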
See https://www.manageengine.com/products/active-directory-audit
My personal favorite: AD Audit makes finding the device that is locking the account super easy; just use the built-in reports.
See https://www.netwrix.com/account_lockout_examiner.html
Install Netwrix Account Lockout Examiner on another computer, then run it and point it at the device that generates the lockouts.
See https://www.manageengine.com/products/active-directory-audit
As I said before, my personal favorite. After finding the device that is locking the account using the built-in reports, the Account Lockout Analyzer can show the source process that locks the account.
5.4 LAN Manager Authentication Level
Ensure that your LAN Manager Authentication Level is set to the level required by your clients and the authentication methods in use.
5.5 Externally Exposed RDP
Install a tool such as RDP Guard to automatically block external brute-force attacks, or better yet, set up a secure VPN and access RDP only from within that VPN.
5.6 Credential Manager
Disable the Credential Manager service. This will prevent users from saving and using stored passwords.
5.7 Cached Credential
Remove cached credentials for both user and SYSTEM accounts.
For user accounts
rundll32.exe keymgr.dll,KRShowKeyMgr
For SYSTEM accounts
psexec -s -i -d rundll32.exe keymgr.dll,KRShowKeyMgr
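An added example (not from the article) that reports the local state of the settings in 5.4, 5.6 and 5.7 together with the two NTLM audit policies from the auditing section, so the items above can be verified on a host before and after hardening. The registry paths and value names are the policy backing values as I know them (an assumption to verify against your own GPO reports), and the LmCompatibilityLevel meanings follow the Microsoft policy text. Run it in an elevated shell.

```powershell
# Added example, not from the article. Reads the live values behind sections 5.4,
# 5.6 and 5.7 and the NTLM audit policies. Registry locations are assumed from
# the documented policy backing values; verify against your own GPO reports.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 5.4: an unset value means the OS default, which is 3 on supported Windows versions
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$lmNote = if ($null -eq $lm) { $lm = 3; '(not configured, OS default)' } else { '' }
"LmCompatibilityLevel                : $lm = $($lmLevels[[int]$lm]) $lmNote"

# Backing values of the two NTLM audit settings (2 = all accounts, 7 = enable all)
$audIn  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'AuditReceivingNTLMTraffic'
$audDom = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'AuditNTLMInDomain'
"Audit Incoming NTLM Traffic         : $audIn"
"Audit NTLM authentication in domain : $audDom"

# 5.6: the Credential Manager service is VaultSvc
$vault = Get-Service -Name VaultSvc -ErrorAction SilentlyContinue
"Credential Manager (VaultSvc)       : $($vault.Status), StartType $($vault.StartType)"

# 5.7: credentials stored for the current user (SYSTEM's need psexec -s, as above)
$stored = @(cmdkey /list | Where-Object { $_ -match '^\s*Target:' })
"Stored credentials (current user)   : $($stored.Count)"
$stored | ForEach-Object { '    ' + $_.Trim() }
```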
Tips
If the account that you are using for the investigation is locking, rename your username for the duration of the investigation.
Comments (19)
Commented:
Thanks for sharing!
Commented:
I constantly debate with colleagues about password and lockout policies and how most hinder productivity and provide less security. I sure wish I'd had your article to reference. I do now.
Commented:
Regarding the Resetting the cached Creds for SYSTEM accounts
Why do you need to use PSExec if you can do it using the cmd prompt RunDLL32.exe?
Disable the Credential Manager service.
Can that also reset or clear the currently saved credentials within the local OS, or just Microsoft applications only?
Author
Commented: No, it does not clear existing saved credentials.