Active Directory (AD) is a primary target for attackers due to its central role in enterprise authentication and authorization. Password attacks against AD often represent an initial access vector, potentially leading to more severe compromises. A layered defense approach is necessary for robust protection. This document outlines strategies to defend AD against such attacks.

Understanding Password Attacks Against Active Directory
What Are Password Attacks?
Password attacks involve automated software systematically attempting username and password combinations until a valid pair is found. Common types include:
- Dictionary Attacks: Use lists of common words, phrases, or previously compromised passwords.
- Pure Brute Force: Attempt all possible character combinations, a computationally intensive method.
Why Active Directory Is Targeted
AD’s position as the central authentication service for most enterprise resources makes it a high-value target. Successful authentication can grant access to servers, workstations, applications, and data. Password reuse between on-premises AD and connected cloud services, like Microsoft 365, expands the attack surface.
Common Attack Vectors
- Direct authentication attempts against domain controllers (e.g., Kerberos, NTLM).
- Authentication attempts in hybrid Azure AD environments, targeting synchronized accounts.
- Exploitation of legacy authentication protocols (e.g., IMAP, POP3, and Basic Authentication on web services like Exchange) that may not support modern lockout mechanisms or MFA effectively.
Account Lockout Cascades
Automated password attacks can trigger account lockouts across numerous user accounts. In hybrid environments, this can affect access to both on-premises and cloud resources, causing substantial business disruption. Security incidents often reveal scenarios where password attacks lead to multiple user account compromises. A recurring theme is the difficulty of maintaining strong security controls without negatively affecting user productivity, especially when frequent lockouts overwhelm help desks.
Core Defense Strategies
A strong defense requires a multi-layered approach, starting with fundamental password policies and extending to advanced technical controls.
Password Security Foundation
Configure Group Policy Objects (GPOs) to enforce robust password requirements.
- Enforce Complexity: Block common passwords, dictionary words, and sequential keyboard patterns (e.g., “qwerty,” “12345”). Consider tools or scripts to build and enforce custom blocklists relevant to your organization.
- Set Minimum Length: Use a minimum password length of at least 15 characters for standard user accounts.
- Require Character Variety: Mandate a mix of uppercase letters, lowercase letters, numbers, and special characters.
- Secure Privileged Accounts: Enforce longer minimum lengths (e.g., 30+ characters) and higher complexity for service accounts and administrative accounts.
- Regularly Review Policies: Review and update password policies to align with current best practices.
You can configure the Default Domain Password Policy using PowerShell. For example, to set minimum password length, history, and maximum age:
# Replace "yourdomain.com" with your actual domain FQDN.
# Note the exact parameter names: -ComplexityEnabled and -ReversibleEncryptionEnabled.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge 90.00:00:00 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false
Integrate systems that check user passwords against databases of known breached credentials.
- Utilize tools like Azure AD Password Protection (for on-premises AD with password hash sync) or third-party solutions.
- Automate notifications or force password resets when a user’s current password appears in a breach database.
Authentication Controls
- Deploy Multi-Factor Authentication (MFA): MFA is an important part of an effective password security strategy; however, depending on the specific configuration, it does not stop brute-force attempts from causing account lockouts, because the password is validated before the second factor is ever requested.
- Deploy MFA for all user accounts, prioritizing administrative accounts, remote access (VPN, RDP gateways), and cloud service access.
- Be aware that most MFA solutions do not protect legacy Exchange protocols like EWS, ActiveSync, and Autodiscover. Also, many popular MFA solutions leave the OWA protocol open to password guessing attacks and resulting account lockouts. Tools like Messageware EPG can supplement MFA by securing these vulnerable endpoints, providing a more complete defense.
- Use Conditional Access policies in Azure AD to enforce MFA based on user, location, device, or risk.
- Support a range of MFA methods: authenticator apps (OTP), FIDO2 security keys, biometrics, or smart cards.
- Educate users about MFA fatigue attacks (where an attacker overwhelms a user with push notifications) and how to report them.
- Configure Account Lockout Policies: Thwart automated password attack attempts by configuring account lockout policies in your domain.
- On-Premises AD: Navigate to Group Policy Management > Forest > Domains > [Your Domain] > Default Domain Policy (or a more specific password policy GPO). Edit the policy and go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
- Configure:
- Account lockout threshold: Number of failed attempts before lockout (e.g., 5-10 attempts).
- Account lockout duration: How long the account remains locked (e.g., 30 minutes or require administrator unlock).
- Reset account lockout counter after: Time after which the failed attempt count resets (e.g., 30 minutes).
- While essential, native AD lockouts can cause significant disruption for legitimate users during a brute-force attack. Specialized tools like Messageware EPG can intelligently identify and stop password attacks before they trigger mass AD lockouts by using an independent lockout system, protecting user productivity and reducing help desk load.
- Implement CAPTCHA: For web-based interfaces that authenticate against AD (e.g., OWA, password reset portals, ADFS extranet access), implement CAPTCHA to prevent automated scripts from submitting login attempts. Solutions like Messageware EPG can add Dynamic CAPTCHA to Outlook Web and ECP logon pages, which appears based on configurable security triggers.
- Secure the Built-in Administrator Account: The built-in “Administrator” account (RID 500) is a common target and cannot be locked out, making it vulnerable to password spraying.
- Rename the default Administrator account to a non-obvious name.
- Set a very long, complex, and unique password for this account.
- Create a decoy “Administrator” account with no privileges and strong auditing. Any login attempt against this decoy account is a strong indicator of malicious activity.
- Move Toward Passwordless Authentication: Reduce reliance on passwords to mitigate associated risks.
- Windows Hello for Business: Uses biometrics or a PIN, backed by TPM-protected credentials, for strong authentication.
- FIDO2 Security Keys: Hardware security keys providing phishing-resistant MFA or passwordless sign-in.
- Certificate-Based Authentication: Deploy a Public Key Infrastructure (PKI) for smart card authentication.
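As an added example (not from the original post) that combines the privileged-account requirements under Password Security Foundation with the lockout values listed above, the following PowerShell applies the domain-wide lockout settings and then creates a fine-grained password policy for a Tier 0 admin group. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the group name, PSO name and sample user are assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

# Domain-wide lockout settings (values from the "Configure Account Lockout Policies" list above)
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Fine-grained policy (PSO) for privileged accounts: 30+ characters, tighter lockout than the domain default.
# 'Tier0-Admins-PSO' and the group 'Tier0-Admins' are assumed names; lower Precedence wins if several PSOs apply.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins-PSO' -Precedence 10 `
    -MinPasswordLength 30 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -PassThru

# Apply the PSO to the admin group rather than to individual users
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Verify what actually applies: a PSO overrides the Default Domain Policy for its subjects
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity 'admin.alice' | Select-Object Name, MinPasswordLength, LockoutThreshold
```

The resultant-policy check is the part to keep in your change procedure: a PSO that is applied to the wrong group silently leaves admins on the weaker domain default.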
Technical Implementation Guide
Network Security
- Isolate Domain Controllers: Place Domain Controllers (DCs) in dedicated, secure network segments (e.g., a Tier 0 management VLAN) and use strict firewall rules to regulate traffic.
- Leverage Organizational Units (OUs): Use a well-designed OU structure to apply targeted security policies via GPOs.
- Monitor and Block Malicious IPs: Use SIEM systems to analyze login event logs (Event ID 4625 for failed logons, 4624 for successful logons). Set up alerts for high volumes of failed logins from a single IP or logins from geographically improbable locations. Tools like Messageware EPG automate this by providing real-time geo-blocking and banning of malicious IPs based on live threat intelligence feeds.
- Use a Web Application Firewall (WAF): If web applications like Outlook Web Access or SharePoint authenticate against AD, protect them with WAFs to inspect traffic, apply rate limiting to login pages, and block known attack patterns.
Legacy Protocol Management
- Disable Basic Authentication: Basic Authentication sends credentials in a less secure manner and often bypasses modern MFA controls. Prioritize disabling Basic Auth in Exchange Online and on-premises systems.
- Restrict Vulnerable Protocols: Where legacy protocols like IMAP, POP3, and SMTP AUTH cannot be disabled, restrict their use. For on-premises Exchange environments, solutions like Messageware EPG provide critical protection by monitoring and controlling logon activities across nine key Exchange protocols, securing them against attacks even if they still rely on Basic Auth.
- Disable Outdated Protocols:
- SMBv1: This protocol has known vulnerabilities. Remove it completely from your environment using PowerShell.
- NTLM: While NTLMv2 is more secure than its predecessors, Kerberos is preferred. Audit and restrict NTLM usage via GPO, working towards a Kerberos-only environment where feasible.
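As an added example (not from the original post) of the SMBv1 removal and NTLM audit steps above, the following PowerShell first audits who still uses SMB1, removes it, and then turns on NTLM auditing so you can see what would break before restricting it. It assumes an elevated session on Windows Server 2016 or later; the registry values are the ones the corresponding GPO settings write, used here for a single server rather than as a replacement for GPO.

```powershell
# Added example, not from the original post. Run elevated on Windows Server 2016 or later.

# 1. Audit SMB1 use before removing it. Audit events land in Microsoft-Windows-SMBServer/Audit (Event ID 3000).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Disable SMB1 at the server and remove the feature entirely (server role).
#    On Windows 10/11 clients use: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# 3. Audit NTLM before restricting it. These are the registry values behind the
#    "Network security: Restrict NTLM" GPO settings; audit first, restrict once the log is quiet.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord   # 2 = audit all incoming NTLM
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord  # 1 = audit outgoing NTLM
# Domain controllers only: audit NTLM authentication for the whole domain (7 = audit all)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                 -Name AuditNTLMInDomain -Value 7 -Type DWord

# NTLM audit results appear in Microsoft-Windows-NTLM/Operational (Event IDs 8001-8004)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational' } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```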
Monitoring and Detection
Enable Advanced Auditing
Configure advanced audit policies via GPO to capture relevant security events.
- Account Logon: Audit Kerberos Authentication Service and Service Ticket Operations.
- Logon/Logoff: Audit Logon (especially Event ID 4625 for failures) and Account Lockout (Event ID 4740).
- Centralize Logs: Collect these logs centrally using Windows Event Forwarding (WEF) to a SIEM or log management solution for analysis and retention.
Deploy Real-Time Analysis Tools
- Use Identity Protection Solutions: Deploy tools that provide real-time analysis and alerting. Microsoft Defender for Identity (MDI) is a cloud-based solution that monitors DC traffic and uses behavioral analytics to detect suspicious activities.
- Leverage Specialized Tools: On-premises security can be enhanced with tools designed to detect patterns that standard policies might miss. Messageware EPG provides advanced logon intelligence to detect both high-volume (brute-force) and low-volume, persistent attacks that fly under the radar of typical AD lockout thresholds. Its real-time reporting and automatic alerts significantly reduce detection and response times.
- Analyze Login Patterns: Use SIEM queries or scripts to identify accounts with a high number of failed logins, source workstations generating attacks, and time-based anomalies.
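As an added example (not from the original post) of the login-pattern analysis described above, the following PowerShell reads the last hour of Event ID 4625 and 4740 events and separates three signals: brute force against one account, a password spray that stays under per-account lockout thresholds, and the computers driving a lockout cascade. It assumes rights to read the Security log on a DC or on the collector receiving forwarded events; the thresholds (20 failures per account, 10 accounts per source) are assumptions to tune.

```powershell
# Added example, not from the original post. Thresholds below are assumptions; tune them to your environment.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's EventData into a simple object. In 4740 the TargetDomainName field holds the
# name of the computer the lockout originated from, which is what you need to trace a cascade.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $data['TargetUserName']
        Source  = if ($e.Id -eq 4625) { $data['IpAddress'] } else { $data['TargetDomainName'] }
        Status  = $data['SubStatus']   # 4625 only: 0xC000006A bad password, 0xC0000064 no such user
    }
}
$failed = $rows | Where-Object Id -eq 4625

# Brute force: many failures against a single account
$bruteForce = $failed | Group-Object Account | Where-Object Count -ge 20 |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

# Password spray: one source hitting many distinct accounts with only a few attempts each,
# which stays below the lockout threshold and is invisible to lockout-only monitoring
$spray = $failed | Group-Object Source | ForEach-Object {
    $distinct = ($_.Group.Account | Sort-Object -Unique).Count
    if ($distinct -ge 10 -and ($_.Count / $distinct) -le 3) {
        [pscustomobject]@{ Source = $_.Name; Accounts = $distinct; Attempts = $_.Count }
    }
}

# Lockout cascade: which computers are generating the 4740 events
$lockouts = $rows | Where-Object Id -eq 4740 | Group-Object Source |
    Sort-Object Count -Descending | Select-Object @{ n = 'CallerComputer'; e = { $_.Name } }, Count

$bruteForce | Format-Table -AutoSize
$spray      | Format-Table -AutoSize
$lockouts   | Format-Table -AutoSize
```

On a domain controller, Kerberos pre-authentication failures are logged as Event ID 4771 and NTLM validation failures as 4776 rather than 4625, so add those IDs (their account and source field names differ) when the DC is the only place you collect from.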
Hybrid Environment Considerations
For organizations with hybrid AD environments, on-premises security directly impacts cloud security.
- Secure Azure AD Connect: If using Password Hash Synchronization (PHS), strong on-premises password policies are essential, as the on-premises AD remains the authority.
- Use Azure AD Smart Lockout: This feature uses cloud intelligence to differentiate between legitimate sign-in attempts and attacks, locking out attackers while allowing legitimate users to continue accessing their accounts.
- Leverage Conditional Access: Use Azure AD Conditional Access policies to enforce granular controls based on device compliance, location, and sign-in risk.
- Implement Azure AD Identity Protection: For advanced risk detection (requires Azure AD Premium P2), use this feature to automatically detect and remediate identity-based risks like leaked credentials, sign-ins from anonymous IPs, and password spray attacks.
Key Takeaways to Protect Active Directory
Incident Response and Recovery
- Password Attack Detection: Early detection is key. Monitor for high rates of failed logins (Event ID 4625) and account lockouts (Event ID 4740). Utilize SIEM alerts and identity protection tools. Consider specialized tools like Messageware EPG to intelligently block attacks in real time, preventing widespread AD account lockouts and reducing help desk load.
- Account Unlock Procedures: Have defined procedures for unlocking accounts. Help desk staff should always verify user identity before unlocking an account.
- Backup and Recovery Plan: Maintain secure, offline, and encrypted backups of Active Directory. Regularly test AD recovery procedures to verify backup integrity and ensure staff are familiar with the process.
Best Practices Summary
- Layered Security Approach: No single solution is foolproof. Employ multiple, complementary defense mechanisms, from strong password policies and MFA to network segmentation and real-time monitoring.
- User Education and Awareness: Train users to create strong, unique passwords, recognize and report phishing attempts, and report any suspicious account activity or lockout issues promptly.
- Continuous Improvement: The threat environment changes constantly. Regularly review and update AD security policies, stay informed about new attack techniques, and adapt security measures to address emerging threats.
Defending Active Directory from password attacks requires ongoing effort and a multi-layered strategy. Attack methods evolve, making proactive security measures far more effective than reactive responses. Building a resilient AD security posture through consistent application of best practices, robust monitoring, and rapid response capabilities is fundamental for the long-term protection of your enterprise resources.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.