What are Windows cached credentials?
The purpose of Windows cached credentials is to enable users to log into their accounts and access network resources even when the authentication server is unavailable, such as during offline use, while also improving login performance by reducing the need for frequent server authentications.
Cached credentials are stored locally on a user’s computer in Windows Credential Manager so that they can log on to a domain even if the domain controller is unavailable. This is useful in situations where the user is working in a remote location and the domain controller is not reachable. However, it can also lead to account lockouts if the user’s password changes and the cached credentials are not updated.
What causes the account to lock out?
Here is an example of how cached credentials can cause Active Directory account lockouts:
- A user logs on to a domain controller and their credentials are cached locally.
- The user changes their password on a different computer, or it may be reset by an Administrator using the Active Directory Users and Computers console.
- The user tries to log on to a domain controller using their old password.
- The domain controller rejects the login attempt because the password is incorrect.
- The user continues to try to log on using their old password, which the domain controller continues to reject.
- After a certain number of failed login attempts, the user’s account is locked out.
The reason why this happens is that Credential Manager only knows the user’s old password, while the domain controller only knows the user’s new password. So, when the user tries to log on using their old password, the domain controller thinks that the user is trying to guess or brute force their account.
Could Outlook or OWA cause AD account lockouts?
Outlook or Outlook Web Access (OWA) can potentially cause an Active Directory account lockout. This can happen in several scenarios:
- Incorrect Credentials: If an email client is configured with outdated or incorrect credentials and it attempts to connect to the server multiple times, it can trigger the account lockout policy in Active Directory. This is a common issue when a user changes their AD password but does not update it in their email client.
- Stored Credentials: If a user has stored their credentials in the email client or in the operating system’s credential manager, and these credentials become outdated (like after a password change), the email client might continuously try to authenticate with the old credentials, leading to account lockout.
- Mobile Devices and Apps: If a user has their email account configured on a mobile device or app, and the device tries to connect with old credentials, this can also cause account lockouts.
- Multiple Sessions: In some cases, having multiple active sessions or connections to the email server (e.g., multiple devices or browser tabs) might result in repeated authentication failures, potentially triggering a lockout.
What can be done to prevent account lockouts due to cached credentials?
- Set the Maximum Simultaneous Logon Attempts policy to a low value, such as 3 or 5. This will prevent users from making too many failed login attempts in a short period of time.
- Configure the Stored User Names and Passwords policy to only store the user’s password for a short period of time, such as one hour. This ensures that the cached credentials expire and the user is prompted for credentials shortly after changing their password.
- Implementing a policy to sync passwords across all devices and services can also help ensure cached credentials are updated periodically.
- Consider implementing single sign-on (SSO) solutions, which can help manage authentication more efficiently and reduce the likelihood of such lockouts.
In addition to these preventive measures, it is also important to monitor your Active Directory environment for account lockouts. If you see a sudden increase in account lockouts, it could be a sign that there is a problem with cached credentials.
How to check for account lockouts using Event Viewer
To check Windows Server event logs for an account lockout, you can use the Event Viewer, a built-in tool in Windows Server that logs every significant action, including account lockouts. Account lockouts are typically logged in the Security log. Here’s a step-by-step breakdown of how to check for account lockout events.
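The same Security log check can be scripted. The PowerShell below is an added example, not part of the original article: it reads lockout events (Event ID 4740) from the PDC emulator and groups them by user and caller computer, which points at the device still presenting an old password. The function name Get-LockoutSource, the 24-hour window and the repeat threshold of 2 are assumptions made for illustration.

```powershell
# Added example (not from the original article).
# Assumes: RSAT ActiveDirectory module, and rights to read the Security log
# on the PDC emulator, where domain lockouts are recorded.
Import-Module ActiveDirectory

function Get-LockoutSource {      # hypothetical helper name
    param([int]$Hours = 24)       # look-back window, an assumed default

    $pdc    = (Get-ADDomain).PDCEmulator
    # Event ID 4740 = "A user account was locked out"
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Read named fields from the event XML rather than positional indexes
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated    = $evt.TimeCreated
                User           = $data['TargetUserName']
                # In 4740 this field carries the caller computer name
                CallerComputer = $data['TargetDomainName']
            }
        }
}

$lockouts = @(Get-LockoutSource -Hours 24)

# A device or client replaying an old password shows up as the same
# user/caller pair locking out again and again.
$lockouts |
    Group-Object User, CallerComputer |
    Where-Object { $_.Count -ge 2 } |        # threshold is an assumption
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
```

Event 4740 is only written when auditing of user account management is enabled on the domain controllers, so an empty result can mean auditing is off rather than that no lockouts occurred.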
Additional tools to monitor your Active Directory environment for account lockouts:
- Microsoft Account Lockout Status Tool (LockoutStatus.exe): This tool helps identify and troubleshoot user account lockouts by gathering and displaying account lockout information from all Domain Controllers.
- Microsoft Advanced Threat Analytics (ATA): ATA is a cloud-based service that can be used to detect and respond to threats to your Active Directory environment. ATA can detect account lockouts and other suspicious activity.
- Security Information and Event Management (SIEM): A SIEM is a software solution that collects and analyzes security logs from multiple sources. SIEM can be used to detect account lockouts and other suspicious activity across your entire IT environment.
Each tool offers different features, from basic log analysis to comprehensive monitoring and alerting capabilities, so the choice depends on the specific needs and complexity of your IT environment.
By following these preventive measures and monitoring your Active Directory environment for account lockouts, you can help to protect your organization from the security risks posed by cached credentials.
Preventing Active Directory account lockouts with a third-party solution
Active Directory (AD) lockouts create havoc in your support center and lead to stolen credentials that are used to compromise corporate networks.
With a third-party solution you can easily add protection to all Exchange Servers. Messageware Exchange Protocol Guard (EPG) provides advanced logon intelligence and control for Microsoft Exchange Servers by monitoring potential risks from attacks against Exchange Server Services. These services are unprotected, even if you are using 2FA / MFA solutions. Hackers probe for exploitable Exchange Services leading to attacks like brute force password guessing, password spraying, and Denial of Service (DoS).
EPG maintains a lockout system independent of Active Directory. By providing Dynamic CAPTCHA to challenge users and bots, EPG eliminates the ability to password spray, and as a result, scripted attacks cannot increase users’ Active Directory lockout counts.
Messageware is a leading provider of products for Microsoft Exchange Server, OWA, 365.