Tip of the Day: Active Directory Federation Services (ADFS) 2012 R2 Soft Lockout

For companies with low account lockout thresholds, adding an AD FS proxy to their DMZ (which is required for Exchange Online) exposes a denial-of-service method. Many companies set each user's email address as the UPN, and executive email addresses are well known. This gives an attacker a way to lock executives out of their accounts at any time and as often as they like.

In 2012 R2, AD FS adds the ability to soft-lock an account. The administrator can set a threshold that is lower than the domain's account lockout threshold so that, once it is reached, any further password attempts that come through the proxy are never tried against the domain, keeping the user's account active. Enabling this feature and setting the threshold is easy through Windows PowerShell.


ExtranetLockoutEnabled - enables or disables soft lockout

ExtranetLockoutThreshold - number of bad attempts allowed before soft lockout

ExtranetObservationWindow - lockout time frame
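The following is an added example, not a script from the original tip: it reads the domain's own lockout threshold, enables AD FS extranet soft lockout with a threshold kept below that value, and then reads the properties back to confirm. It assumes it is run on the primary AD FS 2012 R2 server with the ADFS and ActiveDirectory PowerShell modules available; the 30-minute observation window and the fallback threshold of 5 are constructed sample values, not recommendations from the original post.

```powershell
# Added example (not part of the original tip): enable AD FS 2012 R2 extranet soft lockout
# with a threshold below the domain's account lockout threshold, then verify the result.
# Assumptions: run as an AD FS administrator on the primary AD FS server, with the
# ADFS and ActiveDirectory PowerShell modules installed.

Import-Module ActiveDirectory
Import-Module ADFS

# Read the domain's lockout policy so the AD FS threshold can stay below it.
$domainPolicy    = Get-ADDefaultDomainPasswordPolicy
$domainThreshold = $domainPolicy.LockoutThreshold   # 0 means the domain never locks accounts

if ($domainThreshold -eq 0) {
    # No domain lockout to protect against; soft lockout still throttles guessing through the proxy.
    Write-Warning "Domain lockout threshold is 0; using a constructed sample threshold of 5 for AD FS."
    $adfsThreshold = 5
} else {
    # Stop at the proxy before the domain's bad-password counter reaches its own limit.
    $adfsThreshold = [Math]::Max(1, $domainThreshold - 1)
}

# Constructed sample window of 30 minutes; tune to your environment.
$window = New-TimeSpan -Minutes 30

# Apply the three settings named in the tip.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $adfsThreshold `
                   -ExtranetObservationWindow $window

# Verify the effective values (property names as shown by Get-AdfsProperties).
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Note that the Set-AdfsProperties parameter is -EnableExtranetLockout while the property reported by Get-AdfsProperties is ExtranetLockoutEnabled; the other two names are the same on both sides. After the change, the verification step should show ExtranetLockoutEnabled as True and ExtranetLockoutThreshold strictly below the domain's LockoutThreshold; if it is not, attempts through the proxy can still reach the domain's lockout.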