TL;DR
Brute force attacks against your domain controller try many usernames and passwords to gain access. This guide shows you how to detect, prevent, and respond to these attacks using account lockout policies, multi-factor authentication (MFA), intrusion detection systems (IDS), and monitoring.
1. Understand the Threat
Brute force attacks are a common way attackers try to compromise Active Directory. They use automated tools to guess credentials repeatedly. Successful attacks can lead to data breaches, ransomware, or complete system control.
2. Implement Account Lockout Policies
- Configure Lockout Threshold: Set the number of invalid login attempts before an account is locked. A value between 5 and 10 is a good starting point.
- Set Lockout Duration: Determine how long an account remains locked (e.g., 30 minutes).
- Reset Account Lockout Counter: Configure how long after the last failed login attempt the counter of invalid attempts resets to zero (a successful login also resets it).
You can configure these settings using Group Policy:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy
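The same three settings can be applied and verified from PowerShell. The following is an added example, not part of the original guide; it uses the RSAT ActiveDirectory module's Set-ADDefaultDomainPasswordPolicy and Get-ADDefaultDomainPasswordPolicy cmdlets, and the function names and the 5 / 30-minute defaults are this example's own choices.

```powershell
# Added example (not from the original guide): apply and verify the domain
# account lockout policy with the ActiveDirectory module. Assumes the RSAT
# ActiveDirectory module is installed and the caller has Domain Admin rights.
Import-Module ActiveDirectory

function Set-DomainLockoutPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Threshold = 5,                        # invalid attempts before lockout
        [timespan]$Duration = '00:30:00',           # how long the account stays locked
        [timespan]$ObservationWindow = '00:30:00'   # quiet time after which the counter resets
    )
    # AD rejects an observation window that is longer than the lockout duration.
    if ($ObservationWindow -gt $Duration) {
        throw "Observation window ($ObservationWindow) must not exceed lockout duration ($Duration)."
    }
    $domain = (Get-ADDomain).DistinguishedName
    $change = "Set lockout threshold=$Threshold, duration=$Duration, window=$ObservationWindow"
    if ($PSCmdlet.ShouldProcess($domain, $change)) {
        Set-ADDefaultDomainPasswordPolicy -Identity $domain `
            -LockoutThreshold $Threshold `
            -LockoutDuration $Duration `
            -LockoutObservationWindow $ObservationWindow
    }
}

function Test-DomainLockoutPolicy {
    # Returns $true only when every lockout setting matches the expected value.
    param(
        [int]$Threshold = 5,
        [timespan]$Duration = '00:30:00',
        [timespan]$ObservationWindow = '00:30:00'
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $p | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List | Out-Host
    return ($p.LockoutThreshold -eq $Threshold) -and
           ($p.LockoutDuration -eq $Duration) -and
           ($p.LockoutObservationWindow -eq $ObservationWindow)
}

# Dry run first, then apply and verify.
Set-DomainLockoutPolicy -WhatIf
Set-DomainLockoutPolicy
Test-DomainLockoutPolicy
```

Two caveats when using this instead of the Group Policy path above: if the Default Domain Policy GPO already defines Account Lockout Policy values, Group Policy re-applies them on the PDC emulator at the next refresh and will overwrite what the cmdlet wrote, so change the GPO or keep both consistent; and a threshold of 0 disables lockout entirely, while a very low threshold lets anyone who can reach the domain controller lock accounts out on purpose, which is why the lockout duration and counter reset above are kept to 30 minutes rather than set to permanent.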
3. Enable Multi-Factor Authentication (MFA)
MFA adds an extra layer of security, making brute force attacks much harder. Even if an attacker guesses the password, they still need a second factor (e.g., code from an authenticator app).
- Azure MFA: If you use Azure Active Directory, enable MFA for all users, especially administrators.
- Third-Party MFA Solutions: Consider solutions like Duo Security or Okta if you don’t use Azure AD.
4. Monitor Login Attempts
Regularly monitor login events to identify suspicious activity.
- Event Viewer: Check the Security event log for Event IDs 4625 (failed login) and 4624 (successful login).
- PowerShell Scripting: Use PowerShell to automate monitoring. For example, to list failed logins in the last hour with the account name and source address (both are in the event's XML payload, not top-level properties of the event object):
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) } |
    ForEach-Object { $d = ([xml]$_.ToXml()).Event.EventData.Data   # account and source IP live in the XML payload
        [pscustomobject]@{ TimeCreated = $_.TimeCreated
            AccountName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            SourceNetworkAddress = ($d | Where-Object Name -eq 'IpAddress').'#text' } } |
    Format-Table TimeCreated, AccountName, SourceNetworkAddress
- SIEM Solutions: Implement a Security Information and Event Management (SIEM) system like Splunk or ELK Stack to collect and analyze logs from multiple sources.
5. Use Intrusion Detection Systems (IDS)
An IDS can detect brute force attempts based on patterns of failed logins.
- Network-Based IDS: Monitor network traffic for suspicious login activity.
- Host-Based IDS: Monitor the domain controller itself for unusual processes or events.
6. Block Suspicious IP Addresses
If you identify an IP address repeatedly attempting failed logins, block it at your firewall.
- Firewall Rules: Create rules to deny traffic from the offending IP address.
- Automated Blocking: Some SIEM solutions can automatically block IPs based on predefined thresholds.
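Sections 4 to 6 together describe one pipeline: collect failed logins, detect sources whose failure pattern crosses a threshold, and block them. The script below is an added example, not code from the original guide. It reads Event ID 4625 from the local Security log, groups failures by source address, and creates a host firewall block rule through the NetSecurity module's New-NetFirewallRule cmdlet. The function names, the threshold of 20 failures per hour, the allow list and the sample events are all this example's own assumptions; the sample events are constructed so the detection logic can be run without a live domain controller.

```powershell
# Added example (not from the original guide): detect and block brute-force
# sources from Windows Security log events. Assumes Windows Server 2012 or
# later (NetSecurity module) and rights to read the Security log.

function Get-FailedLogon {
    # Returns one object per 4625 event in the last $Hours hours.
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            SourceIp    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType   = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}

function Find-BruteForceSource {
    # Returns sources whose failure count meets $Threshold. Events with no network
    # source ('-' or loopback, e.g. local service failures) are ignored, as is
    # anything on the allow list (jump hosts, monitoring probes, NAT/VPN gateways).
    param(
        [Parameter(ValueFromPipeline)][object[]]$Events,
        [int]$Threshold = 20,
        [string[]]$AllowList = @()
    )
    begin { $all = @() }
    process { $all += $Events }
    end {
        $all |
            Where-Object { $_.SourceIp -and $_.SourceIp -notin @('-', '127.0.0.1', '::1') -and $_.SourceIp -notin $AllowList } |
            Group-Object SourceIp |
            Where-Object Count -ge $Threshold |
            ForEach-Object {
                [pscustomobject]@{
                    SourceIp      = $_.Name
                    Failures      = $_.Count
                    DistinctUsers = ($_.Group.Account | Sort-Object -Unique).Count   # many users from one IP = spraying
                    FirstSeen     = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
                    LastSeen      = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
                }
            }
    }
}

function Block-SourceIp {
    # Creates an inbound block rule on the local Windows Firewall; idempotent by rule name.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SourceIp)
    $name = "Block brute-force source $SourceIp"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($SourceIp, 'Create inbound firewall block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $SourceIp -Action Block | Out-Null
    }
}

# Constructed sample data (documentation address ranges) so the detection logic
# can be exercised offline. A real run replaces this with: $events = Get-FailedLogon -Hours 1
$now = Get-Date
$events = @()
1..25 | ForEach-Object { $events += [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$_); Account = "user$($_ % 7)"; SourceIp = '203.0.113.45'; LogonType = '3' } }
1..3  | ForEach-Object { $events += [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$_); Account = 'jdoe'; SourceIp = '192.0.2.10'; LogonType = '3' } }
$events += [pscustomobject]@{ TimeCreated = $now; Account = 'svc_backup'; SourceIp = '-'; LogonType = '5' }

$suspects = $events | Find-BruteForceSource -Threshold 20 -AllowList '192.0.2.10'
$suspects | Format-Table
# Only 203.0.113.45 (25 failures against 7 distinct accounts) is reported:
# 192.0.2.10 is both below threshold and allow-listed, and the '-' source is skipped.

# Review with -WhatIf before letting the rule be created for real.
$suspects | ForEach-Object { Block-SourceIp -SourceIp $_.SourceIp -WhatIf }
```

The allow list and the -WhatIf run are not optional extras: a NAT gateway, VPN concentrator or proxy shows up as a single source address for everyone behind it, so blocking it on threshold alone takes out legitimate users, and a host firewall rule on the domain controller only protects that one host, so the same source list should also go to the perimeter firewall or SIEM described above. The DistinctUsers column separates a single account under attack from one source trying many accounts, which tends to stay under per-account lockout thresholds and is only visible when failures are grouped by source.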
7. Regularly Audit User Accounts
Review user accounts for unnecessary privileges or inactive accounts.
- Disable Inactive Accounts: Remove accounts that are no longer used.
- Principle of Least Privilege: Grant users only the permissions they need to perform their job duties.
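Both review tasks above can be scripted. The following is an added example, not part of the original guide; it uses the RSAT ActiveDirectory module's Search-ADAccount, Disable-ADAccount and Get-ADGroupMember cmdlets. The 90-day inactivity cutoff, the exclusion patterns and the function names are this example's own assumptions.

```powershell
# Added example (not from the original guide): find inactive user accounts and
# review privileged group membership. Assumes the RSAT ActiveDirectory module
# and an account permitted to read and disable users. 90 days is an assumed cutoff.
Import-Module ActiveDirectory

function Get-InactiveUser {
    param([int]$Days = 90)
    # Search-ADAccount relies on lastLogonTimestamp, which replicates with a lag of
    # up to 14 days, so treat the result as a review list rather than a hard verdict.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties LastLogonDate, whenCreated |
        Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName
}

function Disable-InactiveUser {
    # Disables (does not delete) inactive users so the change is reversible, and
    # records why in the description. Accounts matching an exclusion pattern are skipped.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 90,
        [string[]]$ExcludePattern = @('^svc_', '^krbtgt$')   # assumed naming convention for service accounts
    )
    Get-InactiveUser -Days $Days | ForEach-Object {
        $u = $_
        if ($ExcludePattern | Where-Object { $u.SamAccountName -match $_ }) { return }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $($u.LastLogonDate))")) {
            Disable-ADAccount -Identity $u.DistinguishedName
            Set-ADUser -Identity $u.DistinguishedName `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $Days days"
        }
    }
}

function Get-PrivilegedMember {
    # Expands the built-in high-privilege groups recursively so nested membership
    # is visible for a least-privilege review.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    }
}

Get-InactiveUser | Format-Table
Disable-InactiveUser -WhatIf     # review the list, then run again without -WhatIf
Get-PrivilegedMember | Sort-Object Group, SamAccountName | Format-Table
```

Disabling rather than deleting keeps the SID and group memberships intact, so a false positive (a user on long leave, or an account only used from a site whose logons replicated late) is recovered with Enable-ADAccount instead of a restore. The privileged-member list is the input for the least-privilege step: any entry that is disabled, has not logged on in months, or has a very old password is a standing credential that only benefits an attacker who guesses it.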
8. Consider Just-In-Time (JIT) Access
JIT access provides temporary administrative privileges only when needed, reducing the attack surface.
9. Keep Your Systems Updated
Regularly patch your domain controllers and other systems to address security vulnerabilities.