
Forefront TMG 2010 Account Lockout Feature for FBA

June 15, 2012

Consider a scenario in which you have published your Exchange 2010 Outlook Web App servers using Forefront TMG 2010 and are using Active Directory or LDAP authentication along with Forms-based Authentication (FBA). In an effort to gain access to the system, an attacker may perform a brute force password attack by either manual or programmatic means. The attacker will attempt to guess the password for a given user until they reach the account lockout threshold configured in Active Directory. Once this happens, the legitimate user will have to wait for the account to unlock automatically or be unlocked by an administrator, depending on your security policy. Effectively this results in a Denial of Service (DoS), because the legitimate user is unable to authenticate while the account is locked.

To address this concern, Forefront TMG SP2 includes a feature that allows administrators to enforce an account lockout policy on the Forefront TMG firewall itself. When configured with thresholds lower than those configured in Active Directory, this feature provides valuable protection from the DoS that results from unsuccessful password guessing attempts: the firewall stops forwarding logon attempts for that user before the Active Directory lockout threshold is reached, so the AD account itself is never locked. To enable this feature, install Forefront TMG 2010 SP2, and then follow these detailed instructions.
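The following is an added illustration of the two-tier lockout idea, not code from Forefront TMG or from this post: a simulated gateway that counts failed logons per user and stops forwarding to a simulated directory once its own threshold is hit. The class and parameter names (`Gateway`, `Directory`, `LockoutPolicy`, `simulate`) and the sample credential store are constructed for the example; `reset_seconds` plays the role of the `AccountLockoutResetTime` setting mentioned later in the thread. It also shows the misconfigured case, where the gateway threshold is not lower than the directory threshold and the directory account is locked anyway.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int       # failed attempts that trigger a lockout
    reset_seconds: int   # lockout duration, and the window over which failures are counted


@dataclass
class _Counter:
    failures: int = 0
    window_start: float = 0.0
    locked_until: float = 0.0

    def locked(self, now):
        return now < self.locked_until

    def record_failure(self, policy, now):
        # Start a fresh counting window once the previous one (or a lockout) has expired.
        if now - self.window_start >= policy.reset_seconds:
            self.failures, self.window_start = 0, now
        self.failures += 1
        if self.failures >= policy.threshold:
            self.locked_until = now + policy.reset_seconds


class Directory:
    """Stand-in for the AD/LDAP server: holds the real credentials and the AD lockout policy."""

    def __init__(self, policy, passwords):
        self.policy = policy
        self._passwords = passwords
        self._state = {}
        self.bad_password_count = {}   # what an administrator would see on the AD account

    def authenticate(self, user, password, now):
        st = self._state.setdefault(user, _Counter())
        if st.locked(now):
            return "directory_locked"
        if self._passwords.get(user) == password:
            st.failures = 0
            return "ok"
        st.record_failure(self.policy, now)
        self.bad_password_count[user] = self.bad_password_count.get(user, 0) + 1
        return "bad_password"


class Gateway:
    """Firewall-style front end: counts failures per user and, once its own (lower)
    threshold is reached, refuses the logon without ever contacting the directory."""

    def __init__(self, policy, directory):
        self.policy = policy
        self.directory = directory
        self._state = {}

    def authenticate(self, user, password, now):
        st = self._state.setdefault(user, _Counter())
        if st.locked(now):
            return "gateway_locked"          # request never reaches the directory
        result = self.directory.authenticate(user, password, now)
        if result == "bad_password":
            st.record_failure(self.policy, now)
        elif result == "ok":
            st.failures = 0
        return result


def simulate(gateway_threshold, directory_threshold):
    """Replay ten wrong passwords for 'alice' (one per second), then a legitimate
    logon at t=700s, after the gateway reset time has elapsed.
    Returns (per-attempt results, AD bad-password count, result of the legitimate logon)."""
    passwords = {"alice": "correct-horse"}      # constructed sample credential store
    ad = Directory(LockoutPolicy(directory_threshold, 1800), passwords)
    gw = Gateway(LockoutPolicy(gateway_threshold, 600), ad)
    results = [gw.authenticate("alice", f"guess{i}", now=float(i)) for i in range(10)]
    legit = gw.authenticate("alice", "correct-horse", now=700.0)
    return results, ad.bad_password_count.get("alice", 0), legit


if __name__ == "__main__":
    # Recommended: gateway threshold (3) below the directory threshold (5).
    print(simulate(3, 5))
    # Misconfigured: gateway threshold (5) above the directory threshold (3).
    print(simulate(5, 3))
```

With the gateway threshold below the directory threshold, the directory records only three bad passwords, never locks, and the real user logs on once the gateway lockout has expired; with the thresholds reversed, the directory account locks on the third guess and the legitimate logon is refused at the directory, which is exactly the DoS the feature is meant to prevent.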

  1. Armando Valdés
    November 27, 2012 at 7:46 pm


    The account lockout feature is good news. However, the link to “follow these detailed instructions” reports a missing link.

    Thanks in advance.

  2. November 28, 2012 at 11:03 am

    Thanks for pointing that out. I’ve updated the post with a new link. Thanks! 🙂

  3. Davis Kwan
    November 30, 2012 at 11:31 am

    Great info! Btw, is there a way to check who is locked out on the TMG and also how do we “unlock” the account on the TMG?


  4. November 30, 2012 at 12:57 pm

    Great question, and unfortunately I don’t know. I’ll do some research and post something back here if I find any more details.

  5. November 30, 2012 at 1:18 pm

    More information: When this feature is enabled and a user is locked out by TMG, an alert will be recorded. However, there is no way to “unlock” these users. Your only option is to wait for the account lockout expiration period to lapse.

  6. Olympia Stoica
    March 14, 2013 at 11:55 am

    Would this feature help with the following scenario?

    Problem statement: when the domain user account password is being changed, unless the user immediately updates it on his/her Apple or Android device, this device will try to authenticate against AD with this now outdated password and locks the account out. We have instances where a user will change their password while in the office, and have his/her iPad (left at home) lock them out constantly. This floods our security logs with failed login attempts, creating so much noise that we might not see something that is truly worrisome.

    The way you’d expect it to work (logically): user changes AD password on the laptop … when Apple/Android device tries to connect, AD notices the password is invalid and prompts device to provide credentials … or deny connection.

    Environment: Exchange 2010 SP2 RU6, 2008 AD compatibility mode, TMG 2010 SP2

  7. March 15, 2013 at 4:24 am

    Yes. In fact, that is what this feature is designed for. In this scenario, users will only be locked out on the Forefront TMG 2010 firewall, but their AD account will not be. Once they determine they can’t access mail from their mobile device they’ll update their password and all should be well after that. 🙂

  8. Olympia Stoica
    March 15, 2013 at 8:22 am

    Thank you. Thank you. Thank you. This has been a big problem and my team has been looking for a solution.

  9. Jack Dobbs
    June 16, 2013 at 3:56 pm

    Is it possible to overcome TMG’s default security settings using brute force attacks?

  10. June 17, 2013 at 8:06 am

    Anything is possible, but if Forefront TMG 2010 is properly configured and implemented using security best practices it is highly unlikely.

  11. Val
    July 18, 2013 at 10:45 am

    Does anyone know if it is possible to unlock users after I implement this feature?

  12. July 22, 2013 at 1:26 pm

    It is not possible to proactively unlock users on the TMG firewall. Users will automatically be unlocked after the AccountLockoutResetTime expires.
