Forefront TMG 2010 Account Lockout Feature for FBA
Consider a scenario in which you have published your Exchange 2010 Outlook Web App servers using Forefront TMG 2010 and are using Active Directory or LDAP authentication along with Forms-based Authentication (FBA). In an effort to gain access to the system, an attacker may perform a brute force password attack by either manual or programmatic means. The attacker will attempt to guess the password for a given user until they reach the configured account lockout threshold as defined in Active Directory. Once this happens, the attacker will have to wait for the account to unlock automatically or be unlocked by an administrator, depending on your security policy. Effectively this results in a Denial of Service (DoS), because the legitimate user is unable to authenticate while the account is locked.
To address this concern, Forefront TMG SP2 includes a feature that allows administrators to enforce an account lockout policy on the Forefront TMG firewall itself. When configured with thresholds lower than those configured in Active Directory, this feature provides valuable protection from the DoS that results from unsuccessful password-guessing attempts, because the user is locked out at the firewall before the Active Directory lockout threshold is reached. To enable this feature, install Forefront TMG 2010 SP2, and then follow these detailed instructions.
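As an added illustration (not code from this post or from Forefront TMG itself), the Python model below replays logon attempts through a firewall-side lockout counter placed in front of a directory-side lockout counter, the arrangement the post describes. All thresholds, timings and the sample attempts are constructed values; only the idea of a reset time after which a locked user is released comes from the feature.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # failed logons before the user is locked
    reset_seconds: int    # idle time after which the failure counter clears
    lockout_seconds: int  # how long a locked user stays locked (constructed)

class LockoutTracker:
    """Per-user failed-logon counter; the same model serves TMG and AD."""
    def __init__(self, policy):
        self.policy, self.state = policy, {}  # user -> [failures, last_fail, locked_until]
    def is_locked(self, user, now):
        return self.state.get(user, [0, 0, 0])[2] > now
    def record_failure(self, user, now):
        st = self.state.setdefault(user, [0, 0, 0])
        if now - st[1] > self.policy.reset_seconds:
            st[0] = 0                          # window lapsed: count afresh
        st[0], st[1] = st[0] + 1, now
        if st[0] >= self.policy.threshold:
            st[2], st[0] = now + self.policy.lockout_seconds, 0

def simulate(attempts, tmg_policy, ad_policy, good_password="Correct!"):
    """Replay (time, user, password) attempts: TMG checks its own lockout
    first, then forwards to AD; a failure is counted by AD and then by TMG."""
    tmg, ad = LockoutTracker(tmg_policy), LockoutTracker(ad_policy)
    outcomes = []
    for now, user, password in attempts:
        if tmg.is_locked(user, now):
            outcomes.append("rejected-at-tmg")  # never reaches AD
        elif ad.is_locked(user, now):
            outcomes.append("locked-in-ad")     # the DoS the post describes
        elif password == good_password:
            outcomes.append("success")
        else:
            ad.record_failure(user, now)
            tmg.record_failure(user, now)
            outcomes.append("bad-password")
    ad_locked = any(st[2] > 0 for st in ad.state.values())
    return outcomes, ad_locked

# Constructed sample: a stale mobile device retries an old password every
# 60 s for ten minutes; the user then signs in with the new password after
# the firewall's (constructed) 900 s reset time has lapsed.
STALE_DEVICE = [(t, "alice", "OldPassw0rd") for t in range(0, 600, 60)]
STALE_DEVICE.append((1100, "alice", "Correct!"))
TMG_POLICY = LockoutPolicy(threshold=3, reset_seconds=900, lockout_seconds=900)
AD_POLICY = LockoutPolicy(threshold=5, reset_seconds=1800, lockout_seconds=1800)
NO_TMG_LOCKOUT = LockoutPolicy(threshold=10**9, reset_seconds=0, lockout_seconds=0)

if __name__ == "__main__":
    print(simulate(STALE_DEVICE, TMG_POLICY, AD_POLICY))      # AD never locks
    print(simulate(STALE_DEVICE, NO_TMG_LOCKOUT, AD_POLICY))  # AD locks: DoS
```

The two counters are independent, so the failures that reach AD before the firewall locks still count against AD's own threshold; the firewall threshold therefore has to be low enough that those forwarded failures can never add up to the AD threshold within AD's own observation window.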
Hello.
The account lockout feature is good news. However, the link to “follow these detailed instructions” reports a missing link.
Thanks in advance.
Thanks for pointing that out. I’ve updated the post with a new link. Thanks! 🙂
Great info! Btw, is there a way to check who is locked out on the TMG and also how do we “unlock” the account on the TMG?
Thanks
Great question, and unfortunately I don’t know. I’ll do some research and post something back here if I find any more details.
More information: When this feature is enabled and a user is locked out by TMG, an alert will be recorded. However, there is no way to “unlock” this user. Your only option is to wait for the account lockout expiration period to lapse.
Would this feature help with the following scenario?
Problem statement: when the domain user account password is being changed, unless the user immediately updates it on his/her Apple or Android device, this device will try to authenticate against AD with this now outdated password and locks the account out. We have instances where a user will change their password while in the office, and have his/her iPad (left at home) lock them out constantly. This floods our security logs with failed login attempts, creating so much noise that we might not see something that is truly worrisome.
The way you’d expect it to work (logically): user changes AD password on the laptop … when Apple/Android device tries to connect, AD notices the password is invalid and prompts device to provide credentials … or deny connection.
Environment: Exchange 2010 SP2 RU6, 2008 AD compatibility mode, TMG 2010 SP2
Yes. In fact, that is what this feature is designed for. In this scenario, users will only be locked on the Forefront TMG 2010 firewall, but their AD account will not. Once they determine they can’t access mail from their mobile device they’ll update their password and all should be well after that. 🙂
Thank you. Thank you. Thank you. This has been a big problem and my team has been looking for a solution.
Is it possible to overcome TMG’s default security settings using brute force attacks?
Anything is possible, but if the Forefront TMG 2010 is properly configured and implemented using security best practices it is highly unlikely.
Anyone knows if it is possible to unlock users after I implement this feature?
It is not possible to proactively unlock users on the TMG firewall. Users will automatically be unlocked after the AccountLockoutResetTime expires.