Summary

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 adds a new local account lockout feature that helps prevent a malicious user from locking out domain accounts when Forefront TMG is configured to publish a site by using forms-based authentication (FBA) together with Active Directory or Lightweight Directory Access Protocol (LDAP) authentication.

More Information

To add the account lockout feature for FBA, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

After you apply Service Pack 2, you can configure the account lockout feature by using the Forefront TMG Administration Object Model. To do this, configure the following properties for the WebListenerProperties object, and then set the properties per listener:

  • EnableAccountLockout

  • AccountLockoutThreshold

  • AccountLockoutResetTime

If the EnableAccountLockout property is set to True and the number of consecutive failed logon attempts for a user exceeds the AccountLockoutThreshold value, the account is locked for the number of seconds that is specified by the AccountLockoutResetTime value.

Note "Consecutive failed logon attempts" means that the time between two failed logon attempts is no more than the AccountLockoutResetTime value in seconds and that there were no successful logons between the attempts.

Please also note the following:

  • The lockout counter for FBA that is described here is local to each TMG computer.

  • If the Active Directory account lockout policy is stricter than the FBA thresholds (for example, a lower lockout threshold), the Active Directory lockout will be triggered before the FBA local lockout. This is likely to defeat the purpose of having this protection in place.
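The lockout semantics and the two notes above can be checked against a small model. The following Python script is an added example written for this article; it is not Microsoft code and does not use the TMG object model. It assumes that "exceeded" means strictly more than AccountLockoutThreshold consecutive failures, keeps one counter per TMG server as the first note states, and counts how many bad-password logons an array still forwards to Active Directory or LDAP before every server's local lockout takes over, which is the situation the second note warns about.

```python
"""Model of the Forefront TMG SP2 per-listener soft account lockout.

Constructed example for this article, not Microsoft code: it reproduces the
semantics given for "consecutive failed logon attempts" and estimates how many
failed logons an array of TMG servers forwards to the directory before every
server's local lockout takes over.
"""
from dataclasses import dataclass, field


@dataclass
class SoftLockout:
    """One TMG server's FBA lockout counter (state is local, not shared across the array)."""
    enable_account_lockout: bool = True
    account_lockout_threshold: int = 2    # consecutive failures allowed before lockout
    account_lockout_reset_time: int = 60  # seconds; also used as the lockout duration
    # user -> (consecutive failures, time of last failure, locked_until)
    _state: dict = field(default_factory=dict)

    def attempt(self, user: str, success: bool, now: float) -> str:
        """Record one logon attempt at time `now` (seconds).

        Returns "locked" when the server rejects the attempt locally (nothing is
        forwarded to the directory), otherwise "ok" or "failed".
        Assumption: "threshold exceeded" means strictly more than
        account_lockout_threshold consecutive failures.
        """
        if not self.enable_account_lockout:
            return "ok" if success else "failed"
        failures, last_failure, locked_until = self._state.get(user, (0, None, 0.0))
        if now < locked_until:
            return "locked"
        if success:
            self._state[user] = (0, None, 0.0)   # a successful logon ends the run
            return "ok"
        # A failure is "consecutive" only if it follows the previous failure
        # within account_lockout_reset_time seconds.
        if last_failure is None or now - last_failure > self.account_lockout_reset_time:
            failures = 0
        failures += 1
        if failures > self.account_lockout_threshold:
            self._state[user] = (0, None, now + self.account_lockout_reset_time)
        else:
            self._state[user] = (failures, now, 0.0)
        return "failed"


def failures_reaching_directory(nodes: int, fba_threshold: int, attempts: int,
                                reset_time: int = 60, spacing: float = 1.0) -> int:
    """Spread `attempts` bad-password logons round-robin over `nodes` TMG servers,
    `spacing` seconds apart, and count how many are still forwarded to the
    directory. Each server keeps its own counter, as the article's first note says."""
    servers = [SoftLockout(account_lockout_threshold=fba_threshold,
                           account_lockout_reset_time=reset_time) for _ in range(nodes)]
    forwarded = 0
    for i in range(attempts):
        if servers[i % nodes].attempt("alice", success=False, now=i * spacing) != "locked":
            forwarded += 1
    return forwarded


def directory_lockout_defeats_fba(nodes: int, fba_threshold: int, ad_threshold: int,
                                  reset_time: int = 60) -> bool:
    """True when one burst of bad passwords, spread over the array inside the reset
    window, pushes enough failures to the directory to reach its own lockout
    threshold, so the FBA soft lockout does not protect the domain account."""
    burst = nodes * (fba_threshold + 1)   # enough to trip every server's local lockout
    return failures_reaching_directory(nodes, fba_threshold, burst, reset_time) >= ad_threshold


if __name__ == "__main__":
    tmg = SoftLockout(account_lockout_threshold=2, account_lockout_reset_time=60)
    for t, ok in [(0, False), (1, False), (2, False), (3, False), (62, False)]:
        print(f"t={t:>3}s  success={ok!s:<5} -> {tmg.attempt('alice', ok, t)}")
    for nodes in (1, 3):
        print(f"{nodes} server(s), FBA threshold 2, directory threshold 5: "
              f"directory lockout still reached = {directory_lockout_defeats_fba(nodes, 2, 5)}")
```

With a single server and AccountLockoutThreshold = 2, three failures reach the directory before the local lockout engages, so a directory lockout threshold of 5 is not reached. With three array members the same burst forwards nine failures, because each member counts independently, which is why the directory threshold has to be sized against the whole array and not against a single TMG server.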

Following is an example of a script that can be used to enable the TMG Soft Account Lockout feature that is described in this article. Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. 

  1. Copy the following script into a Notepad file, and then save the text file as a Microsoft Visual Basic Scripting Edition (VBScript) file by using the .vbs file name extension. Make sure that you change the value for WebListenerName as appropriate for your environment.

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Script for enabling TMG Soft Account Lockout described in KB 2619987
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Option Explicit
    Dim WebListenerName, newEnableAccountLockout, newAccountLockoutThreshold, newAccountLockoutResetTime

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' SET YOUR VALUES HERE
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Name of the Web listener where you want to change the EnableAccountLockout parameter
    WebListenerName = "YourWebListenerName"

    ' Set here custom values
    ' Remember: If the EnableAccountLockout property is set to True and the
    ' value for the AccountLockoutThreshold property for consecutive failed
    ' logon attempts for a user is exceeded, the account is locked based on
    ' the AccountLockoutResetTime value in seconds.
    newEnableAccountLockout = True
    newAccountLockoutThreshold = 2
    newAccountLockoutResetTime = 60

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Begin
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Dim Root, Array, WebListeners, WL, intCompare, blnFound
    Set Root = CreateObject("FPC.Root")
    Set Array = Root.GetContainingArray
    Set WebListeners = Array.RuleElements.WebListeners

    ' Look for the Web listener (case-insensitive name comparison)
    blnFound = False
    For Each WL In WebListeners
        Wscript.Echo " Comparing WebListener name |" & WebListenerName & "| with |" & WL.Name & "|"
        intCompare = StrComp(WebListenerName, WL.Name, vbTextCompare)
        If intCompare = 0 Then
            blnFound = True
            Exit For
        End If
    Next

    ' Stop here if no listener matched; otherwise WL would not reference a valid object
    If Not blnFound Then
        Wscript.Echo "WebListener |" & WebListenerName & "| was not found. No changes were made."
        Wscript.Quit 1
    End If

    Wscript.Echo
    Wscript.Echo "Found WebListener with description: |" & WL.Description & "|"

    ' Show current and new values
    Wscript.Echo
    Wscript.Echo "***** CURRENT VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"
    Wscript.Echo "***** NEW VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & newEnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & newAccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & newAccountLockoutResetTime & "|"

    ' Warning and ask to continue (the loop below reads until ENTER is pressed)
    Dim strMessage, strKey
    WScript.Echo ' newline
    Wscript.Echo "Please check if the previous information is correct and you want to apply the changes"
    strMessage = "Press ENTER to continue or Ctrl+C to cancel"
    WScript.Echo ' newline
    WScript.StdOut.Write strMessage
    Do While Not WScript.StdIn.AtEndOfLine
        strKey = WScript.StdIn.Read(1)
    Loop

    ' Set new values on the listener and persist them to the stored configuration
    WL.Properties.EnableAccountLockout = newEnableAccountLockout
    WL.Properties.AccountLockoutThreshold = newAccountLockoutThreshold
    WL.Properties.AccountLockoutResetTime = newAccountLockoutResetTime
    Wscript.Echo "***** CURRENT VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"
    WL.Properties.Save
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  2. Save the file to a temporary folder. For example, save the file as "EnableSoftLockout.vbs," and then save the file to the C:\EnableSoftLockout folder.

  3. At a command prompt, move to the location to which you saved the .vbs file in step 2, and then run the .vbs file. For example, run the following commands:

    CD C:\EnableSoftLockout
    cscript EnableSoftLockout.vbs

References

For more information about the WebListenerProperties object, go to the following Microsoft Developer Network (MSDN) website:

FPCWebListenerProperties Object

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
