In this article you will learn about the JiJi Account Lockout Tool, a Windows utility to analyze and resolve account lockout issues.
JiJi Technologies is raffling two administrator licenses for its JiJi Account Lockout Tool, worth $600 USD each. The deadline for this contest is September 29, 2011. If you want to take part in this raffle, please send an email with the subject JiJi Account Lockout Tool to .
JiJi Account Lockout Tool
Now more than ever, Windows systems administrators are tasked with keeping their network resources in compliance with national and/or international governmental mandates. Account lockout policy is certainly one factor that must be considered in establishing IT security compliance.
Think of it this way: if a handful of your users lock out their accounts by mistyping their password a given number of times, then it is fairly trivial for you as the sysadmin to unlock their accounts and thereby restore user productivity.
However, what if a malicious user, hacktivist group, or whoever were to enumerate a significant block of valid usernames within your organization? That person or group could then author a script that repeatedly attempts user logons with the intention of exceeding your account lockout threshold policy.
When a significant percentage of your user base cannot work because their accounts have become locked, then we call that a denial of service (DoS) attack; this kind of stuff happens every day.
To this end, JiJi Technologies has developed a nifty Windows application called the JiJi Account Lockout Tool (JALT). The purpose of JALT is to provide both administrators and users with immediate notification of account lockout events.
The idea is that, given enhanced intelligence concerning account lockout trends, Windows systems administrators can both mitigate the threat of DoS attacks, as well as better construct future password and account lockout policies for their organization.
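Telling the two cases above apart (a handful of mistyped passwords versus a scripted mass lockout) comes down to counting distinct locked-out accounts within a short window. The following is an added example, not part of JALT or the original article; it assumes lockout records exported as time, account, and caller computer (the fields Windows records in Security event 4740), and the five-minute window and five-account threshold are illustrative assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, locked-out account, caller computer.
SAMPLE = """\
2011-09-12T08:02:11 asmith WKS-014
2011-09-12T09:15:40 bjones WKS-102
2011-09-12T13:00:01 user001 HOST-X
2011-09-12T13:00:03 user002 HOST-X
2011-09-12T13:00:05 user003 HOST-X
2011-09-12T13:00:08 user004 HOST-X
2011-09-12T13:00:09 user005 HOST-X
2011-09-12T13:00:12 user006 HOST-X
2011-09-12T16:45:30 asmith WKS-014
"""

def parse(text):
    """Turn 'ISO-time account source' lines into sorted (datetime, account, source) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, account, source = line.split()
            rows.append((datetime.fromisoformat(ts), account.lower(), source))
    return sorted(rows)

def find_lockout_bursts(rows, window=timedelta(minutes=5), min_accounts=5):
    """Report periods in which >= min_accounts distinct accounts lock out within `window`."""
    recent = deque()                 # events still inside the sliding window
    bursts, current = [], None
    for ts, account, source in rows:
        recent.append((ts, account, source))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len({a for _, a, _ in recent}) < min_accounts:
            current = None           # isolated lockouts: normal helpdesk traffic
            continue
        if current is None:          # threshold just crossed: open a new burst
            current = {"start": recent[0][0], "accounts": set(), "sources": Counter()}
            bursts.append(current)
            pending = list(recent)
        else:                        # burst already open: only the new event is unseen
            pending = [(ts, account, source)]
        for _, a, s in pending:
            current["accounts"].add(a)
            current["sources"][s] += 1
        current["end"] = ts
    return bursts
```

On the sample data, the two morning lockouts and the late-afternoon repeat are ignored, while the six accounts locked within eleven seconds are reported as one burst along with the caller computer that dominates it.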
JiJi makes a free trial of the software available to any interested party; the cost of a single-administrator license is $600 USD. The license cost also includes one-year maintenance and free upgrades.
Once you’ve downloaded the software, there are two preinstallation requirements with which you should be familiar.
The JiJi Account Lockout Tool is manifested on disk as a data-driven Web application. Therefore, you need to install the Web Server (IIS) server role on the Windows Server 2008 computer on which you are installing the software.
As you know, you can add this role to a Windows Server 2008 computer via the Add Roles Wizard, shown in Figure 1.
Adding the Web Server role
JALT uses Microsoft SQL Server Compact Edition for data storage. The good news is that you can install this software directly from a subfolder within the JALT installation files; this is shown in Figure 2.
SQL Server Compact installer
Once you have your installation prerequisites out of the way, we are ready to install JALT itself. Rather than give you a screen-by-screen walkthrough of the software installation process, we will instead focus on selected screens that are of particular importance.
Installing the JiJi Account Lockout Tool
The GPO Settings installation dialog informs us that in order for JALT to be able to provide us with detailed account logon and lockout metadata, we need to enable specific auditing options in our Default Domain Policy GPO.
JiJi Account Lockout Tool – Analyzing current domain policy
NOTE: Please double-check your Default Domain Policy GPO post-installation. I found that although I checked Yes (Recommended) for the Do you want to change the required settings in Default Domain Policy? option, my GPO had not been touched and I needed to manually enable the policies.
In the Choose the Scope dialog, we are asked to (a) select our management scope for the tool; and (b) provide domain administrator credentials.
JiJi Account Lockout Tool – Specifying a management scope
In the Create Virtual Directory dialog, we provide the JALT installer with instructions on how to create the Internet Information Services (IIS) Web site that will host the application.
IIS Web site configuration
Finally, be sure to edit your Default Domain Policy Group Policy Object (GPO) to define not only your account lockout policy settings, but also, as previously mentioned, your audit policy settings.
Editing the Default Domain Policy GPO
Using the Tool
To access JALT, fire up your Web browser and navigate to the IIS virtual directory URL that you specified during installation. Your initial login credentials are admin/password; we will change that immediately upon logging into the JALT management site.
JiJi Account Lockout Tool – Initial login to JALT
The first things we want to do upon initial login are (a) load our license file; and (b) specify the authorized administrators of the system. We can accomplish both tasks by navigating to the License tab.
JiJi Account Lockout Tool – Specifying JALT administrators
We also should navigate to the Admin tab and (a) specify a Simple Mail Transfer Protocol (SMTP) mail server address; and (b) specify the recipient of notification messages whenever a user’s account becomes locked out.
JiJi Account Lockout Tool – Configuring notification settings
Note that the Home page in JALT provides a graphical dashboard that displays a historical record of logon failures and account lockouts.
JiJi Account Lockout Tool – Home page
To test the application’s functionality, you should intentionally produce an account lockout from a domain workstation computer.
A locked-out Windows 7 domain workstation
We can then check out the details of the account lockout by navigating to the Account Lockout Analyzer tab in JALT. Please note that we can perform the following actions:
- Click the Unlock button to unlock the user’s account
- Analyze the logon failure to ascertain time/date metadata, the source IP, etc.
JiJi Account Lockout Tool – Account Lockout Analyzer
All things considered, the JiJi Account Lockout Tool provides valuable intelligence concerning user account lockouts and logon failures. This tool should help you maintain regulatory compliance for your network, as well as reduce the likelihood of malicious attacks on your account lockout policy. Please feel free to leave your comments or questions—thanks for reading!