Microsoft Forefront Threat Management Gateway 2010 Service Pack 2 adds a new local account lockout feature which helps prevent a malicious user from locking out domain accounts, when TMG is configured to publish a site using Forms-Based Authentication (FBA) with Active Directory or with Lightweight Directory Access Protocol (LDAP) authentication. Source: KB2619987
The following two Windows PowerShell functions let you retrieve and modify the account lockout settings for web listeners configured with Forms Based Authentication (AD/LDAP). The functions work via PowerShell Remoting (WinRM).
More information is available in this blog post.
function Get-AccountLockoutSetting
{
<#
.SYNOPSIS
Windows PowerShell function for use with Forefront TMG 2010 SP2: Retrieve the account lockout setting for weblisteners with Forms Based Authentication (with AD/LDAP).
.DESCRIPTION
Windows PowerShell function for use with Forefront TMG 2010 SP2: Retrieve the account lockout setting for weblisteners with Forms Based Authentication (with AD/LDAP).
If the EnableAccountLockout property is set to True and the value for the AccountLockoutThreshold property for consecutive failed logon attempts for a user is exceeded,
the account is locked based on the AccountLockoutResetTime value in seconds.
For more information about this feature, see the following KB-article: http://support.microsoft.com/kb/2619987
.EXAMPLE
Get-AccountLockoutSetting
.NOTES
Name: Get-AccountLockoutSetting
Author: Jan Egil Ring
Website: http://blog.powershell.no
You have a royalty-free right to use, modify, reproduce, and
distribute this script file in any way you find useful, provided that
you agree that the creator, owner above has no warranty, obligations,
or liability for such use.
VERSION HISTORY:
1.0 07.08.2012 - Initial release
#Requires -Version 2.0
#>
    # The FPC COM object is only registered on a TMG server (or a box with TMG management installed),
    # which is why the function is meant to be run through PowerShell Remoting against the TMG host.
    $FPC = New-Object -ComObject FPC.root
    $array = $FPC.GetContainingArray()
    $FBAWebListeners = @()
    foreach ($listener in $array.RuleElements.WebListeners) {
        # The lockout properties only apply to listeners whose first authentication scheme is FBA with AD/LDAP.
        $scheme = $null
        if ($listener.Properties.AuthenticationSchemes.Count -gt 0) {
            $scheme = $listener.Properties.AuthenticationSchemes.Item("1").Name
        }
        if ($scheme -eq 'FBA with AD' -or $scheme -eq 'FBA with LDAP') {
            $FBAWebListeners += New-Object -TypeName pscustomobject -Property @{
                AccountLockoutResetTime = $listener.Properties.AccountLockoutResetTime
                AccountLockoutThreshold = $listener.Properties.AccountLockoutThreshold
                EnableAccountLockout    = $listener.Properties.EnableAccountLockout
                WebListener             = $listener.Name
            } | Select-Object WebListener,EnableAccountLockout,AccountLockoutThreshold,AccountLockoutResetTime
        }
    }
    $FBAWebListeners
}
function Set-AccountLockoutSetting
{
<#
.SYNOPSIS
Windows PowerShell function for use with Forefront TMG 2010 SP2: Modify the account lockout setting for weblisteners with Forms Based Authentication (with AD/LDAP).
.DESCRIPTION
Windows PowerShell function for use with Forefront TMG 2010 SP2: Modify the account lockout setting for weblisteners with Forms Based Authentication (with AD/LDAP).
If the EnableAccountLockout property is set to True and the value for the AccountLockoutThreshold property for consecutive failed logon attempts for a user is exceeded,
the account is locked based on the AccountLockoutResetTime value in seconds.
For more information about this feature, see the following KB-article: http://support.microsoft.com/kb/2619987
.PARAMETER WebListener
The name of the Web Listener to modify.
.PARAMETER EnableAccountLockout
Specify $true or $false to indicate whether the account lockout feature is enabled or disabled.
.PARAMETER AccountLockoutResetTime
The amount of time (in seconds, as described above) before the lockout counter is reset. Left unchanged if not specified.
.PARAMETER AccountLockoutThreshold
The threshold for how many failed password attempts will trigger a lockout. This value should be lower than the corresponding value in Active Directory. Left unchanged if not specified.
.EXAMPLE
Set-AccountLockoutSetting -WebListener 'https FBA' -EnableAccountLockout $false
.EXAMPLE
Set-AccountLockoutSetting -WebListener 'https FBA' -EnableAccountLockout $true -AccountLockoutResetTime 200 -AccountLockoutThreshold 5
.EXAMPLE
Get-AccountLockoutSetting | Set-AccountLockoutSetting -EnableAccountLockout $true -AccountLockoutResetTime 200 -AccountLockoutThreshold 5
.NOTES
Name: Set-AccountLockoutSetting
Author: Jan Egil Ring
Website: http://blog.powershell.no
You have a royalty-free right to use, modify, reproduce, and
distribute this script file in any way you find useful, provided that
you agree that the creator, owner above has no warranty, obligations,
or liability for such use.
VERSION HISTORY:
1.0 07.08.2012 - Initial release
#Requires -Version 2.0
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]
        $WebListener,
        [int]$AccountLockoutResetTime,
        [int]$AccountLockoutThreshold,
        [Parameter(Mandatory=$true)]
        [bool]$EnableAccountLockout
    )
    Begin
    {
        $FPC = New-Object -ComObject FPC.root
        $array = $FPC.GetContainingArray()
        $FBAWebListeners = @()
    }
    Process
    {
        $listener = $array.RuleElements.WebListeners | Where-Object {$_.Name -eq $WebListener}
        if ($listener) {
            $scheme = $null
            if ($listener.Properties.AuthenticationSchemes.Count -gt 0) {
                $scheme = $listener.Properties.AuthenticationSchemes.Item("1").Name
            }
            if ($scheme -eq 'FBA with AD' -or $scheme -eq 'FBA with LDAP') {
                # Only write the numeric values that were actually supplied; an unbound [int]
                # parameter is 0, and writing that would silently zero the threshold/reset time
                # when the caller only wanted to toggle EnableAccountLockout.
                if ($PSBoundParameters.ContainsKey('AccountLockoutResetTime')) {
                    $listener.Properties.AccountLockoutResetTime = $AccountLockoutResetTime
                }
                if ($PSBoundParameters.ContainsKey('AccountLockoutThreshold')) {
                    $listener.Properties.AccountLockoutThreshold = $AccountLockoutThreshold
                }
                $listener.Properties.EnableAccountLockout = $EnableAccountLockout
                # Persist the change to the TMG configuration storage.
                $listener.Save()
                $FBAWebListeners += New-Object -TypeName pscustomobject -Property @{
                    AccountLockoutResetTime = $listener.Properties.AccountLockoutResetTime
                    AccountLockoutThreshold = $listener.Properties.AccountLockoutThreshold
                    EnableAccountLockout    = $listener.Properties.EnableAccountLockout
                    WebListener             = $listener.Name
                } | Select-Object WebListener,EnableAccountLockout,AccountLockoutThreshold,AccountLockoutResetTime
            } else {
                Write-Warning "The specified weblistener was found, but the authentication scheme is not Forms Based Authentication with AD/LDAP. No settings were modified."
            }
        } else {
            Write-Warning "Could not find a weblistener with the specified name. No settings were modified."
        }
    }
    End
    {
        $FBAWebListeners
    }
}
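The help text above says the TMG threshold should stay below the Active Directory lockout threshold, so that TMG's local lockout trips before the domain account locks. The following function is an added example, not part of the original script: it runs Get-AccountLockoutSetting over WinRM and compares each FBA listener with the domain policy. It assumes the two functions above are dot-sourced in the calling session, that the TMG server is reachable over remoting as a TMG administrator (FPC.root only exists on the TMG host), and that the ActiveDirectory module is installed where the check runs; the reset-time comparison is this example's own heuristic, not guidance from the KB article.

```powershell
# Added example (not part of the original script): audit TMG FBA listeners against the
# domain lockout policy. $TmgServer is a placeholder for your TMG host name.
function Test-AccountLockoutSetting
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$TmgServer
    )

    # Run the Get function remotely; the listener objects come back deserialized.
    $listeners = Invoke-Command -ComputerName $TmgServer -ScriptBlock ${function:Get-AccountLockoutSetting}

    # Domain values the TMG settings are compared against (ActiveDirectory module).
    $adPolicy    = Get-ADDefaultDomainPasswordPolicy
    $adThreshold = [int]$adPolicy.LockoutThreshold                     # 0 = AD never locks out
    $adWindow    = [int]$adPolicy.LockoutObservationWindow.TotalSeconds

    foreach ($l in $listeners) {
        $issues = @()
        if (-not $l.EnableAccountLockout) {
            $issues += 'Lockout disabled: every failed FBA logon is forwarded to AD/LDAP'
        }
        else {
            if ($adThreshold -gt 0 -and $l.AccountLockoutThreshold -ge $adThreshold) {
                $issues += "TMG threshold $($l.AccountLockoutThreshold) is not below AD threshold $adThreshold"
            }
            # Own heuristic: if TMG forgets failures before AD does, a second burst after
            # the TMG reset can still push the AD counter past the domain threshold.
            if ($l.AccountLockoutResetTime -lt $adWindow) {
                $issues += "TMG reset time $($l.AccountLockoutResetTime)s is shorter than the AD observation window ${adWindow}s"
            }
        }
        New-Object -TypeName pscustomobject -Property @{
            WebListener = $l.WebListener
            Compliant   = ($issues.Count -eq 0)
            Issues      = ($issues -join '; ')
        } | Select-Object WebListener,Compliant,Issues
    }
}

# Usage ('TMG01' is a placeholder): list only the listeners that need attention.
# Test-AccountLockoutSetting -TmgServer 'TMG01' | Where-Object { -not $_.Compliant }
```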