This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello everyone,
Especially for internet facing sharepoint sites, what is the best solution to prevent bad login attempts for sp service accounts. The solution could be hardware solution (firewall or waf) or software solution (scripting).
Thanks.
For SharePoint service accounts, you should be adding them to the deny logon security policy (secpol.msc) on each SharePoint server. For SQL, you should be using a gMSA rather than a domain user account.
Place a pre-authenticating reverse proxy in front of SharePoint and don't allow it to be bypassed to each web application. But there is nothing stopping an internal user from brute forcing or locking the accounts out -- this is typically why service accounts bypass lockout policies as you don't want your service to fail.
Best defense is to use monitoring tools that will alert you of these types of attacks against users.
Thanks you very much @Trevor Seward . Can you give me some info about "pre-authenticating reverse proxy" toplogy. Did you mean ADFS or something else?
With AD FS + Web App Proxy, Azure AD App Proxy, and many other third party network devices/services, yes that is possible. If you go the AD FS + WAP route, I would recommend using a non-claims aware relying party mode, this way you can continue using Windows auth on SharePoint.
These services/devices, with the exception of the AAD App Proxy, would reside in a DMZ of some form. App Proxy goes on your internal network as you do not need to open inbound firewall ports for it.
Unfortunately there isn't any proper way, I would say create them with a proper naming convention and explain the AD team to not to touch those service accounts.
Below articles explains you to configure service accounts with proper naming convention.
https://vladtalkstech.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html
Thanks & Regards,