LockoutGuard from Collective Software augments the capabilities of ISA 2006 to allow a “soft lockout”.
LockoutGuard can be configured to start denying authentication attempts before the AD lockout limit is reached. This acts as an additional tier of “lockout security”, safely locking the account out of the extranet. During soft lockout of a user's account, password guessing on the extranet will fail since LockoutGuard is blocking authentication attempts for that account. Even during this soft lockout, the user account can still be logged in from inside your LAN, or over a VPN. Thus, the DoS potential is substantially controlled, with a minimum inconvenience.