Solved

User account lockout from OWA login attempts

Posted on 2006-11-03
5
3,043 Views
Last Modified: 2008-01-09
Here's the situation:

Single Exchange 2003 Enterprise server in the network running OWA.  We have account lockout policies in place so that after 5 failed attempts to login, the user ID is locked out.  Is there a way to prevent a denial-of-service attack from a malicious user from locking out the domain account?  In other words, I know a user's ID; but not their password and I hate them.  So, I intentionally try to log into their account 5 times with a bad password causing their domain ID to lockout.

I was trying to determine whether I can set some sort of lower limit (say 3 failed attempts) that would somehow lock the user out of OWA so that they would not be locked out of the domain they belong too; but haven't found anything remotely like that.

I looked at http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx; but that seems like a bunch of trouble to go to simply to prevent this issue.

Anyone doing anything like this?

-Manfre
0
Comment
Question by:Manfre7874
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17869338
There is very little you can do.
What is the difference between someone doing it out of spite and someone doing to try and guess the password?

If I have a significant number of users who work out of hours then I will have the accounts reset after a set amount of time (30 minutes) so that they can try again later.

Simon.
0
 

Author Comment

by:Manfre7874
ID: 17869546
There's no difference at all and I kind of expected that answer.  I just wondered if there was some methodolgy for preventing a DOS attack on OWA that I was unfamiliar with.

-Manfre
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 17869695
Thats what password lock is for.
Most attackers on a Windows domain don't bother with individual user accounts anyway. There is only one target - the administrator account. As it doesn't lock out it is perfect for brute forcing. The other accounts might get a casual attack, but that is all.

Simon.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question