Solved

User account lockout from OWA login attempts

Posted on 2006-11-03
5
2,963 Views
Last Modified: 2008-01-09
Here's the situation:

Single Exchange 2003 Enterprise server in the network running OWA.  We have account lockout policies in place so that after 5 failed attempts to login, the user ID is locked out.  Is there a way to prevent a denial-of-service attack from a malicious user from locking out the domain account?  In other words, I know a user's ID; but not their password and I hate them.  So, I intentionally try to log into their account 5 times with a bad password causing their domain ID to lockout.

I was trying to determine whether I can set some sort of lower limit (say 3 failed attempts) that would somehow lock the user out of OWA so that they would not be locked out of the domain they belong too; but haven't found anything remotely like that.

I looked at http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx; but that seems like a bunch of trouble to go to simply to prevent this issue.

Anyone doing anything like this?

-Manfre
0
Comment
Question by:Manfre7874
  • 2
5 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17869338
There is very little you can do.
What is the difference between someone doing it out of spite and someone doing to try and guess the password?

If I have a significant number of users who work out of hours then I will have the accounts reset after a set amount of time (30 minutes) so that they can try again later.

Simon.
0
 

Author Comment

by:Manfre7874
ID: 17869546
There's no difference at all and I kind of expected that answer.  I just wondered if there was some methodolgy for preventing a DOS attack on OWA that I was unfamiliar with.

-Manfre
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 17869695
Thats what password lock is for.
Most attackers on a Windows domain don't bother with individual user accounts anyway. There is only one target - the administrator account. As it doesn't lock out it is perfect for brute forcing. The other accounts might get a casual attack, but that is all.

Simon.
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now