Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

User account lockout from OWA login attempts

Posted on 2006-11-03
5
Medium Priority
?
3,274 Views
Last Modified: 2008-01-09
Here's the situation:

Single Exchange 2003 Enterprise server in the network running OWA.  We have account lockout policies in place so that after 5 failed attempts to login, the user ID is locked out.  Is there a way to prevent a denial-of-service attack from a malicious user from locking out the domain account?  In other words, I know a user's ID; but not their password and I hate them.  So, I intentionally try to log into their account 5 times with a bad password causing their domain ID to lockout.

I was trying to determine whether I can set some sort of lower limit (say 3 failed attempts) that would somehow lock the user out of OWA so that they would not be locked out of the domain they belong too; but haven't found anything remotely like that.

I looked at http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx; but that seems like a bunch of trouble to go to simply to prevent this issue.

Anyone doing anything like this?

-Manfre
0
Comment
Question by:Manfre7874
  • 2
3 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17869338
There is very little you can do.
What is the difference between someone doing it out of spite and someone doing to try and guess the password?

If I have a significant number of users who work out of hours then I will have the accounts reset after a set amount of time (30 minutes) so that they can try again later.

Simon.
0
 

Author Comment

by:Manfre7874
ID: 17869546
There's no difference at all and I kind of expected that answer.  I just wondered if there was some methodolgy for preventing a DOS attack on OWA that I was unfamiliar with.

-Manfre
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 17869695
Thats what password lock is for.
Most attackers on a Windows domain don't bother with individual user accounts anyway. There is only one target - the administrator account. As it doesn't lock out it is perfect for brute forcing. The other accounts might get a casual attack, but that is all.

Simon.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses
Course of the Month14 days, 20 hours left to enroll

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question