We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

User account lockout from OWA login attempts

Manfre7874
Manfre7874 asked
on
Medium Priority
3,615 Views
Last Modified: 2008-01-09
Here's the situation:

Single Exchange 2003 Enterprise server in the network running OWA.  We have account lockout policies in place so that after 5 failed attempts to login, the user ID is locked out.  Is there a way to prevent a denial-of-service attack from a malicious user from locking out the domain account?  In other words, I know a user's ID; but not their password and I hate them.  So, I intentionally try to log into their account 5 times with a bad password causing their domain ID to lockout.

I was trying to determine whether I can set some sort of lower limit (say 3 failed attempts) that would somehow lock the user out of OWA so that they would not be locked out of the domain they belong too; but haven't found anything remotely like that.

I looked at http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx; but that seems like a bunch of trouble to go to simply to prevent this issue.

Anyone doing anything like this?

-Manfre
Comment
Watch Question

Expert of the Year 2007
Expert of the Year 2006

Commented:
There is very little you can do.
What is the difference between someone doing it out of spite and someone doing to try and guess the password?

If I have a significant number of users who work out of hours then I will have the accounts reset after a set amount of time (30 minutes) so that they can try again later.

Simon.

Author

Commented:
There's no difference at all and I kind of expected that answer.  I just wondered if there was some methodolgy for preventing a DOS attack on OWA that I was unfamiliar with.

-Manfre
Expert of the Year 2007
Expert of the Year 2006
Commented:
Thats what password lock is for.
Most attackers on a Windows domain don't bother with individual user accounts anyway. There is only one target - the administrator account. As it doesn't lock out it is perfect for brute forcing. The other accounts might get a casual attack, but that is all.

Simon.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.