I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout.

What is the best way to do this?

I have the following group policy:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\

  • Account Lockout duration 10 mins
  • Account lockout threshold 5 attempts
  • Reset Account lockout counter after 10 mins
SLY

2 Answers

That's good enough if you have a reasonable password policy. If people can have a password of 1, that's probably going to be a problem.

You've rate-limited brute-forcing the password to 1 password every 2 minutes. At that rate, guessing a 7-character, all-numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.

Chris S


While what Chris S says is true, you have opened yourself up to a DoS attack. I can't break into your accounts, but I can lock them all out permanently. I just keep on doing wrong password attempts, indefinitely. One bad attempt per user, every 2 minutes, isn't much.

You need something monitoring your logs for invalid attempts, and eventually block that IP address at the firewall for a period of time.

How to set that up is highly dependent on your infrastructure (logging, firewall, etc.) and your usage patterns. For instance, if the same IP address makes an invalid attempt on 2-3 accounts, you may want to block that IP for a few days. If it's one account, you may only want to block that IP once it's done 10 invalid attempts in an hour, for two hours.

Steven
  • You make a good point. I've decided to make a new question to focus on the DOS issue. http://serverfault.com/questions/227319/how-do-i-prevent-against-a-dos-attack-through-outlook-web-access – SLY Jan 26 '11 at 19:57
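The two blocking rules Steven describes, applied to a constructed, simplified log format as an added example (not code from either answer); the thresholds (2 accounts from one IP, or 10 failures on one account within an hour), the 3-day and 2-hour block durations, and the log line format are assumptions, and a real deployment would feed it IIS logs or Windows Security failed-logon events instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ISO time> <IP> <account> <OK|FAIL>").
# 203.0.113.5 sprays three accounts; 198.51.100.7 hammers one account
# ten times in 45 minutes; 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = [
    "2011-01-26T19:00:00 203.0.113.5 alice FAIL",
    "2011-01-26T19:02:10 203.0.113.5 bob FAIL",
    "2011-01-26T19:04:30 203.0.113.5 carol FAIL",
    "2011-01-26T19:10:00 192.0.2.9 erin FAIL",
    "2011-01-26T19:11:00 192.0.2.9 erin OK",
] + ["2011-01-26T19:%02d:00 198.51.100.7 dave FAIL" % (5 * i) for i in range(10)]


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def find_ips_to_block(lines, multi_account_threshold=2,
                      single_account_threshold=10, window=timedelta(hours=1)):
    """Return {ip: (reason, block_duration)} for source IPs matching either rule.
    Rule 1: failures against several distinct accounts -> long block (3 days).
    Rule 2: N failures on one account inside `window` -> short block (2 hours).
    Thresholds and durations are assumptions taken from the answer's wording.
    """
    failures = defaultdict(lambda: defaultdict(list))  # ip -> account -> [times]
    for line in lines:
        ts, ip, account, succeeded = parse_line(line)
        if not succeeded:
            failures[ip][account].append(ts)

    decisions = {}
    for ip, per_account in failures.items():
        if len(per_account) >= multi_account_threshold:
            decisions[ip] = ("failures on %d accounts" % len(per_account),
                             timedelta(days=3))
            continue
        for account, stamps in per_account.items():
            stamps.sort()
            # Sliding window: any N consecutive failures spanning <= window.
            for i in range(len(stamps) - single_account_threshold + 1):
                if stamps[i + single_account_threshold - 1] - stamps[i] <= window:
                    decisions[ip] = ("%d failures on %s within %s"
                                     % (single_account_threshold, account, window),
                                     timedelta(hours=2))
                    break
    return decisions
```

Running `find_ips_to_block(SAMPLE_LOG)` flags the account-spraying IP for 3 days and the single-account hammering IP for 2 hours, while the user with one typo is left alone.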