TL;DR
What techniques are being used to detect brute force logins and/or password spraying on IIS hosted websites (including SharePoint, OWA, etc.)?
ModSecurity
There are many tools for other operating systems to address this, the primary one being ModSecurity. While it has been ported to support IIS, it doesn't integrate with IIS as well as it does with other platforms. Besides, I would be surprised to hear of any SharePoint or OWA implementations using ModSecurity for IIS. If you're out there, I encourage you to post your setup here.
Multi-factor or Captcha
Both are viable options to prevent these attacks, but they don't necessarily detect them, and they also fail in the following ways:
- Steps are added to the login process for all users just to block login abuse from a small subset of users.
- Some implementations only display the additional method after a successful username/password combination has been submitted.
Proxy
Placing a hardware device (or devices) or a cloud service in front of an IIS pool is a viable option. However, many identify a brute-force login as successive POST requests during a short interval, which can easily lead to false positives.
SIEM / Splunk
Centralized logging works, though it can be expensive, both monetarily and in the time invested to build rules.
Rate Limiting
There are modules within IIS which block IP addresses based on connection rates. This is not the same thing as what I'm asking, even if technically these login attempts would trigger a rate filter.
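The detection trade-off raised under Proxy and SIEM / Splunk above, as an added worked example that is not part of the original question: a Python prototype of a SIEM-style rule over IIS W3C log lines. It contrasts the crude "N POSTs in T seconds" rule with one keyed on 401.1 (logon failed) responses and on how many distinct accounts those failures hit, which is what separates a brute force against one account from a password spray across many. Everything here is my assumption rather than the question's: the log uses the default IIS W3C field set; the login endpoint is a hypothetical /app/login behind Windows authentication, so the ordinary 401.2 challenge on a fresh connection must not be counted as a failure; and the attempted account name lands in cs-username on failed requests (whether it does depends on the authentication scheme, so check your own logs; where it is "-", the distinct-account signal has to come from Security event 4625 instead). The log content is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default IIS W3C field set. The parser keys on this header, so a site with a
# different field selection still parses as long as the names used below exist.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")


def _line(ts, method, uri, user, ip, status, sub):
    """Build one constructed log line in the FIELDS order (not real traffic)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 {method} {uri} - 443 {user} {ip} "
            f"Mozilla/5.0 - {status} {sub} 0 12")


def build_sample():
    """Constructed sample: a NAT'd office, a brute force, and a password spray."""
    t0 = datetime(2024, 3, 1, 8, 0, 0)
    lines = ["#Software: Microsoft Internet Information Services 10.0", FIELDS]
    # (a) 30 office users behind one NAT address log in within 4 minutes. With
    #     Windows auth each one produces the normal 401.2 challenge, then a 200.
    for n in range(30):
        t = t0 + timedelta(seconds=8 * n)
        lines.append(_line(t, "POST", "/app/login", "-", "198.51.100.20", 401, 2))
        lines.append(_line(t + timedelta(seconds=1), "POST", "/app/login",
                           f"CORP\\user{n:02d}", "198.51.100.20", 200, 0))
    # (b) brute force: 40 wrong passwords for one account in two minutes.
    for n in range(40):
        t = t0 + timedelta(seconds=3 * n)
        lines.append(_line(t, "POST", "/app/login", "CORP\\admin", "203.0.113.7", 401, 1))
    # (c) spray: one password against 25 accounts, 20 s apart to stay slow.
    for n in range(25):
        t = t0 + timedelta(seconds=20 * n)
        lines.append(_line(t, "POST", "/app/login", f"CORP\\user{n:02d}", "203.0.113.9", 401, 1))
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # truncated or malformed line: skip instead of crashing
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def is_failed_logon(rec):
    # 401.1 = "Logon failed" (bad credentials). 401.2 is the challenge IIS sends
    # on a fresh NTLM/Negotiate connection and is not a failed attempt.
    return rec["sc-status"] == "401" and rec["sc-substatus"] == "1"


def analyze(records, login_path="/app/login", window=timedelta(minutes=5),
            post_rate=20, fail_threshold=10, spray_users=5):
    """Per source IP, the worst sliding window seen: POST count (the proxy-style
    rule), 401.1 count, and distinct accounts among those failures."""
    per_ip = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"] == login_path:
            per_ip[r["c-ip"]].append(r)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        max_posts = max_fails = max_users = 0
        start = 0
        for end, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            posts = sum(1 for w in win if w["cs-method"] == "POST")
            failed = [w for w in win if is_failed_logon(w)]
            # "-" means IIS did not record an account name for the request.
            users = {w["cs-username"] for w in failed if w["cs-username"] != "-"}
            max_posts = max(max_posts, posts)
            max_fails = max(max_fails, len(failed))
            max_users = max(max_users, len(users))
        if max_fails >= fail_threshold and max_users >= spray_users:
            verdict = "password_spray"
        elif max_fails >= fail_threshold:
            verdict = "brute_force"
        else:
            verdict = "benign"
        report[ip] = {"naive_post_alert": max_posts >= post_rate, "verdict": verdict,
                      "max_posts": max_posts, "max_fails": max_fails, "max_users": max_users}
    return report


if __name__ == "__main__":
    for ip, row in analyze(parse_w3c(build_sample())).items():
        print(ip, row)
```

The office address trips the POST-rate rule (60 POSTs in the window) yet has zero 401.1 responses, which is the false positive the question describes; the brute force trips both; the spray stays under the POST rate entirely and is only caught by the failure count combined with the number of distinct accounts. Tune the thresholds against your own baseline before trusting any of them.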