Re: [Full-disclosure] Secure OWA

From: "Bardus Populus" <disclosure@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Aug 2006 11:31:56 -0400 (EDT)

Running an active event log monitor (Symantec's ITA comes to mind as a
quick example) will catch both the brute forcer and/or the lockouts
(regardless of which way you set it up - to lock or not) - and respond
with some appropriate action to notify you as to the happenstance rather
than wait for an admin to review the logs (n)ever.

(bp)

On 8/30/06, Renshaw, Rick (C.) <rrenshaw@xxxxxxxx> wrote:

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Dude
VanWinkle
Sent: Saturday, August 26, 2006 2:30 PM
To: Adriel Desautels
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Secure OWA

The only real fault I know about is the fact that you can guess

passwords
eternally without locking out user accounts.

There's two sides to this risk. If you allow OWA logins to lock out
accounts, and your OWA page is available from anywhere on the Internet,
you
are handing an easy DOS tool to anyone that knows the account names for
people on your server.

Perhaps. But a temporary lockout period would deter brute-force
attempts while still making an attacker do some work to keep the
accounts locked (eg, if you have a lockout of 5 minutes, brute forcing
is no longer practical, but at the same time, if you want to DoS
someone's account you have to keep coming back every 5 minutes. And
that increases the risk you'll get caught.)

-Brendan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- RE: [Full-disclosure] Secure OWA
  - From: Renshaw, Rick \(C.\)
- Re: [Full-disclosure] Secure OWA
  - From: Brendan Dolan-Gavitt

Prev by Date: RE: [Full-disclosure] Secure OWA
Next by Date: Re: [Full-disclosure] Re: Re: George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment
Previous by thread: Re: [Full-disclosure] Secure OWA
Next by thread: Re: [Full-disclosure] Secure OWA
Index(es):
- Date
- Thread

Relevant Pages

Re: Welcome Logon Screen locks out accounts
... consider a lockout count of 15-25 tries. ... > 30 minutes your accounts will not lock out. ... >> I am using the Welcome logon screen on my XP Pro system. ... >> password before the account is locked out using security policies. ...
(microsoft.public.windowsxp.security_admin)
Re: GPO Question
... Account Lockout and Password policy is domainwide - you cannot define it on ... > I have a OU called App and under App, ... > type of GPO per category. ... > -Service Accounts ...
(microsoft.public.windows.server.security)
Re: User Accounts Loccked After Accessing FTP Site
... The security policy for lockout is 3 failed login attempts. ... configuation settings for this particular ftp site (I am relatively new at ... passwords and user accounts to be sent in clear text. ... > What is the account lockout policy for domain users? ...
(microsoft.public.inetserver.iis.security)
Re: Lockout of all acounts
... > accounts, including Administrator, have been locked out. ... > have a single domain controller and cannot get console access. ... is the lockout from repeated failed ...
(microsoft.public.win2000.general)