I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout.
What is the best way to do this?
I have the following group policy:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\
- Account Lockout duration 10 mins
- Account lockout threshold 5 attempts
- Reset Account lockout counter after 10 mins
Best Answer
That's good enough if you have a reasonable password policy. If people can have a password of "1", that's probably going to be a problem.

You've rate limited brute forcing the password to 1 password every 2 minutes. At that rate guessing a 7 character, all numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.