How to secure Outlook Web Access against Brute Force attack

active-directorybrute-force-attacksexchange-2010groupsuser-accounts

I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout.

What is the best way to do this?

I have the following group policy:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\

Account Lockout duration 10 mins
Account lockout threshold 5 attempts
Reset Account lockout counter after 10 mins

Best Answer

That's good enough if you have a reasonable password policy. If people can have a password of 1, that's probably going to be a problem.

You've rate limited brute forcing the password to 1 password every 2 minutes. At that rate guessing a 7 character, all numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.

Related Solutions

Proving Password Security to Non-Mathematicians – Standard Methods

Using fail2ban with the iptables is a great way.

Here is the math for you:

Mixed upper and lower case alphabet and common symbols, 8 characters long, gives you 2.9 quadrillion conbinations and with 10,000 attempts a second will take 9,488 years. Thats the maximum of course - expect your password to be cracked in 4000 years. 1000 years if you're not feeling lucky.

As you can see you shouldn't have any issues if you do a 15 character password like:

dJ&3${bs2ujc"qX

Exchange – Prevent DOS Attack Through Outlook Web Access

You may be able to do this through an add-on IIS component, but most places do it with an IDS/IPS device. The device sits on the network and sniffs traffic, and it should know a bit about the application. When it sees repeated bad login attempts, it should block or rate-limit the attacker IP address.

Best Answer

Related Solutions

Proving Password Security to Non-Mathematicians – Standard Methods

Exchange – Prevent DOS Attack Through Outlook Web Access

Related Topic