How to secure Outlook Web Access against Brute Force attack?
Solution 1:
That's good enough if you have a reasonable password policy. If people can have a password of "1", that's probably going to be a problem.
You've rate limited brute forcing the password to 1 password every 2 minutes. At that rate, guessing a 7-character, all-numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.
Solution 2:
While what Chris S says is true, you have opened yourself up to a DoS attack. I can't break into your accounts, but I can lock them all out permanently. I just keep on doing wrong password attempts, indefinitely. One bad attempt per user, every 2 minutes, isn't much.
You need something monitoring your logs for invalid attempts, and eventually block that IP address at the firewall for a period of time.
How to set that up is highly dependent on your infrastructure (logging, firewall, etc.) and your usage patterns. For instance, if the same IP address makes an invalid attempt on 2-3 accounts, you may want to block that IP for a few days. If it's one account, you may only want to block that IP once it's done 10 invalid attempts in an hour, for two hours.
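The two thresholds described in this answer, run over sample log lines, as an added example that is not part of the original answers. The log format (ISO timestamp, client IP, account name, FAIL/OK), the exact numbers (3 distinct accounts in an hour blocks for 3 days; 10 failures on one account in an hour blocks for 2 hours) and the log lines themselves are constructed assumptions for illustration; a real deployment would parse the IIS or Exchange logs it actually has and turn each returned block decision into a firewall rule on its own platform.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds follow the answer above; the concrete values are assumptions.
MULTI_ACCOUNT_THRESHOLD = 3                 # distinct accounts hit from one IP...
MULTI_ACCOUNT_WINDOW = timedelta(hours=1)   # ...within this window...
MULTI_ACCOUNT_BLOCK = timedelta(days=3)     # ...gets "a few days" of blocking

SINGLE_ACCOUNT_THRESHOLD = 10               # failures on one account...
SINGLE_ACCOUNT_WINDOW = timedelta(hours=1)  # ...within an hour...
SINGLE_ACCOUNT_BLOCK = timedelta(hours=2)   # ...gets two hours of blocking


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <client ip> <account> <FAIL|OK>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


class BruteForceMonitor:
    """Sliding-window failure counter keyed by source IP."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> deque of (time, account)
        self.blocked_until = {}             # ip -> datetime the block expires

    def _prune(self, ip, now):
        """Drop failures older than the longest window so memory stays bounded."""
        q = self.failures[ip]
        oldest_kept = max(MULTI_ACCOUNT_WINDOW, SINGLE_ACCOUNT_WINDOW)
        while q and now - q[0][0] > oldest_kept:
            q.popleft()

    def _block(self, ip, until):
        self.blocked_until[ip] = until
        self.failures[ip].clear()
        return (ip, until)

    def observe(self, line):
        """Feed one log line; return (ip, block_until) when a block is issued, else None."""
        now, ip, user, result = parse_line(line)
        if result != "FAIL":
            return None
        if ip in self.blocked_until and self.blocked_until[ip] > now:
            return None  # still blocked; the firewall should already be dropping this
        q = self.failures[ip]
        q.append((now, user))
        self._prune(ip, now)

        # Rule 1: one source spraying several accounts -> long block.
        accounts = {u for t, u in q if now - t <= MULTI_ACCOUNT_WINDOW}
        if len(accounts) >= MULTI_ACCOUNT_THRESHOLD:
            return self._block(ip, now + MULTI_ACCOUNT_BLOCK)

        # Rule 2: one source hammering a single account -> short block.
        hits = sum(1 for t, u in q if u == user and now - t <= SINGLE_ACCOUNT_WINDOW)
        if hits >= SINGLE_ACCOUNT_THRESHOLD:
            return self._block(ip, now + SINGLE_ACCOUNT_BLOCK)
        return None


def process(lines):
    """Run the monitor over a log and return every block decision in order."""
    monitor = BruteForceMonitor()
    return [b for b in map(monitor.observe, lines) if b is not None]


# Constructed sample log (not real traffic): a password-spray source, a
# single-account brute forcer, and a legitimate user who mistyped twice.
SAMPLE_LOG = [
    "2024-01-10T08:00:00 203.0.113.5 alice FAIL",
    "2024-01-10T08:02:00 203.0.113.5 bob FAIL",
    "2024-01-10T08:04:00 203.0.113.5 carol FAIL",
] + [
    f"2024-01-10T09:{m:02d}:00 198.51.100.7 dave FAIL" for m in range(0, 20, 2)
] + [
    "2024-01-10T10:00:00 192.0.2.9 eve FAIL",
    "2024-01-10T10:02:00 192.0.2.9 eve FAIL",
    "2024-01-10T10:04:00 192.0.2.9 eve OK",
]

if __name__ == "__main__":
    for ip, until in process(SAMPLE_LOG):
        print(f"block {ip} until {until.isoformat()}")
```

The spray source trips rule 1 on its third distinct account and is blocked for three days; the single-account source needs all ten failures before rule 2 fires and is blocked for two hours; the user who mistyped twice is never touched. Note that, because blocking is keyed on the source IP rather than the account, this does not add to the lockout problem the answer describes, but an attacker behind many addresses can still trip the per-account lockout, so the two controls are complementary rather than a replacement for each other.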