How to secure Outlook Web Access against Brute Force attack?

Solution 1:

That's good enough if you have a reasonable password policy. If people can have a password of 1, that's probably going to be a problem.

You've rate-limited brute forcing the password to 1 password every 2 minutes. At that rate, guessing a 7-character, all-numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.

Solution 2:

While what Chris S says is true, you have opened yourself up to a DoS attack. I can't break into your accounts, but I can lock them all out permanently. I just keep on doing wrong password attempts, indefinitely. One bad attempt per user, every 2 minutes isn't much.

You need something monitoring your logs for invalid attempts, and eventually block that IP address at the firewall for a period of time.

How to set that up is highly dependent on your infrastructure (logging, firewall, etc.), and your usage patterns. For instance, if the same IP address makes an invalid attempt on 2-3 accounts, you may want to block that IP for a few days. If it's one account, you may only want to block that IP once it's done 10 invalid attempts in an hour, for two hours.
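The two thresholds described in the answer above (several accounts from one IP, or many failures on one account within an hour), as an added example that is not the poster's code. The log format, the IP addresses, the account names and the class and function names are all constructed for this example; real OWA failures live in the IIS W3C logs or the Windows Security log and need their own parser, and the returned decisions would be fed to whatever firewall you actually have.

```python
"""Failed-login watcher: per-source-IP sliding window over a simple,
constructed log format.  Blocks are decided per IP; accounts are never
locked, which is the whole point of the answer above."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client ip> <account> <outcome>".
# 203.0.113.9 tries three different accounts; 10.0.0.5 hammers one account.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 192.0.2.10 dave OK",
    "2024-05-01T09:01:00 203.0.113.9 alice FAIL",
    "2024-05-01T09:01:05 203.0.113.9 bob FAIL",
    "2024-05-01T09:01:10 203.0.113.9 carol FAIL",
] + [f"2024-05-01T09:{2 * i + 10:02d}:00 10.0.0.5 alice FAIL" for i in range(12)]


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, failed)."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome == "FAIL"


class FailedLoginWatcher:
    """Tracks recent failures per IP and decides when to block the IP.

    spray_limit:  distinct accounts from one IP inside `window` -> long block
    single_limit: total failures from one IP inside `window`   -> short block
    Defaults follow the numbers given in the answer (hypothetical policy).
    """

    def __init__(self, window=timedelta(hours=1),
                 single_limit=10, single_block=timedelta(hours=2),
                 spray_limit=3, spray_block=timedelta(days=3)):
        self.window = window
        self.single_limit, self.single_block = single_limit, single_block
        self.spray_limit, self.spray_block = spray_limit, spray_block
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, account)
        self.blocked = {}                   # ip -> block expiry

    def observe(self, ts, ip, account, failed):
        """Feed one record; return (ip, expiry, reason) when a block is triggered."""
        if not failed:
            return None
        expiry = self.blocked.get(ip)
        if expiry is not None and expiry > ts:
            return None  # already blocked at the firewall; nothing new to do
        recent = self.failures[ip]
        recent.append((ts, account))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        accounts = {acct for _, acct in recent}
        if len(accounts) >= self.spray_limit:
            until, reason = ts + self.spray_block, f"{len(accounts)} accounts in window"
        elif len(recent) >= self.single_limit:
            until, reason = ts + self.single_block, f"{len(recent)} failures in window"
        else:
            return None
        self.blocked[ip] = until
        recent.clear()
        return (ip, until, reason)


def scan(lines, watcher=None):
    """Run every log line through the watcher and collect block decisions."""
    watcher = watcher or FailedLoginWatcher()
    decisions = []
    for line in lines:
        decision = watcher.observe(*parse_line(line))
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for ip, until, reason in scan(SAMPLE_LOG):
        print(f"block {ip} until {until.isoformat()} ({reason})")
```

Running it produces two decisions: the account-spraying IP is blocked for three days after its third distinct account, and the single-account IP is blocked for two hours on its tenth failure, after which its remaining attempts are ignored because the block is already in place. One caveat worth keeping in mind when tuning the thresholds: blocking by source IP also cuts off anyone else behind the same NAT or proxy, so the multi-account rule in particular should be checked against your own usage patterns before the block duration is set to days.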