LockoutGuard: Protect AD accounts from Extranet attacks
Copyright ©2008 Collective Software, LLC

Extranet Publishing with ISA
(Diagram: Internet users -> ISA pre-authentication -> published OWA / web apps; LAN users -> web apps directly; both sides authenticate against Active Directory)
Active Directory is used for authentication.
LAN users connect directly.
Internet users pre-authenticate at ISA.

AD Lockout: Good
(Diagram: Attacker -> ISA pre-authentication -> DC, sending "user: ceo, pass: guess?", "user: ceo, pass: secret?", "user: ceo, pass: brute?", "user: ceo, pass: force?"; the DC's bad password count for user 'ceo' reaches the threshold: Lockout!)
The attacker tries to guess / brute-force passwords.
This type of attack is thwarted by AD account lockout.

AD Lockout: Bad
(Diagram: the same guesses against 'ceo' pass through ISA to the DC; the DC reports user 'ceo': Locked out!, and the real user 'ceo' on the LAN is locked out as well)
This also causes the user to be locked out on the LAN.
Just a nuisance? The help desk can reset the lockout.

AD Lockout: Really Bad
(Diagram: the attacker repeats the guesses against user1..., user2..., user3..., user4...; all of the real users on the LAN are locked out)
An attacker that knows (or guesses) many accounts can lock them all out this way. Repeatedly!
Now it's a Denial of Service.

Problem analysis
Access from the Internet is useful but presents an easy attack surface.
A lockout policy is needed to prevent password attacks.
Any anonymous Internet connection can lock out user accounts at will.

Is there an easy fix?
Given single-factor authentication, lockout is the only feasible solution.
But! We can stop Internet users with a “soft” lockout (e.g. after 3 bad passwords) before the Active Directory “hard” lockout (e.g. after 5 bad passwords).
As with AD lockout, there is no indication to the user.
This helps thwart “low and slow” attackers.

LockoutGuard
(Diagram: the attacker sends "user: ceo, pass: guess?", "secret?", "brute?", "force?", "aaaa?" to ISA running LockoutGuard with threshold 3; only the first three reach the DC, the rest are answered at ISA; the real user 'ceo' on the LAN is unaffected)
After the LockoutGuard threshold (configurable) is reached, authentication requests stop going to the DC.
Internet users are now “locked out”, but LAN users are not affected!
LockoutGuard with threshold: 3
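The soft-lockout gate on this slide, together with the attack sequence from the three "AD Lockout" slides, worked through as an added Python simulation. This is not LockoutGuard's or Collective Software's code: the two classes, the thresholds (3 at the pre-authentication point, 5 in AD, the example values from the slides), the account names and the passwords are all constructed for the illustration, and the gate is a plain per-user bad-password counter standing in for whatever LockoutGuard tracks internally.

```python
"""Simulation of a "soft" lockout gate at the extranet pre-authentication
point, in front of Active Directory's "hard" lockout.  Constructed example:
the classes, thresholds, account names and passwords are assumptions for
illustration and are not LockoutGuard's implementation."""
from collections import defaultdict

AD_LOCKOUT_THRESHOLD = 5   # AD "hard" lockout after 5 bad passwords (example value from the slides)
SOFT_THRESHOLD = 3         # gate stops forwarding after 3 bad passwords (example value from the slides)


class DomainController:
    """Stand-in for the DC: checks passwords and enforces the hard lockout."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)          # user -> password (constructed data)
        self.bad_count = defaultdict(int)        # AD's bad password count per account
        self.locked = set()

    def authenticate(self, user, password):
        if user in self.locked:
            return False                         # hard-locked accounts fail even with the right password
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0             # a good logon resets the count
            return True
        self.bad_count[user] += 1
        if self.bad_count[user] >= AD_LOCKOUT_THRESHOLD:
            self.locked.add(user)                # the lockout that also hits the LAN user
        return False

    def is_locked_out(self, user):
        return user in self.locked


class SoftLockoutGate:
    """Sits where ISA pre-authentication sits, between Internet clients and the DC.
    Once an account has SOFT_THRESHOLD bad passwords from the extranet, further
    attempts are refused locally and never reach the DC, so AD's own count stays
    below the hard threshold.  The refusal is indistinguishable from a bad password."""

    def __init__(self, dc, threshold=SOFT_THRESHOLD):
        self.dc = dc
        self.threshold = threshold
        self.bad_count = defaultdict(int)
        self.forwarded = 0                       # how many requests actually reached the DC

    def authenticate(self, user, password):
        if self.bad_count[user] >= self.threshold:
            return False                         # soft lockout: no DC round trip, same answer as a bad password
        self.forwarded += 1
        ok = self.dc.authenticate(user, password)
        if ok:
            self.bad_count[user] = 0
        else:
            self.bad_count[user] += 1
        return ok


def ceo_scenario(with_gate):
    """Replays the slides' five guesses against 'ceo' from the Internet, then checks
    what the real user sees on the LAN (direct to the DC) and on the extranet."""
    dc = DomainController({"ceo": "correct-horse"})          # constructed credential
    extranet = SoftLockoutGate(dc) if with_gate else dc
    for guess in ["guess", "secret", "brute", "force", "aaaa"]:
        extranet.authenticate("ceo", guess)
    return {
        "ad_bad_count": dc.bad_count["ceo"],
        "ad_locked": dc.is_locked_out("ceo"),
        "lan_login_ok": dc.authenticate("ceo", "correct-horse"),        # LAN users talk to the DC directly
        "extranet_login_ok": extranet.authenticate("ceo", "correct-horse"),
    }


def accounts_locked_by_extranet_guessing(with_gate, users, attempts=AD_LOCKOUT_THRESHOLD):
    """The 'Really Bad' slide: many known accounts each receive enough bad
    passwords from the Internet to trip the hard lockout.  Returns how many
    LAN accounts ended up locked."""
    dc = DomainController({u: "pw-" + u for u in users})     # constructed credentials
    front = SoftLockoutGate(dc) if with_gate else dc
    for u in users:
        for i in range(attempts):
            front.authenticate(u, "wrong%d" % i)
    return sum(1 for u in users if dc.is_locked_out(u))


if __name__ == "__main__":
    print("without gate:", ceo_scenario(False))
    print("with gate:   ", ceo_scenario(True))
    print("accounts locked without gate:",
          accounts_locked_by_extranet_guessing(False, ["user1", "user2", "user3", "user4"]))
    print("accounts locked with gate:   ",
          accounts_locked_by_extranet_guessing(True, ["user1", "user2", "user3", "user4"]))
```

With the gate in place AD's bad password count for 'ceo' stops at 3, the LAN logon succeeds, and the extranet logon still fails until the gate's own counter is cleared, which is exactly the trade-off the slides go on to describe. The simulation does not model AD's reset-counter window or any expiry of the gate's counter; a production soft lockout needs one of those, or every account that is ever attacked stays unusable from the Internet.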

Pros / Cons
Pro: Easy, fast and inexpensive to implement!
Pro: Doesn't add any adverse effects.
Con: Only helps on the LAN; the real user is still locked out of the Extranet.
Multi-factor authentication would be better! (Such as AuthLite by Collective Software)