Presentation is loading. Please wait.

Presentation is loading. Please wait.

LockoutGuard Protect AD accounts from Extranet attacks Copyright ©2008 Collective Software, LLC.

Published bySheryl Hampton Modified over 9 years ago

Similar presentations

Presentation on theme: "LockoutGuard Protect AD accounts from Extranet attacks Copyright ©2008 Collective Software, LLC."— Presentation transcript:

1 LockoutGuard Protect AD accounts from Extranet attacks Copyright ©2008 Collective Software, LLC

2 Extranet Publishing with ISA ISA OWAWeb apps Publish Pre-Authentication --LAN-- Users Active Directory used for authentication LAN users connect directly Internet users pre-authenticate at ISA

3 AD Lockout: Good ISA DC Pre-Authentication --LAN-- Attacker user: ceo, pass: guess? user: ceo, pass: secret? user: ceo, pass: brute? user: ceo, pass: force? Bad pass count for user 'ceo' 0 1 2 3 Lockout! Attacker tries to guess / brute-force passwords This type of attack is thwarted by AD account lockout

4 AD Lockout: Bad ISA DC Pre-Authentication --LAN-- user 'ceo': Locked out! Real user 'ceo' Attacker user: ceo, pass: guess? user: ceo, pass: secret? user: ceo, pass: brute? user: ceo, pass: force? This also causes the user to be locked out on the LAN Just a nuissance? Help desk can reset lockout

5 AD Lockout: Really Bad ISA DC Pre-Authentication --LAN-- users Locked out! Real users Attacker user1... user2... user3... user4... An attacker that knows (or guesses) many accounts can lock them all out this way Repeatedly! Now it's a Denial of service

6 Problem analysis Access from the Internet is useful but presents an easy attack surface A Lockout policy is needed to prevent password attacks Any anonymous Internet connection can lock out user accounts at will

7 Is there an easy fix? Given single factor authentication, lockout is the only feasible solution But! We can stop Internet users with a “soft” lockout (e.g. after 3 bad passwords)‏ Before the Active Directory “hard” lockout (e.g. after 5 bad passwords)‏ As with AD lockout, there is no indication to the user This helps thwart “low and slow” attackers

8 LockoutGuard ISA DC --LAN-- Real user 'ceo' Attacker user: ceo, pass: guess? user: ceo, pass: secret? user: ceo, pass: brute? user: ceo, pass: force? user: ceo, pass: aaaa? After the LockoutGuard threshold (configurable) authentication requests stop going to DC Internet users are now “locked out” but LAN users are not affected! LockoutGuard with threshold: 3

9 Pros / Cons Easy, fast and inexpensive to implement! Doesn't add any adverse effects  Only helps on the LAN, the real user is still locked out of the Extranet  Multi-factor authentication would be better! (Such as AuthLite by Collective Software)‏

Download ppt "LockoutGuard Protect AD accounts from Extranet attacks Copyright ©2008 Collective Software, LLC."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
INTERNET INFORMATION ACCESS How to avoid and eliminate common problems confronting usage of modern resources to access the Internet.

INTERNET INFORMATION ACCESS How to avoid and eliminate common problems confronting usage of modern resources to access the Internet.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
FlexForm Login form integration Copyright ©2008 Collective Software, LLC.

FlexForm Login form integration Copyright ©2008 Collective Software, LLC.
Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.

Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
UAGSharePoint InternetIntranet.

UAGSharePoint InternetIntranet.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.

Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Managing Network Security ref:www.microsoft.com. Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

Managing Network Security ref: Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

Similar presentations

Ads by Google