
If I configure an Active Directory Lockout Policy, then someone can use repeated bad login attempts to lock users out.

How do I block an IP if enough bad login attempts come from it?

Can I do this through IIS or do I need something else?

I am running Exchange 2010 with Outlook Web Access using IIS 7.5 on Windows 2008 Server Standard R2.

John Gardeniers
SLY
  • Do you really think this is a problem you need to worry about and implement a solution for? Has it happened? How many times has it happened?, etc. – joeqwerty Jan 26 '11 at 20:08
  • I'm concerned about vulnerabilities in Outlook Web Access. It hasn't happened and maybe it's a bit far-fetched. I thought I'd put it to the community. – SLY Jan 26 '11 at 20:13
  • Well, the attacker needs to know the exact account name for this to work. It's not too common, although we have had this happen with SFTP accounts for a customer. We had to change their username. – mfinni Jan 26 '11 at 20:28
  • No faulting you for being concerned, but my opinion is that you're better served planning for events that are probable, not for events that are possible. Yes, it's possible that someone may try to "hack in" via OWA, but it's not probable... in my opinion. It seems like a bit of a knee-jerk reaction to implement special controls to forestall an event that isn't likely to happen. Implement reasonable controls to prevent events that can reasonably be expected to happen. – joeqwerty Jan 26 '11 at 21:16

1 Answer


You may be able to do this through an add-on IIS component, but most places do it with an IDS/IPS device. The device sits on the network and sniffs traffic, and it should know a bit about the application. When it sees repeated bad login attempts, it should block or rate-limit the attacker IP address.

mfinni
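The answer above points at an IDS/IPS, but the same detection can be done on the Client Access server itself from the IIS logs, which also avoids the account-lockout denial of service the question worries about because the action is taken against the source IP rather than the account. The script below is an added example, not code from the thread or from mfinni's answer. It assumes things the page does not state: that the W3C log carries the fields named in its `#Fields` line (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status), that a failed forms-based OWA logon appears as a `GET /owa/auth/logon.aspx` with `reason=2` in the query string and a failed Basic-auth request as status 401, and that the "IP and Domain Restrictions" role service is installed so the `system.webServer/security/ipSecurity` section exists for the site. The log lines are constructed; the path in the comment is a hypothetical example.

```powershell
# Added example (not from the Server Fault thread). Counts OWA logon failures per client IP
# in IIS 7.5 W3C log lines and, above $Threshold failures inside a $WindowMinutes sliding
# window, reports the IP and (optionally) adds a deny entry to the site's IP restrictions.
# Assumptions: field layout as in the #Fields line below; forms-based logon failure =
# GET /owa/auth/logon.aspx with reason=2; Basic-auth failure = sc-status 401;
# IP and Domain Restrictions installed; PowerShell 2.0 as shipped with Server 2008 R2.

$Threshold     = 5                    # failures from one IP ...
$WindowMinutes = 10                   # ... within this many minutes trigger a block
$SiteName      = 'Default Web Site'   # Exchange 2010 publishes /owa under this site by default

# Constructed sample log standing in for a real file such as
# C:\inetpub\logs\LogFiles\W3SVC1\u_ex110126.log (hypothetical path).
# 203.0.113.7 hammers one mailbox; 198.51.100.20 is a user who mistyped a password twice.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-01-26 20:00:01 203.0.113.7 POST /owa/auth.owa - 302
2011-01-26 20:00:01 203.0.113.7 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:00:14 203.0.113.7 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:00:27 203.0.113.7 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:00:40 198.51.100.20 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:00:53 203.0.113.7 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:01:06 198.51.100.20 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:01:19 198.51.100.20 GET /owa/ - 200
2011-01-26 20:01:32 203.0.113.7 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2 200
2011-01-26 20:02:45 203.0.113.7 POST /owa/ - 401
'@

# Parse W3C lines using the #Fields header and emit one object per logon failure.
function Get-LogonFailures {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        $fbaFailure   = ($rec['cs-uri-stem'] -eq '/owa/auth/logon.aspx') -and ($rec['cs-uri-query'] -match 'reason=2')
        $basicFailure = ($rec['sc-status'] -eq '401')
        if ($fbaFailure -or $basicFailure) {
            New-Object PSObject -Property @{
                Time = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
                IP   = $rec['c-ip']
            }
        }
    }
}

# Flag an IP when any $Threshold consecutive failures fall inside $WindowMinutes.
function Get-OffendingIPs {
    param([object[]]$Failures, [int]$Threshold, [int]$WindowMinutes)
    foreach ($group in ($Failures | Group-Object -Property IP)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        for ($i = 0; $i + $Threshold -le $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                New-Object PSObject -Property @{ IP = $group.Name; Failures = $times.Count }
                break
            }
        }
    }
}

# Add a deny entry for the IP to the site's IP and Domain Restrictions (idempotent).
function Block-ClientIP {
    param([string]$IP, [string]$Site)
    Import-Module WebAdministration -ErrorAction Stop     # IIS 7.5 PowerShell provider
    $psPath = "IIS:\Sites\$Site"
    $filter = 'system.webServer/security/ipSecurity'
    $already = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@ipAddress='$IP']"
    if (-not $already) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ ipAddress = $IP; allowed = 'False' }
    }
}

# Run against the constructed sample. For a real log:  $lines = Get-Content $pathToLog
$lines     = $SampleLog -split "`r?`n"
$failures  = @(Get-LogonFailures -Lines $lines)
$offenders = @(Get-OffendingIPs -Failures $failures -Threshold $Threshold -WindowMinutes $WindowMinutes)

foreach ($o in $offenders) {
    Write-Host ("{0}: {1} logon failures, more than {2} within {3} min" -f $o.IP, $o.Failures, $Threshold, $WindowMinutes)
    # Block-ClientIP -IP $o.IP -Site $SiteName   # uncomment to enforce; review $offenders first
}
```

On the sample, only 203.0.113.7 is reported (six failures in under three minutes); 198.51.100.20 stays under the threshold. Two caveats before enforcing: IIS flushes its log file periodically rather than per request, so a scheduled run reacts with a lag of up to a minute or so, and a deny entry applies to everyone behind that address, so an IP shared by a NAT gateway or proxy can cut off many legitimate users if blocked. Blocking the source IP does not itself prevent lockouts caused by attempts that arrive below the threshold or from many addresses, so it complements, rather than replaces, a sensible lockout threshold and observation window.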