I'd like to secure Outlook Web Access with Exchange 2010 against a brute force attack using account lockout.
What is the best way to do this?
I have the following group policy:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\
- Account Lockout duration 10 mins
- Account lockout threshold 5 attempts
- Reset Account lockout counter after 10 mins
That's good enough if you have a reasonable password policy. If people can have a password of "1", that's probably going to be a problem. You've rate-limited brute forcing the password to 1 password every 2 minutes. At that rate guessing a 7-character, all-numbers password would take 19 years of straight hacking on average... and that's a pretty crappy password.
While what Chris S says is true, you have opened yourself up to a DoS attack. I can't break into your accounts, but I can lock them all out permanently. I just keep on doing wrong password attempts, indefinitely. One bad attempt per user, every 2 minutes, isn't much.
You need something monitoring your logs for invalid attempts, and eventually block that IP address at the firewall for a period of time.
How to set that up is highly dependent on your infrastructure (logging, firewall, etc.) and your usage patterns. For instance, if the same IP address makes an invalid attempt on 2-3 accounts, you may want to block that IP for a few days. If it's one account, you may only want to block that IP once it's done 10 invalid attempts in an hour, for two hours.
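The two per-IP blocking rules from the answer above, as an added example that is not code from the thread. It assumes failed-logon records have already been pulled out of whatever your real source is (the CAS Security log, IIS logs) into "timestamp ip account" lines; the sample lines and the 3-day figure for "a few days" are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the answer; "a few days" is assumed to be 3 days, and the
# multi-account rule fires at the low end of the "2-3 accounts" range.
MULTI_ACCOUNT_MIN = 2                 # distinct accounts tried from one IP
MULTI_ACCOUNT_BLOCK = timedelta(days=3)
SINGLE_ACCOUNT_MAX = 10               # failures on one account within ...
SINGLE_ACCOUNT_WINDOW = timedelta(hours=1)
SINGLE_ACCOUNT_BLOCK = timedelta(hours=2)

def parse_failures(lines):
    """Parse constructed 'ISO-timestamp source-ip account' lines into tuples."""
    out = []
    for line in lines:
        ts, ip, account = line.split()
        out.append((datetime.fromisoformat(ts), ip, account))
    return out

def blocks_for(failures, now):
    """Return {source_ip: block_duration} for every IP that trips a rule.
    The multi-account rule takes precedence; the answer gives it no time
    window, so it is evaluated over all records supplied."""
    by_ip = defaultdict(list)
    for ts, ip, account in failures:
        by_ip[ip].append((ts, account))
    decisions = {}
    for ip, events in by_ip.items():
        if len({acct for _, acct in events}) >= MULTI_ACCOUNT_MIN:
            decisions[ip] = MULTI_ACCOUNT_BLOCK
            continue
        recent = [ts for ts, _ in events if now - ts <= SINGLE_ACCOUNT_WINDOW]
        if len(recent) >= SINGLE_ACCOUNT_MAX:
            decisions[ip] = SINGLE_ACCOUNT_BLOCK
    return decisions

SAMPLE_LOG = (
    # 10.0.0.5: twelve failures on one account in the last hour -> 2h block
    [f"2012-03-01T09:{m:02d}:00 10.0.0.5 alice" for m in range(0, 60, 5)]
    # 10.0.0.9: one failure each on three accounts -> multi-day block
    + ["2012-03-01T09:10:00 10.0.0.9 bob",
       "2012-03-01T09:12:00 10.0.0.9 carol",
       "2012-03-01T09:14:00 10.0.0.9 dave"]
    # 10.0.0.7: two failures on one account -> below threshold, no block
    + ["2012-03-01T09:30:00 10.0.0.7 erin", "2012-03-01T09:40:00 10.0.0.7 erin"]
)

def sample_decisions():
    """Run the rules over the constructed log as of 10:00 on the same day."""
    return blocks_for(parse_failures(SAMPLE_LOG), datetime(2012, 3, 1, 10, 0))

if __name__ == "__main__":
    print(sample_decisions())
```

The returned durations are what you would hand to the firewall; how that block is applied is the infrastructure-specific part the answer leaves open.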