Solutions

Your Cart: 0 item(s) $0.00 Checkout

$208 / server   Buy for ISA
   
$208 / server   Buy for TMG
   
LockoutGuard icon

LockoutGuardv1.2.6

LockoutGuard: Prevent denial of service


Protect your extranet from lockout attacks quickly and easily, without service impact.
  • Implements a pre-emptive "soft lockout"
  • Active Directory accounts protected
  • Configurable lockout threshold

Problem: Denial of service

  • Each failed authentication attempt to your extranet counts in Active Directory as a failed login.
  • Therefore, it is trivial for a remote attacker to lock out any of your AD accounts if they know (or can guess) the login name. No further credentials or privilege is required for this attack.
  • In severe cases this attack may represent a substantial remotely triggerable denial of service vulnerability in your network.

Solution

LockoutGuard from Collective Software augments the capabilities of ISA 2006 and Forefront TMG to allow a “soft lockout”.

  • LockoutGuard can be configured to start denying authentication attempts before the AD lockout limit is reached.
  • This acts as an additional tier of “lockout security”, safely locking the account out of the extranet.
  • During soft lockout of a user's account, password guessing on the extranet will fail since LockoutGuard is blocking authentication attempts for that account.
  • Even during this soft lockout, the user account can still be logged in from inside your LAN, or over a VPN. Thus, the DoS potential is substantially controlled, with a minimum inconvenience.