LockoutGuard: Prevent denial of service
Protect your extranet from lockout attacks quickly and easily, without service impact.
- Implements a pre-emptive "soft lockout"
- Active Directory accounts protected
- Configurable lockout threshold
Problem: Denial of service
- Each failed authentication attempt to your extranet counts in Active Directory as a failed login.
- Therefore, it is trivial for a remote attacker to lock out any of your AD accounts if they know (or can guess) the login name. No further credentials or privileges are required for this attack.
- In severe cases this attack may represent a substantial remotely triggerable denial of service vulnerability in your network.
LockoutGuard from Collective Software augments the capabilities of ISA 2006 and Forefront TMG to allow a “soft lockout”.
- LockoutGuard can be configured to start denying authentication attempts before the AD lockout limit is
- This acts as an additional tier of “lockout security”, safely locking the account out of the extranet.
- During soft lockout of a user's account, password guessing on the extranet will fail since LockoutGuard is blocking authentication attempts for that account.
- Even during this soft lockout, the user can still log in from inside your LAN, or over a VPN.
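The soft-lockout idea described above can be modelled in a few lines. This is an added example, not LockoutGuard's code: the `Directory` and `ExtranetGateway` classes, the threshold of 5, and the `alice` account are all constructed for illustration, and soft-lockout expiry is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

AD_LOCKOUT_THRESHOLD = 5  # constructed value standing in for the AD lockout policy

@dataclass
class Directory:
    """Toy stand-in for Active Directory's per-account bad-password counter."""
    passwords: dict
    bad_count: dict = field(default_factory=dict)

    def locked(self, user):
        return self.bad_count.get(user, 0) >= AD_LOCKOUT_THRESHOLD

    def authenticate(self, user, password):
        if self.locked(user):
            return False
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        return False

@dataclass
class ExtranetGateway:
    """Hypothetical gateway; soft_threshold=None models no soft lockout."""
    directory: Directory
    soft_threshold: Optional[int] = None
    failures: dict = field(default_factory=dict)

    def __post_init__(self):
        # A soft limit at or above the AD limit would not protect the account.
        if self.soft_threshold is not None and self.soft_threshold >= AD_LOCKOUT_THRESHOLD:
            raise ValueError("soft threshold must be below the AD lockout threshold")

    def login(self, user, password):
        if self.soft_threshold is not None and self.failures.get(user, 0) >= self.soft_threshold:
            return "soft-locked"  # denied at the gateway, never forwarded to the directory
        if self.directory.authenticate(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

def simulate(soft_threshold, wrong_attempts=20):
    """Replay repeated wrong passwords at the extranet, then try a LAN logon."""
    ad = Directory(passwords={"alice": "correct-password"})  # constructed account
    gw = ExtranetGateway(ad, soft_threshold)
    outcomes = [gw.login("alice", f"wrong-{i}") for i in range(wrong_attempts)]
    ad_failures, ad_locked = ad.bad_count["alice"], ad.locked("alice")
    lan_ok = ad.authenticate("alice", "correct-password")  # direct, not via gateway
    return {"forwarded": outcomes.count("denied"), "ad_failures": ad_failures,
            "ad_locked": ad_locked, "lan_logon_ok": lan_ok}
```

Comparing `simulate(3)` with `simulate(None)` shows the difference: with the soft limit the directory counter stops below the lockout threshold and the LAN logon succeeds, while without it the account is locked everywhere.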
Thus, the DoS potential is substantially controlled, with a minimum