LockoutGuard: Prevent denial of service
Protect your extranet from lockout attacks quickly and easily, without service impact.
- Implements a pre-emptive "soft lockout"
- Active Directory accounts protected
- Configurable lockout threshold
Problem: Denial of service
- Each failed authentication attempt to your extranet counts in Active Directory as a failed login.
- Therefore, it is trivial for a remote attacker to lock out any of your AD accounts if they know (or can guess) the login name. No further credentials or privileges are required for this attack.
- In severe cases this attack may represent a substantial remotely triggerable denial of service vulnerability in your network.
LockoutGuard from Collective Software augments the capabilities of ISA 2006 and Forefront TMG to allow a “soft lockout”.
- LockoutGuard can be configured to start denying authentication attempts before the AD lockout limit is reached.
- This acts as an additional tier of “lockout security”, safely locking the account out of the extranet.
- During soft lockout of a user's account, password guessing on the extranet will fail since LockoutGuard is blocking authentication attempts for that account.
- Even during this soft lockout, the user can still log in to the account from inside your LAN, or over a VPN. Thus, the DoS potential is substantially controlled, with minimal inconvenience.
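The relationship between the soft threshold and the AD lockout limit can be modelled in a few lines. This is an added example, not Collective Software's code: the class names, the thresholds (3 and 5), the sample account and the assumption that the gate consults the directory's failed-logon count are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Stand-in for Active Directory (constructed): locks at hard_threshold."""
    passwords: dict
    hard_threshold: int = 5
    bad_count: dict = field(default_factory=dict)

    def locked(self, user):
        return self.bad_count.get(user, 0) >= self.hard_threshold

    def authenticate(self, user, password):
        if self.locked(user):
            return False  # hard lockout: refused everywhere, LAN and VPN included
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        return False

@dataclass
class ExtranetGate:
    """Hypothetical soft-lockout gate sitting in front of the directory."""
    directory: Directory
    soft_threshold: int = 3

    def authenticate(self, user, password):
        # Assumption: the gate consults the directory's failed-logon count.
        if self.directory.bad_count.get(user, 0) >= self.soft_threshold:
            return False  # soft lockout: denied without forwarding to the directory
        return self.directory.authenticate(user, password)

def simulate(soft_threshold, guesses=20):
    """Send repeated wrong passwords through the extranet, then report state."""
    ad = Directory({"alice": "correct horse"}, hard_threshold=5)
    gate = ExtranetGate(ad, soft_threshold)
    for i in range(guesses):
        gate.authenticate("alice", f"wrong-{i}")
    return {
        "ad_bad_count": ad.bad_count.get("alice", 0),
        "ad_locked": ad.locked("alice"),
        "extranet_correct_pw": gate.authenticate("alice", "correct horse"),
        "lan_correct_pw": ad.authenticate("alice", "correct horse"),
    }

if __name__ == "__main__":
    print("soft=3:", simulate(3))
    print("soft=5 (no margin):", simulate(5))
```

With a soft threshold equal to the directory's limit there is no margin, and the account ends up locked for internal users as well; the protection comes entirely from keeping the soft threshold below the AD lockout limit.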