Full Disclosure mailing list archives
Re: Secure OWA
From: "Bardus Populus" <disclosure () wykkyd securecoffee com>
Date: Wed, 30 Aug 2006 11:31:56 -0400 (EDT)
Running an active event log monitor (Symantec's ITA comes to mind as a quick example) will catch both the brute forcer and/or the lockouts (regardless of which way you set it up - to lock or not) - and respond with some appropriate action to notify you as to the happenstance rather than wait for an admin to review the logs (n)ever. (bp)
On 8/30/06, Renshaw, Rick (C.) <rrenshaw () ford com> wrote:-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Dude VanWinkle Sent: Saturday, August 26, 2006 2:30 PM To: Adriel Desautels Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Secure OWAThe only real fault I know about is the fact that you can guesspasswords eternally without locking out user accounts. There's two sides to this risk. If you allow OWA logins to lock out accounts, and your OWA page is available from anywhere on the Internet, you are handing an easy DOS tool to anyone that knows the account names for people on your server.Perhaps. But a temporary lockout period would deter brute-force attempts while still making an attacker do some work to keep the accounts locked (eg, if you have a lockout of 5 minutes, brute forcing is no longer practical, but at the same time, if you want to DoS someone's account you have to keep coming back every 5 minutes. And that increases the risk you'll get caught.) -Brendan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Secure OWA, (continued)
- Re: Secure OWA Brendan Dolan-Gavitt (Aug 25)
- Re: Secure OWA Dimitri Limanovski (Aug 25)
- Re: Secure OWA Danny (Aug 25)
- Re: Secure OWA <...> (Aug 26)
- Re: Secure OWA Dude VanWinkle (Aug 26)
- Re: Secure OWA Adriel Desautels (Aug 26)
- Re: Secure OWA Dude VanWinkle (Aug 26)
- Re: Secure OWA Valdis . Kletnieks (Aug 26)
- Re: Secure OWA Dude VanWinkle (Aug 26)
- Re: Secure OWA Brendan Dolan-Gavitt (Aug 25)
- Re: Secure OWA Brendan Dolan-Gavitt (Aug 30)
- Re: Secure OWA Bardus Populus (Aug 30)
- Re: Secure OWA Mark Senior (Aug 30)
- Re: Secure OWA Brian Eaton (Aug 30)
- Re: Secure OWA Lohan Spies (Aug 31)