[unisog] AD and LDAP provider (account lockouts)
Stasiniewicz, Adam
stasinia at msoe.edu
Sun Aug 5 03:39:28 GMT 2007
Hi Michael,
I have seen this bug before. I know Microsoft has a hot fix for it. But I
can't find it on their website. The one workaround I know of is to use DNs
instead of UPNs as the username during the LDAP bind process (if your users
are in more than one container, then your apps will need to first do a
search for that user's DN). Otherwise, you can call PSS and they should be
able to give you the hot fix.
Regards,
Adam Stasiniewicz
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Holstein
Sent: Wednesday, August 01, 2007 8:28 AM
To: UNIversity Security Operations Group
Subject: [unisog] AD and LDAP provider (account lockouts)
Let's say one has an application that does a test LDAP bind to
authenticate a user to an external application.
LDAP is on Active Directory.
I've noticed that LDAP "password failures" do NOT increment the
"Incorrect Attempt" counter in AD like ADSI/SMB attempts do.
How are others preventing "password grinding" against external webapps
that use LDAP on the backend (where $backend is AD)?
Is there some simple registry hack that overcomes this? (I checked all
the security templates from Microsoft's "hardening" guidelines, and
found no solace there.)
(I've googled this extensively, and found no conclusive answer to this,
other than to use a "normal" LDAP provider like SunOne, etc).
Thanks,
Michael Holstein
Cleveland State University
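
The search-then-bind flow that the reply describes (look up the user's DN first, then bind with the DN rather than the UPN), as an added example that is not code from this thread or from any poster. The `StubDirectory` class with its `search`/`bind` methods is a constructed stand-in for a real LDAP connection, and all names, DNs and passwords are sample values; the filter escaping and the empty-password check are additions a webapp doing test binds would also want.

```python
"""Search-then-bind: resolve a login name to its DN, then bind with the DN."""

def escape_filter_value(value):
    # RFC 4515: hex-escape the characters that are special in a search filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(login):
    v = escape_filter_value(login)
    return "(&(objectClass=user)(|(userPrincipalName=%s)(sAMAccountName=%s)))" % (v, v)

def authenticate(directory, base_dn, login, password):
    """Return the DN that was bound on success, None on any failure."""
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513, section 5.1.2) and can "succeed": reject it before binding.
    if not login or not password:
        return None
    matches = directory.search(base_dn, user_filter(login))
    if len(matches) != 1:  # unknown login, or ambiguous across containers
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None

class StubDirectory:
    """Constructed in-memory stand-in for an LDAP connection (hypothetical API)."""
    def __init__(self, entries):
        self.entries = entries  # dn -> (userPrincipalName, sAMAccountName, password)

    def search(self, base_dn, ldap_filter):
        hits = []
        for dn, (upn, sam, _pw) in self.entries.items():
            names = ("=%s)" % escape_filter_value(n) for n in (upn, sam))
            if dn.endswith(base_dn) and any(n in ldap_filter for n in names):
                hits.append(dn)
        return hits

    def bind(self, dn, password):
        return dn in self.entries and self.entries[dn][2] == password

# Constructed sample data: two users in different containers.
BASE_DN = "DC=example,DC=edu"
SAMPLE = StubDirectory({
    "CN=Jane Doe,OU=Staff,DC=example,DC=edu": ("jdoe@example.edu", "jdoe", "correct horse"),
    "CN=Sam Roe,OU=Students,DC=example,DC=edu": ("sroe@example.edu", "sroe", "battery staple"),
})

if __name__ == "__main__":
    print(authenticate(SAMPLE, BASE_DN, "jdoe@example.edu", "correct horse"))
    print(authenticate(SAMPLE, BASE_DN, "sroe", "wrong"))
```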