[unisog] AD and LDAP provider (account lockouts)

David Seidl dseidl at nd.edu
Wed Aug 1 19:25:51 GMT 2007


I've tended to see this implemented at the web server end of things -
any web application that gets built in hours gets appropriate controls
to prevent brute forcing built into it. The web programmers tended to
pick up on the idea and build a standard framework to plug their new
apps into pretty quickly. We also used back-off algorithms to prevent
brute forcing of web apps that needed to do a hard lockout of users
after failed password attempts - typically back-offs would be combined
with log analysis to catch low and slow crack attempts.

The gotcha is third party applications that do not have any sort of
intelligent back-off or retry limitations in them. Your solution then is
limited to log analysis, building something to sit in front, or not
using the application.


David Seidl, CISSP
University of Notre Dame, Office of Information Technologies
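The controls described above (a per-account back-off in front of the bind, combined with log analysis for low-and-slow grinding that stays beneath any per-account threshold) as an added example; this is not code from the list post or from Notre Dame. It assumes a `bind(user, password)` callable that stands in for the application's LDAP simple bind against AD, a constructed in-memory directory in place of the real one, and a fake clock so the simulated timeline runs instantly; the IP addresses and account names are constructed sample values.

```python
import time
from collections import defaultdict


class BackoffGate:
    """Per-account exponential back-off applied before the LDAP bind is attempted.
    The delay doubles after every failure (capped at `cap` seconds), is cleared by a
    successful bind, and is forgotten after `reset_after` seconds of quiet, so the
    gate itself never hard-locks an account."""

    def __init__(self, base=1.0, cap=300.0, reset_after=3600.0, clock=time.monotonic):
        self.base, self.cap, self.reset_after, self.clock = base, cap, reset_after, clock
        self._state = {}  # user -> [failure_count, not_before_timestamp]

    def seconds_until_allowed(self, user):
        st = self._state.get(user)
        return 0.0 if st is None else max(0.0, st[1] - self.clock())

    def record_failure(self, user):
        now = self.clock()
        count, not_before = self._state.get(user, [0, now])
        if now - not_before > self.reset_after:  # old failures have aged out
            count = 0
        count += 1
        delay = min(self.cap, self.base * 2 ** (count - 1))
        self._state[user] = [count, now + delay]
        return delay

    def record_success(self, user):
        self._state.pop(user, None)


def authenticate(user, password, bind, gate, log, src_ip, clock=time.monotonic):
    """Front-end check: while an account is in back-off the password is never
    forwarded to the directory at all; every outcome is logged for later analysis."""
    if gate.seconds_until_allowed(user) > 0:
        log.append((clock(), src_ip, user, "throttled"))
        return False
    if bind(user, password):  # the LDAP simple bind (assumed interface)
        gate.record_success(user)
        log.append((clock(), src_ip, user, "success"))
        return True
    gate.record_failure(user)
    log.append((clock(), src_ip, user, "failure"))
    return False


def low_and_slow_sources(log, window=86400.0, source_min=10):
    """Log analysis for grinding that stays under per-account thresholds: group
    failed binds by source address over `window` seconds and flag sources whose
    failures across *all* accounts reach `source_min`. Returns a sorted list of
    (source_ip, total_failures, distinct_accounts)."""
    if not log:
        return []
    latest = max(ts for ts, *_ in log)
    per_source = defaultdict(lambda: defaultdict(int))
    for ts, src, user, outcome in log:
        if outcome == "failure" and latest - ts <= window:
            per_source[src][user] += 1
    flagged = [(src, sum(a.values()), len(a))
               for src, a in per_source.items() if sum(a.values()) >= source_min]
    return sorted(flagged)


class FakeClock:
    """Constructed clock so the scenario below runs without real sleeps."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    gate = BackoffGate(clock=clock)
    log = []
    directory = {f"user{i}": f"pw{i}-correct" for i in range(10)}  # constructed accounts
    directory["alice"] = "correct horse battery"

    def bind(user, password):  # stand-in for the LDAP simple bind against AD
        return directory.get(user) == password

    # Low-and-slow grinding: two guesses per account, spread across ten accounts,
    # 400 s apart, so each account sees only one failure per hour.
    for guess in ("Summer2007", "Password1"):
        for i in range(10):
            authenticate(f"user{i}", guess, bind, gate, log, "203.0.113.5", clock)
            clock.advance(400)

    # A legitimate user mistypes once, retries immediately (throttled), then waits.
    authenticate("alice", "wrong", bind, gate, log, "198.51.100.7", clock)
    first_retry = authenticate("alice", "correct horse battery", bind, gate, log, "198.51.100.7", clock)
    clock.advance(2)
    second_retry = authenticate("alice", "correct horse battery", bind, gate, log, "198.51.100.7", clock)

    return {
        "first_retry": first_retry,      # False: inside the 1 s back-off, bind never attempted
        "second_retry": second_retry,    # True: back-off expired, correct password accepted
        "flagged": low_and_slow_sources(log),
        "attacker_backoff_user0": gate.seconds_until_allowed("user0"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one in the reply: the per-account back-off alone never escalates against the grinding source (each account's failures age out before the next guess), while the per-source view of the same log surfaces it at once.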

Michael Holstein wrote:
> Let's say one has an application that does a test LDAP bind to 
> authenticate a user to an external application.
> LDAP is on Active Directory.
> I've noticed that LDAP "password failures" do NOT increment the 
> "Incorrect Attempt" counter in AD like ADSI/SMB attempts do.
> How are others preventing "password grinding" against external webapps 
> that use LDAP on the backend (where $backend is AD)?
> Is there some simple registry hack that overcomes this (I checked all 
> the security templates from Microsoft's "hardening" guidelines, and 
> found no solace there).
> (I've googled this extensively, and found no conclusive answer to this, 
> other than to use a "normal" LDAP provider like SunOne, etc).
> Thanks,
> Michael Holstein
> Cleveland State University
