[unisog] AD and LDAP provider (account lockouts)

David Seidl dseidl at nd.edu
Wed Aug 1 19:25:51 GMT 2007


Michael,

I've tended to see this implemented at the web server end of things -
any web application that gets built in house gets appropriate controls
to prevent brute forcing built into it. The web programmers tended to
pick up on the idea and build a standard framework to plug their new
apps into pretty quickly. We also used back-off algorithms to prevent
brute forcing of web apps that needed to do a hard lockout of users
after failed password attempts - typically back-offs would be combined
with log analysis to catch low and slow crack attempts.

The gotcha is third party applications that do not have any sort of
intelligent back-off or retry limitations in them. Your solution then is
limited to log analysis, building something to sit in front, or not
using the application.

David

------------------------------------------------------------
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies

Michael Holstein wrote:
> Let's say one has an application that does a test LDAP bind to 
> authenticate a user to an external application.
> 
> LDAP is on Active Directory.
> 
> I've noticed that LDAP "password failures" do NOT increment the 
> "Incorrect Attempt" counter in AD like ADSI/SMB attempts do.
> 
> How are others preventing "password grinding" against external webapps 
> that use LDAP on the backend (where $backend is AD)?
> Is there some simple registry hack that overcomes this (I checked all 
> the security templates from Microsoft's "hardening" guidelines, and 
> found no solace there).
> 
> (I've googled this extensively, and found no conclusive answer to this, 
> other than to use a "normal" LDAP provider like SunOne, etc).
> 
> Thanks,
> 
> Michael Holstein
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
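Added example, not code from this thread or from either university: a per-account exponential back-off for the web tier, in the spirit of David's reply, beside a log check for the low-and-slow pattern a fixed per-account limit never sees. The class and function names, the log format and the sample log are assumptions made for the example.

```python
from collections import defaultdict

class BindBackoff:
    """Hypothetical web-tier guard: after each failed LDAP bind the account
    must wait base * 2**(n-1) seconds (capped) before the app binds again,
    so the directory's own lockout counter is not relied on at all."""
    def __init__(self, base=1.0, cap=300.0):
        self.base, self.cap = base, cap
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.not_before = {}               # account -> earliest next attempt

    def delay_for(self, n):
        return 0.0 if n == 0 else min(self.cap, self.base * 2 ** (n - 1))

    def may_attempt(self, account, now):
        return now >= self.not_before.get(account, 0.0)

    def record(self, account, ok, now):
        """Record a bind result; return the delay now imposed on the account."""
        if ok:
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            return 0.0
        self.failures[account] += 1
        delay = self.delay_for(self.failures[account])
        self.not_before[account] = now + delay
        return delay

def low_and_slow(lines, window, max_failures, max_accounts):
    """Flag sources whose failures stay under any per-account limit but add
    up over a long window, or spread across many accounts.
    Constructed log format: '<epoch> <source> <account> <ok|fail>'.
    Returns {source: (failures_in_window, distinct_accounts)}."""
    events = defaultdict(list)
    for line in lines:
        ts, src, acct, result = line.split()
        if result == "fail":
            events[src].append((float(ts), acct))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        recent = [e for e in ev if e[0] >= ev[-1][0] - window]
        accounts = {a for _, a in recent}
        if len(recent) > max_failures or len(accounts) > max_accounts:
            flagged[src] = (len(recent), len(accounts))
    return flagged

# Constructed sample: one source fails once per account, 15 minutes apart
# (never trips a per-account counter); another source is a user's typo.
SAMPLE_LOG = [f"{1000 + i * 900} 10.0.0.5 user{i} fail" for i in range(8)]
SAMPLE_LOG += ["1200 10.0.0.9 bob fail", "1260 10.0.0.9 bob ok"]
```

Run `low_and_slow(SAMPLE_LOG, 7200, 5, 3)` over the sample and only 10.0.0.5 is reported, with eight failures across eight accounts inside the two-hour window.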

