When you login to OWA, you essentially log on to the domain you supplied and the logon occurs on the OWA server. The same domain policies apply, you do lock your password after unsuccessful attempts. In your environment maybe the logon does not occur at all. Something may be failing before a logon to the domain actually takes place. Can the user account you tested with actually logon properly with the correct password?
Serdar Soysal -----Original Message----- From: John Matteson [mailto:[EMAIL PROTECTED]] Sent: Friday, April 26, 2002 5:11 PM To: Exchange Discussions Subject: NT Account Lockout using OWA for Exchange 5.5 Good afternoon all: My boss as posed a good question to me and I have not been able to find the answer. The situation is this: We have OWA up for our users under Exchange 5.5. Using IE, the OWA browser interface will kick you out after three failed attempts to provide a proper userid/password combination. When kicked out multiple times using the same userid, the id is not locked in the domain. A security policy states that failed login attempts in excess of x attempts in y minutes will lock the account, but through OWA this does not seem to be happening. The question is this, given enough time, will a cracker be able to bruteforce the login through OWA without locking out the NT account in the domain. Thanks for any help in this. John Matteson; Exchange Manager Geac Corporate Infrastructure Systems and Standards (404) 239 - 2981 >SELECT * FROM users WHERE clue >0 0 rows returned _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
