Running an active event log monitor (Symantec's ITA comes to mind as a quick example) will catch both the brute forcer and the lockouts (regardless of which way you set it up, to lock or not) and respond with some appropriate action to notify you of the happenstance, rather than waiting for an admin to review the logs (n)ever.
(bp)

> On 8/30/06, Renshaw, Rick (C.) <[EMAIL PROTECTED]> wrote:
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dude VanWinkle
>> Sent: Saturday, August 26, 2006 2:30 PM
>> To: Adriel Desautels
>> Cc: [email protected]
>> Subject: Re: [Full-disclosure] Secure OWA
>>
>> > The only real fault I know about is the fact that you can guess passwords
>> > eternally without locking out user accounts.
>>
>> There are two sides to this risk. If you allow OWA logins to lock out
>> accounts, and your OWA page is available from anywhere on the Internet, you
>> are handing an easy DoS tool to anyone that knows the account names for
>> people on your server.
>
> Perhaps. But a temporary lockout period would deter brute-force
> attempts while still making an attacker do some work to keep the
> accounts locked (e.g., if you have a lockout of 5 minutes, brute forcing
> is no longer practical, but at the same time, if you want to DoS
> someone's account you have to keep coming back every 5 minutes. And
> that increases the risk you'll get caught.)
>
> -Brendan
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
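The trade-off argued in the thread (no lockout: unlimited guessing; permanent lockout: a DoS tool for anyone who knows account names; temporary lockout: a middle ground, with a log monitor to catch whoever is doing it) can be made concrete with a small model. The code below is an added example written for this page; it is not from the thread, from Exchange/OWA, or from Symantec ITA. It assumes a hypothetical `LoginGate` that checks passwords against a dict, counts failures inside a sliding window, locks an account for `duration` seconds (or until an admin unlocks it when `duration` is 0), and keeps the event stream a log monitor would consume; the IP addresses are constructed sample values. Running the same 50-guess attack under both policies shows that the temporary lockout limits the attacker to `threshold` evaluated guesses per window and lets the victim back in once the window passes, while the permanent lockout leaves the account dead until someone notices; in both cases the monitor's per-source rule flags the attacker.

```python
"""Added example: a toy model of the lockout trade-off argued in the thread.

Illustration code written for this page, not anything from the thread,
from Exchange/OWA, or from Symantec ITA. Times are plain seconds, the
credential store is a dict, and the IP addresses are constructed sample
values from the RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set


@dataclass
class LockoutPolicy:
    threshold: int = 5   # failures inside `window` that trigger a lock
    window: int = 300    # seconds over which failures are counted
    duration: int = 300  # lock length in seconds; 0 = locked until an admin unlocks


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)
    locked_until: Optional[float] = None  # None = not locked, inf = permanent


class LoginGate:
    """Hypothetical login front end: authenticates under a LockoutPolicy
    and records the events a log monitor would see."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.creds = credentials
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)
        self.failed_by_source: Dict[str, int] = defaultdict(int)
        self.events = []  # (time, kind, user, source)

    def _record(self, t: float, kind: str, user: str, src: str) -> None:
        self.failed_by_source[src] += 1
        self.events.append((t, kind, user, src))

    def attempt(self, t: float, user: str, password: str, src: str) -> str:
        st = self.accounts[user]
        if st.locked_until is not None and t < st.locked_until:
            # Locked: the guess is not checked at all, so it tells the attacker nothing.
            self._record(t, "LOCKED_REJECT", user, src)
            return "locked"
        if self.creds.get(user) == password:
            st.failures.clear()
            st.locked_until = None
            return "ok"
        st.failures.append(t)
        while st.failures and t - st.failures[0] > self.policy.window:
            st.failures.popleft()  # forget failures older than the window
        self._record(t, "FAIL", user, src)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = (float("inf") if self.policy.duration == 0
                               else t + self.policy.duration)
            st.failures.clear()
            self.events.append((t, "LOCKOUT", user, src))
            return "locked"
        return "fail"


def brute_force_sources(gate: LoginGate, min_failures: int = 10) -> Set[str]:
    """The monitor's alert rule: any source with too many failed or rejected logins."""
    return {src for src, n in gate.failed_by_source.items() if n >= min_failures}


def run_scenario(policy: LockoutPolicy) -> dict:
    """One attacker fires 50 guesses at 'alice' in 50 s; alice then tries to log in."""
    gate = LoginGate(policy, {"alice": "correct horse battery staple"})
    attacker, alice_ip = "203.0.113.5", "198.51.100.7"  # constructed sample addresses
    for i in range(50):
        gate.attempt(i, "alice", f"guess{i}", attacker)
    evaluated = sum(1 for e in gate.events if e[1] == "FAIL")
    rejected = sum(1 for e in gate.events if e[1] == "LOCKED_REJECT")
    return {
        "evaluated_guesses": evaluated,  # guesses that actually reached the password check
        "rejected_while_locked": rejected,
        "alice_at_100s": gate.attempt(100, "alice", "correct horse battery staple", alice_ip),
        "alice_at_305s": gate.attempt(305, "alice", "correct horse battery staple", alice_ip),
        "alice_at_10000s": gate.attempt(10000, "alice", "correct horse battery staple", alice_ip),
        "alerted_sources": brute_force_sources(gate),
    }


if __name__ == "__main__":
    print("temporary lockout:", run_scenario(LockoutPolicy(duration=300)))
    print("permanent lockout:", run_scenario(LockoutPolicy(duration=0)))
```

With the 5-minute policy only the first 5 of the 50 guesses are evaluated, alice is refused at 100 s but logs in normally at 305 s, and the attacker would have to return every window to keep her out, each return adding to the per-source count the monitor alerts on. With `duration=0` the same five guesses lock alice out indefinitely, which is exactly the DoS the thread warns about.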
