On 8/30/06, Renshaw, Rick (C.) wrote:
> There's two sides to this risk. If you allow OWA logins to lock out accounts, and your OWA page is available from anywhere on the Internet, you are handing an easy DOS tool to anyone that knows the account names for people on your server.
I think a possibly better approach, although it doesn't seem like you could implement it quite as simply as account lockouts, would be to lock out, not the account, but the originating IP address, for a duration. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
