Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] Secure OWA

from [Renshaw, Rick \(C.\)] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] Secure OWA
Date: Wed, 30 Aug 2006 11:00:18 -0400 
-----Original Message-----
From: Brendan Dolan-Gavitt [mailto:mooyix@gmail.com] 
Sent: Wednesday, August 30, 2006 9:58 AM
To: Renshaw, Rick (C.)
Cc: Dude VanWinkle; Adriel Desautels; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Secure OWA


On 8/30/06, Renshaw, Rick (C.) <rrenshaw@ford.com> wrote:



-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Dude 
VanWinkle
Sent: Saturday, August 26, 2006 2:30 PM
To: Adriel Desautels
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Secure OWA


The only real fault I know about is the fact that you can guess 
passwords

eternally without locking out user accounts.

There's two sides to this risk.  If you allow OWA logins to lock out 
accounts, and your OWA page is available from anywhere on the 
Internet, you are handing an easy DOS tool to anyone that knows the 
account names for people on your server.




Perhaps. But a temporary lockout period would deter brute-force attempts
while still making an attacker do some work to keep the accounts locked
(eg, if you have a lockout of 5 minutes, brute forcing is no longer 
practical, but at the same time, if you want to DoS someone's account 
you have to keep coming back every 5 minutes. And that increases the 
risk you'll get caught.)



-Brendan


My point was not matter which way you go on this issue, there is some risk.
The only thing that you can do is balance one risk against the other and
find the point where you feel comfortable with the risks.  You could
implement something like an exponential backoff wait between failed logins
without lockouts, which would make it more difficult to brute-force the
account, but there are ways around that too.  At the end of the day, you
have to pick which risk you are more comfortable dealing with, brute-force
attacks or DOS attacks.  Personally, I'd take the DOS, because it's better
than allowing passwords to be brute-forced (in my mind).

Rick

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Re: Re: George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment, cardoso
Next by Date:  Re: [Full-disclosure] Secure OWA, Bardus Populus
Previous by Thread:  Re: [Full-disclosure] Secure OWA, Brian Eaton
Next by Thread:  RE: [Full-disclosure] Secure OWA, Fetch, Brandon
Indexes:  [Date] [Thread] [Top] [All Lists]