Active Directory management & automation

Prevent Brute Force Attacks

A brute force attack is the simplest, yet effective, way of gaining access to secured data: the attacker tries username and password combinations over and over again. Since password policies applied in Active Directory often lock an account after a certain number of failed login attempts, an attacker can also pursue another goal: locking out AD user accounts, especially important system and administrative accounts.

For the reasons mentioned above, it is very important to protect your Active Directory from brute force attacks, especially when you make it accessible from the outside by installing Adaxes Web Interface in the DMZ. In this tutorial, you will learn how to configure protection against brute force attacks aimed at the Web Interface.

On the computer where the Web Interface is installed, start the Web Interface Customization tool.


In the Interface type drop-down list, select the Web Interface that you want to configure.


Activate the Sign In tab.

Click Configure Protection Options.

Configure the brute force protection options in the dialog box that appears.

  • Enable brute force attack protection - Enables or disables protection against brute force login attempts.
  • Show captcha - When this option is enabled, the Web Interface will force users to solve a captcha (word verification image) after a certain number of failed login attempts. The number of login attempts is specified in the associated edit box.
  • Delay response - When this option is enabled, after a certain number of failed login attempts, the Web Interface will delay the response by several seconds. The number of login attempts is specified in the associated edit box.
  • When a login error occurs, do not show the reason and the number of login attempts left - By default, when a user provides invalid credentials, the Web Interface shows the reason why the login attempt failed and the number of login attempts left as allowed by the Active Directory password policy applied to the user. When this option is enabled, such information is not displayed.
  • Ask security question - When this option is enabled, the Web Interface will force users to answer a question when they enter invalid credentials a certain number of times. The number of login attempts is specified in the associated edit box. In the Question and Answer fields located below the option, you need to specify a question that will be used to verify a user's identity, and a valid answer.

As an answer, you can specify a certain word or phrase known to users, for example, the name of the street where your company's headquarters is located. Alternatively, you can use value references (e.g. %department%) to specify an answer that will be specific to each user. Value references will be replaced with the values of the corresponding properties of the user accounts. For example, if you specify %department%, users will need to enter the name of their department specified in Active Directory to answer the question.

More examples

  • %adm-ManagerFullName% - users will need to enter the full name of their manager.
  • %extensionAttribute1% - users will need to specify the text stored in the Extension Attribute 1 property of their user account.
  • %employeeID%,%telephoneNumber,6% - users will need to provide their employee ID and the first 6 digits of their telephone number separated by a comma.

If you use a value reference for an answer, and the corresponding property of a user is not specified in AD, an empty answer will be accepted as correct.
When finished, click OK, and then Apply.


Protection Against Massive Brute Force Attacks

Each failed attempt to log in to the Web Interface is tracked by Adaxes. If the number of failed login attempts exceeds a certain threshold within a short period of time, Adaxes adds an additional delay each time a user tries to log in, which makes further brute force login attempts less efficient.

How do I find the IP addresses from which suspicious activity originated?

As soon as the threshold is reached, a warning containing the IP addresses of the hosts from which most of the suspicious activity originated is logged in the Adaxes Event Log. Warning sample:

Too many failed login attempts to Web Interface SelfService. To protect you from a possible brute force attack, all subsequent login attempts will be processed with a delay.
The most of failed login attempts originated from the following IPs:
fe80::1dbd:465e:5fe6:3ea4%5
106.22.56.42
2001::db8::a0b::12f0::2255
...

How to access the log:

  • Open the Event Viewer on the computer where the Web Interface is installed (press Win+R, type eventvwr.msc, and press Enter).
  • In the Event Viewer console tree, locate and click the item called Adaxes.

If a failed login attempt was accidental, that is, the same username, password or IP address has no further failed logins within a certain time period, Adaxes removes it from the tracking system and no longer takes it into account.
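The following Python model is an added example, not Adaxes code: it reproduces the tracking behaviour described in this section (count failed logins, answer every login with a delay once the count passes the limit, log a warning listing the source IPs with the most failures, and drop "accidental" failures at each cleanup run). The three constructor arguments mirror the Web.config attributes documented below. Several details are assumptions of this model: the delay is triggered when the count exceeds the limit, the warning lists the three most frequent IPs, the delay is never lifted (the page does not say when it is), and attempts are matched only on username and source IP, not on the password, so that no password material is kept in memory.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class FailedAttempt:
    username: str
    ip: str
    time: float  # seconds on a clock supplied by the caller


class BruteForceTracker:
    """Model of the failed-login tracking described above.

    Hypothetical implementation, not Adaxes code. The constructor arguments
    mirror the three Web.config attributes documented on this page.
    """

    def __init__(self, warning_limit=10_000, idle_lifetime_min=30,
                 cleanup_period_min=30, interface_name="SelfService"):
        self.warning_limit = warning_limit             # invalidLoginWarningLimit
        self.idle_lifetime = idle_lifetime_min * 60    # invalidAttemptIdleLifetime
        self.cleanup_period = cleanup_period_min * 60  # invalidAttemptsCleanupPeriod
        self.interface_name = interface_name
        self.attempts = []          # tracked (non-accidental) failed attempts
        self.last_cleanup = 0.0
        self.delay_enabled = False  # once set, every login is answered with a delay
        self.warnings = []          # text that would go to the Adaxes event log

    def record_failure(self, username, ip, now):
        """Record one failed login; returns True if logins are now delayed."""
        self._maybe_cleanup(now)
        self.attempts.append(FailedAttempt(username, ip, now))
        if not self.delay_enabled and len(self.attempts) > self.warning_limit:
            self.delay_enabled = True
            self.warnings.append(self._build_warning())
        return self.delay_enabled

    def top_source_ips(self, top=3):
        """IPs with the most tracked failures, most frequent first (top=3 is an assumption)."""
        return [ip for ip, _ in Counter(a.ip for a in self.attempts).most_common(top)]

    def _is_accidental(self, attempt, now):
        # Accidental: the idle window has elapsed and no other failure with the
        # same username or the same source IP happened inside that window.
        window_end = attempt.time + self.idle_lifetime
        if now < window_end:
            return False
        return not any(
            other is not attempt
            and attempt.time < other.time <= window_end
            and (other.username == attempt.username or other.ip == attempt.ip)
            for other in self.attempts
        )

    def _maybe_cleanup(self, now):
        # Runs at most once per cleanup period; the O(n^2) scan is fine for a model.
        if now - self.last_cleanup < self.cleanup_period:
            return
        self.last_cleanup = now
        self.attempts = [a for a in self.attempts if not self._is_accidental(a, now)]

    def _build_warning(self):
        lines = [
            f"Too many failed login attempts to Web Interface {self.interface_name}. "
            "To protect you from a possible brute force attack, all subsequent "
            "login attempts will be processed with a delay.",
            "The most of failed login attempts originated from the following IPs:",
            *self.top_source_ips(),
        ]
        return "\n".join(lines)


def simulate():
    """Constructed scenario: one typo by a legitimate user, then a password spray
    from two addresses 20 minutes later. Limits are lowered to keep it small."""
    tracker = BruteForceTracker(warning_limit=20, idle_lifetime_min=15, cleanup_period_min=15)
    tracker.record_failure("alice", "10.0.0.5", now=0)  # accidental typo, expires at cleanup
    for i in range(15):
        tracker.record_failure(f"user{i}", "203.0.113.7", now=20 * 60 + i)
    for i in range(10):
        tracker.record_failure(f"user{i}", "198.51.100.9", now=20 * 60 + 100 + i)
    return tracker


if __name__ == "__main__":
    t = simulate()
    print(t.warnings[0] if t.warnings else "no warning raised")
```

In the scenario, Alice's single failure is dropped at the first cleanup because nothing related followed it within the idle window, so it never counts toward the limit; the spray from the two addresses crosses the limit on the 21st tracked failure and the warning names the two source IPs in order of volume.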

You can configure the following:

Change the number of failed logins that trigger the delay

The default number of login attempts is 10,000. To change it:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidLoginWarningLimit attribute to the XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, the additional delay will be added after 1,000 unsuccessful login attempts.
    <configuration>
      ...
      <softerra.adaxes>
        ...
        <web.ui ...>
          ...
          <bruteForceProtection ... invalidLoginWarningLimit="1000" />
    

Change the time period after which a failed login is considered to be accidental

By default, a failed login attempt is considered accidental if there are no more failed logins with the same username, password or originating from the same IP address within 30 minutes. To change the time period:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidAttemptIdleLifetime attribute to the XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, an attempt will be considered accidental after 15 minutes.
    <configuration>
      ...
      <softerra.adaxes>
        ...
        <web.ui ...>
          ...
          <bruteForceProtection ... invalidAttemptIdleLifetime="15" />
    

Change how often accidental failed logins are removed from the system

By default, accidental failed login attempts are removed every 30 minutes. To change the schedule:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidAttemptsCleanupPeriod attribute to the XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, accidental failed logins will be removed every 15 minutes.
    <configuration>
      ...
      <softerra.adaxes>
        ...
        <web.ui ...>
          ...
          <bruteForceProtection ... invalidAttemptsCleanupPeriod="15" />
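The three procedures above all edit the same bruteForceProtection element by hand. As an added example that is not Adaxes code, the Python below applies any of the three documented attributes to a Web.config document, creating the element under softerra.adaxes\web.ui if it is missing and refusing attribute names the page does not document or values that are not positive integers, so a typo cannot silently produce an attribute the Web Interface ignores. The sample Web.config text is constructed for the example and only mirrors the element path given on this page; the real file contains much more.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors only the element path the page documents.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <softerra.adaxes>
    <web.ui>
      <bruteForceProtection enabled="true" />
    </web.ui>
  </softerra.adaxes>
</configuration>
"""

# Path of the element below <configuration>, as given on the page.
BRUTE_FORCE_PATH = ("softerra.adaxes", "web.ui", "bruteForceProtection")

# Only the attributes documented on the page are accepted; all three take a
# positive integer (a count of attempts, or a number of minutes).
KNOWN_ATTRIBUTES = (
    "invalidLoginWarningLimit",
    "invalidAttemptIdleLifetime",
    "invalidAttemptsCleanupPeriod",
)


def _child(node, tag):
    """First direct child with the given tag, or None (avoids XPath parsing of dotted tags)."""
    return next((c for c in node if c.tag == tag), None)


def _find_or_create(root):
    node = root
    for tag in BRUTE_FORCE_PATH:
        child = _child(node, tag)
        if child is None:
            child = ET.SubElement(node, tag)  # element missing: create it
        node = child
    return node


def set_brute_force_options(xml_text, **options):
    """Return xml_text with the given bruteForceProtection attributes set.

    Raises ValueError for unknown attribute names or non-positive values, so a
    misspelled name is never written into the file.
    """
    for name, value in options.items():
        if name not in KNOWN_ATTRIBUTES:
            raise ValueError(f"unknown bruteForceProtection attribute: {name}")
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("root element is not <configuration>")
    node = _find_or_create(root)
    for name, value in options.items():
        node.set(name, str(value))
    return ET.tostring(root, encoding="unicode")


def read_brute_force_options(xml_text):
    """Attributes currently set on the bruteForceProtection element ({} if absent)."""
    node = ET.fromstring(xml_text)
    for tag in BRUTE_FORCE_PATH:
        node = _child(node, tag)
        if node is None:
            return {}
    return dict(node.attrib)


if __name__ == "__main__":
    updated = set_brute_force_options(
        SAMPLE_WEB_CONFIG,
        invalidLoginWarningLimit=1000,
        invalidAttemptIdleLifetime=15,
        invalidAttemptsCleanupPeriod=15,
    )
    print(read_brute_force_options(updated))
```

To use it on a server, read the Web.config file into a string, pass the result back to the file, and keep a copy of the original first: ElementTree re-serializes the whole document, so whitespace and the XML declaration will differ from the hand-written file even though every element and attribute is preserved. Review the diff before you rely on it.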
            