A brute force attack is the simplest, yet effective, way of gaining access to secured data: an attacker tries username and password combinations over and over again until one works. Since password policies applied in Active Directory often lock an account after a certain number of failed login attempts, an attacker can also pursue a different goal: deliberately locking out AD user accounts, which is a denial of service against legitimate users.
For these reasons, it is very important to protect your Active Directory from brute force attacks, especially when you have a Web Interface accessible from the outside (for example, from the Internet). In this tutorial, you will learn how to configure protection against brute force attacks for the Adaxes Web Interface.
Open Adaxes Web Interface Configurator.
The permissions to configure the Web Interface are delegated via Security Roles. By default, only Service Administrators have the appropriate rights. To enable other users to configure the Web Interface, grant them the corresponding permissions.
In the top left corner, select the Web Interface you want to customize.
By default, all Web Interfaces use the Sign In settings of the Common Sign In page. If you want a particular Web Interface to have different settings, select it in the list. Otherwise, select Common Sign In.
In the left navigation menu, click Sign In.
Scroll down to the Brute Force Protection section.
Configure the following options:
Show captcha
When this option is enabled, the Web Interface will force users to solve a captcha (word verification image) after a certain number of failed login attempts.
Delay the response
When this option is enabled, after a certain number of failed login attempts, the Web Interface delays its responses to login requests by several seconds. A legitimate user pays this delay once or twice; an automated guessing tool pays it on every attempt, which multiplies the time a brute force run takes.
Ask security question
When this option is enabled, the Web Interface asks users to answer a question when they enter invalid credentials a certain number of times. In the Question and Answer fields located below the option, specify the question and its answer.
As an answer, you can specify a word or phrase known to users, for example the name of the street where your company's headquarters is located. Alternatively, you can use value references (e.g. %department%) to specify an answer that is specific to each user. Value references are replaced with the corresponding property values of the user account: if you specify %department%, users must enter the name of their department as specified in Active Directory to answer the question. Keep in mind that such answers are low-entropy and often guessable by anyone familiar with your organization, so treat the security question as additional friction for automated tools, not as a second authentication factor.
When a login error occurs, do not show the reason and the number of login attempts left
By default, when a user provides invalid credentials, the Web Interface shows the reason why the login attempt failed and the number of login attempts left according to the Active Directory password policy applied to the user. When this option is enabled, this information is not displayed. Enabling it is recommended for an externally accessible Web Interface: a specific failure reason lets an attacker distinguish valid usernames from non-existent ones (username enumeration), and the remaining-attempts counter tells them exactly how many guesses they can make per account without triggering a lockout.
Each failed attempt to log in to the Web Interface is tracked by Adaxes. If the number of failed login attempts exceeds a certain threshold within a short period of time, Adaxes adds an additional delay each time a user tries to log in, which makes further brute force attempts less efficient. Note that the delay is applied to all subsequent login attempts, not only to those coming from the offending hosts.
As soon as the threshold is reached, a warning listing the IP addresses of the hosts from which most of the suspicious activity originated is logged in the Adaxes Event Log. Warning sample:
Too many failed login attempts to Web Interface SelfService. To protect you from a possible
brute force attack, all subsequent login attempts will be processed with a delay.
The most of failed login attempts originated from the following IPs:
fe80::1dbd:465e:5fe6:3ea4%5
106.22.56.42
2001::db8::a0b::12f0::2255
...
How to access the log.
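As an added example (not part of the Adaxes documentation or product), the following Python script parses a warning of the shape shown above and turns the listed addresses into something a SIEM rule or a firewall block list can consume. The input text is constructed here to match the sample. The zone index (%5) on the link-local address is stripped, because it only identifies an interface on the logging host; the third address in the sample contains more than one "::" and is therefore not a valid IPv6 address, so the script reports it instead of silently passing it on. Addresses that are not globally routable (link-local, private, loopback) are kept separate, since they point at a source inside your own network rather than an Internet host.

```python
import ipaddress
import re

# Constructed input in the shape of the warning described on this page (not a
# real log capture). The zone index "%5" and the malformed third address are
# kept on purpose to exercise the normalisation and error handling.
SAMPLE_WARNING = """Too many failed login attempts to Web Interface SelfService. To protect you from a possible
brute force attack, all subsequent login attempts will be processed with a delay.
The most of failed login attempts originated from the following IPs:
fe80::1dbd:465e:5fe6:3ea4%5
106.22.56.42
2001::db8::a0b::12f0::2255
...
"""

# Permissive match for a line holding one address (IPv4 dotted quad or IPv6
# hex groups), optionally followed by a %zone index. Real validation is left
# to the ipaddress module.
_ADDRESS_LINE = re.compile(r"^\s*([0-9A-Fa-f:.]+)(%[A-Za-z0-9]+)?\s*$")


def extract_source_ips(warning: str) -> dict:
    """Split the addresses listed in a warning into public, internal and invalid.

    Returns {"public": [...], "internal": [...], "invalid": [...]} with
    duplicates removed and valid addresses in canonical (compressed) form.
    """
    result = {"public": [], "internal": [], "invalid": []}
    seen = set()
    for line in warning.splitlines():
        match = _ADDRESS_LINE.match(line)
        if not match:
            continue  # prose line of the warning
        token = match.group(1)
        if not re.search(r"[0-9A-Fa-f]", token):
            continue  # the "..." truncation marker at the end of the list
        # The zone index (match.group(2)) names an interface on the logging
        # host; it carries no meaning for a firewall or SIEM, so it is dropped.
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            result["invalid"].append(token)  # e.g. more than one "::" in IPv6
            continue
        if addr in seen:
            continue
        seen.add(addr)
        # Link-local, private and loopback sources are inside your network;
        # investigate or block them separately from Internet hosts.
        bucket = "public" if addr.is_global else "internal"
        result[bucket].append(str(addr))
    return result


if __name__ == "__main__":
    for bucket, addrs in extract_source_ips(SAMPLE_WARNING).items():
        print(f"{bucket}: {', '.join(addrs) or '-'}")
```

Feed the "public" list to your perimeter block list or SIEM watchlist; an entry in "internal" usually means a compromised or misconfigured host on your own network and deserves an investigation rather than a firewall rule, and anything in "invalid" should be looked at by hand before it is acted on.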
If a failed login attempt was accidental (for example, a mistyped password) and no further failed attempts for the same username, password or IP address occur within a certain period of time, Adaxes removes it from the tracking system, so a single typo does not bring the Web Interface closer to the threshold.
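The tracking, delay and expiry behaviour described in the two paragraphs above, as an added illustration in Python (not Adaxes code; the threshold of 10 failures, the 300-second window, the 3-second delay and the sample failure events are assumptions chosen for the example, and the tracker keys failures on username and IP only, without recording submitted passwords): failures live in a sliding window, the delay applies to every login once the threshold is reached, the hosts responsible for most failures can be listed for a warning, and entries older than the window drop out of tracking.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class FailedLoginTracker:
    """Sliding-window tracker for failed Web Interface logins.

    Illustration of the mechanism described on this page, not Adaxes code.
    The threshold, window and delay are assumed values.
    """
    threshold: int = 10            # failures inside the window that trigger the delay
    window_seconds: float = 300.0  # how long a failure stays in the tracking system
    delay_seconds: float = 3.0     # extra delay added to every login once triggered
    web_interface: str = "SelfService"
    _failures: deque = field(default_factory=deque, repr=False)  # (timestamp, username, ip)

    def _prune(self, now: float) -> None:
        # Failures older than the window drop out of tracking, so a lone typo
        # with no follow-up attempts never contributes to the threshold.
        while self._failures and now - self._failures[0][0] > self.window_seconds:
            self._failures.popleft()

    def record_failure(self, username: str, ip: str, now: float) -> None:
        self._prune(now)
        self._failures.append((now, username, ip))

    def is_active(self, now: float) -> bool:
        self._prune(now)
        return len(self._failures) >= self.threshold

    def login_delay(self, now: float) -> float:
        # Once the threshold is reached every login is delayed, not only those
        # from the offending IPs; that is what makes automated guessing slow.
        return self.delay_seconds if self.is_active(now) else 0.0

    def top_ips(self, now: float, limit: int = 3) -> list:
        self._prune(now)
        counts = Counter(ip for _, _, ip in self._failures)
        return [ip for ip, _ in counts.most_common(limit)]

    def warning(self, now: float) -> str:
        # Carries the same information as the warning Adaxes writes to its event log.
        header = (f"Too many failed login attempts to Web Interface {self.web_interface}. "
                  "All subsequent login attempts will be processed with a delay.")
        return "\n".join([header, "Most failed attempts originated from:"] + self.top_ips(now))


def simulate() -> dict:
    """Constructed scenario: one host sprays two accounts, a second host adds a
    few guesses, and one internal user mistypes a password once."""
    tracker = FailedLoginTracker()
    events = [(t, "alice", "203.0.113.7") for t in range(0, 6)]
    events += [(t, "bob", "203.0.113.7") for t in range(6, 9)]
    events += [(9, "carol", "198.51.100.22"), (10, "dave", "fe80::1dbd:465e:5fe6:3ea4"),
               (11, "erin", "198.51.100.22")]
    out = {}
    for now, user, ip in events:
        if now == 5:
            out["delay_before"] = tracker.login_delay(now)  # five failures so far: below threshold
        tracker.record_failure(user, ip, now)
    out["delay_after"] = tracker.login_delay(11)          # twelve failures in the window: delay active
    out["top_ips"] = tracker.top_ips(11)
    out["warning"] = tracker.warning(11)
    out["delay_after_expiry"] = tracker.login_delay(400)  # window elapsed: back to normal
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The window and threshold decide how aggressive the protection is: a short window with a low threshold reacts quickly to a spray but also trips on a busy morning of typos, while a long window with a high threshold is tolerant of users but gives an attacker more free guesses before the delay kicks in. Whatever values you choose, the delay itself is global, so the top-IP list is what tells you where to aim the follow-up.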