Active Directory management & automation

Tutorials

Prevent Brute Force Attacks

A brute force attack is the simplest, yet efficient way of gaining access to secured data by trying various username and password combinations over and over again. Since password policies applied in Active Directory often include locking an account after a certain number of failed login attempts, another goal that an attacker can pursue is to lock out AD user accounts, especially important system and administrative accounts.

For the reasons mentioned above, it is very important to protect your Active Directory from brute force attacks, especially, when you make it accessible from the outside by installing Adaxes Web Interface in the DMZ. In this tutorial, you will learn how to configure protection against brute force attacks aimed at the Web Interface.

On the computer, where the Web Interface is installed, start the Web Interface Customization tool.


In the Interface type drop-down list, select the Web Interface that you want to configure.


Activate the Sign In tab.

Click Configure Protection Options.

Configure the brute force protection options in the dialog box that appears.

Option Description
Enable brute force attack protection Enables or disables protection against brute force login attempts.
Show captcha When this option is enabled, the Web Interface will force users to solve a captcha (word verification image) after a certain number of failed login attempts. The number of login attempts is specified in the associated edit box.
Delay response When this option is enabled, after a certain number of failed login attempts, the Web Interface will delay the response by several seconds. The number of login attempts is specified in the associated edit box.
When a login error occurs, do not show the reason and the number of login attempts left By default, when a user provides invalid credentials, the Web Interface shows a reason why a login attempt failed and the number of login attempts left as allowed by the Active Directory password policy applied to the user. When this option is enabled, such information is not displayed.
Ask security question

When this option is enabled, the Web Interface will force users to answer a question when they enter invalid credentials for a certain number of times. The number of login attempts is specified in the associated edit box. In the Question and Answer fields located below the option, you need to specify a question that will be used to verify a user's identity, and a valid answer.

As an answer, you can specify a certain word or phrase known to users, for example, the name of the street where your company's headquarters is located. Alternatively, you can use value references (e.g. %department%) to specify an answer that will be specific to each user. Value references will be replaced with the values of the corresponding properties of the user accounts. For example, if you specify %department%, users will need to enter the name of their department specified in Active Directory to answer the question.

More examples

  • %adm-ManagerFullName% - users will need to enter the full name of their manager.
  • %extensionAttribute1% - users will need to specify the text stored in the Extension Attribute 1 property of their user account.
  • %employeeID%,%telephoneNumber,6% - users will need to provide their employee ID and the first 6 digits of their telephone number separated by a comma.

If you use a value reference for an answer, and the corresponding property of a user is not specified in AD, an empty answer will be accepted as correct.
When finished, click OK, and then Apply.

Protection Against Massive Brute Force Attacks

Each failed attempt to login to the Web Interface is tracked by Adaxes. If the number of failed login attempts exceeds a certain threshold within a short period of time, to make further brute force login attempts less efficient, Adaxes adds an additional delay each time a user tries to log in.

How do I know the IP addresses from where suspicious activity originated?

As soon as the threshold is reached, a warning containing IP addresses of the hosts from where the most of suspicious activity originated is logged in Adaxes Event Log. Warning sample:

Too many failed login attempts to Web Interface SelfService. To protect you from a possible brute force attack, all subsequent login attempts will be processed with a delay.
The most of failed login attempts originated from the following IPs:
fe80::1dbd:465e:5fe6:3ea4%5
106.22.56.42
2001::db8::a0b::12f0::2255
...

How to access the log.

  • Open the Event Viewer on the computer where the Web Interface is installed.

    How

    • Press Win+R.
    • Type eventvwr.msc.
    • Press Enter.
  • In the Event Viewer console tree, locate and click the item called Adaxes.

If a failed login attempt was accidental, and the same username, password or IP address do not have any more failed logins within a certain time period, Adaxes removes it from the tracking system and does not take it into account any more.

You can configure the following:

Change the number of failed logins that trigger the delay

The default number of login attempts is 10,000. To change it:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidLoginWarningLimit attribute to XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, additional delay will be added after 1,000 unsuccessful login attempts. 
    <configuration>
  ...
  <softerra.adaxes>
    ...
    <web.ui ...>
      ...
      <bruteForceProtection ... invalidLoginWarningLimit="1000" />

Change the time period after which a failed login is considered to be accidental

By default, a failed login attempt is considered accidental if there are no more failed logins with the same username, password or originating from the same IP address within 30 minutes. To change the time period:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidAttemptIdleLifetime attribute to XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, an attempt will be considered to be accidental after 15 minutes. 
    <configuration>
  ...
  <softerra.adaxes>
    ...
    <web.ui ...>
      ...
      <bruteForceProtection ... invalidAttemptIdleLifetime="15" />

Change how often accidental failed logins are removed from the system

By default, accidental failed login attempts are removed each 30 minutes. To change the schedule:

  • Close the Web Interface Customization tool.
  • Locate the Web.config file on the computer where the Web Interface is installed. By default, it is located in folder C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>.
  • Open the Web.config file with a text editor.
  • Add the invalidAttemptsCleanupPeriod attribute to XML element configuration\softerra.adaxes\web.ui\bruteForceProtection. In the example below, accidental failed logins will be removed each 15 minutes. 
    <configuration>
  ...
  <softerra.adaxes>
    ...
    <web.ui ...>
      ...
      <bruteForceProtection ... invalidAttemptsCleanupPeriod="15" />
back to top

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Allow managers to manage their teams
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs
Grant permissions to perform Exchange tasks
Grant permissions to perform Office 365 management tasks

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailbox creation for new users
Automate Exchange mailbox configuration
Automatically assign Office 365 Licenses
Automatically enable users for Lync
Schedule tasks for AD management
Automatically set profile path for Remote Desktop Services
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating user full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for new users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Remote Desktop Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning
Manage and automate Office 365
Group AD objects based on logged in user

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Configure Exchange tasks
Configure password reset
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Customize Help and Support links
Prevent brute force attacks

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts
Request approval for Self-Password Reset
? Waiting

Progress status: Checking...

Information

Open Live Demo