Prevent Brute Force Attacks


A brute force attack is the simplest, yet efficient way of gaining access to secured data by trying various username and password combinations over and over again. Since password policies applied in Active Directory often include locking an account after a certain number of failed login attempts, another goal that an attacker can pursue is to lock out AD user accounts.

For the reasons mentioned above, it is very important to protect your Active Directory from brute force attacks, especially, when you have a Web Interface accessible from the outside. In this tutorial, you will learn how to configure protection against brute force attacks for the Web Interface.

  1. Open Adaxes Web Interface Configurator.

    • On a computer, where Web Interface Configurator is installed, open the Start menu.
    • On the Start menu, select Adaxes Web Interface Configurator.

    The permissions to configure the Web Interface are delegated via Security Roles. By default, only Service Administrators have the appropriate rights. To enable other users to configure the Web Interface, grant them the corresponding permissions.

    • In Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.
    • Enter a name for the new Security Role and click Next.
    • On the Permissions page, click the arrow inside the Add button and select Configure Web Interface.
    • Click Next and follow the steps in the wizard.
  2. In the top left corner, select the Web Interface you want to customize.

    By default, all Web Interfaces use the Sign In settings of the Common Sign In page. If you want a particular Web Interface to have different settings, select it in the list. Otherwise, select Common Sign In.

  3. In the left navigation menu, click Sign In.

  4. Scroll down to the Brute Force Protection section.

    Configure the following options:

    • Show captcha

      When this option is enabled, the Web Interface will force users to solve a captcha (word verification image) after a certain number of failed login attempts.

    • Delay the response

      When this option is enabled, after a certain number of failed login attempts, the Web Interface will delay the responses by several seconds.

    • Ask security question

      When this option is enabled, the Web Interface will ask users to answer a question when they enter invalid credentials for a certain number of times. In the Question and Answer fields located below the option, you need to specify a question and the answer.

      As an answer, you can specify a certain word or phrase known to users, for example, the name of the street where your company's headquarters is located. Alternatively, you can use value references (e.g. %department%) to specify an answer that will be specific to each user. Value references will be replaced with corresponding property values of the user account. For example, if you specify %department%, users will need to enter the name of their department specified in Active Directory to answer the question.

      • %adm-ManagerFullName% - users will need to enter the full name of their manager.
      • %extensionAttribute1% - users will need to specify the text stored in the Extension Attribute 1 property of their account.
      • %employeeID%%telephoneNumber,6% - users will need to provide their employee ID and the first 6 digits of their telephone number.

      If you use a value reference as the answer, and the corresponding property of the user account is empty, no answer will be accepted as correct.
    • When a login error occurs, do not show the reason and the number of login attempts left

      By default, when a user provides invalid credentials, the Web Interface shows a reason why a login attempt failed and the number of login attempts left according to the Active Directory password policy applied to the user. When this option is enabled, such information is not displayed.

  5. Save the changes.

Tracking

Each failed attempt to login to the Web Interface is tracked by Adaxes. If the number of failed login attempts exceeds a certain threshold within a short period of time, to make further brute force login attempts less efficient, Adaxes adds an additional delay each time a user tries to log in.

As soon as the threshold is reached, a warning containing IP addresses of the hosts from where the most of suspicious activity originated is logged in Adaxes Event Log. Warning sample:

Too many failed login attempts to Web Interface SelfService. To protect you from a possible brute force attack, all subsequent login attempts will be processed with a delay.
The most of failed login attempts originated from the following IPs:
fe80::1dbd:465e:5fe6:3ea4%5
106.22.56.42
2001::db8::a0b::12f0::2255
...

How to access the log.

  • Open the Event Viewer on the computer where the Web Interface is installed.
    • Press Win+R.
    • Type eventvwr.msc.
    • Press Enter.
  • In the Event Viewer console tree, locate and click Adaxes.

If a failed login attempt was accidental, and there are no more failed attempts for the same username, password or IP address within a certain period of time, Adaxes removes it from the tracking system.

Open tutorial filtering

Got questions?
Support Forum