
LockoutGuard
Protect AD accounts from Extranet attacks
Copyright ©2008
Collective Software, LLC
Extranet Publishing with ISA

[Diagram: OWA and other web apps on the LAN are published through ISA; LAN users connect to them directly, Internet users pre-authenticate at ISA first]

Active Directory is used for authentication
LAN users connect directly
Internet users pre-authenticate at ISA
AD Lockout: Good

[Diagram: an Internet attacker sends ISA pre-authentication attempts for user 'ceo' with passwords guess?, secret?, brute?, force?; the DC's bad password count for 'ceo' climbs 0, 1, 2, 3 ... Lockout!]

Attacker tries to guess / brute-force passwords
This type of attack is thwarted by AD account lockout
AD Lockout: Bad

[Diagram: the same attacker guesses against 'ceo' through ISA; the DC marks user 'ceo' locked out, and the real user 'ceo' on the LAN is locked out too]

This also causes the user to be locked out on the LAN
Just a nuisance? The help desk can reset the lockout
AD Lockout: Really Bad

[Diagram: the attacker cycles through user1, user2, user3, user4 ... via ISA; the DC locks all of them out, and the real users on the LAN are locked out]

An attacker that knows (or guesses) many accounts can lock them all out this way
Repeatedly! Now it's a denial of service
Problem analysis

Access from the Internet is useful but presents an easy attack surface
A lockout policy is needed to prevent password attacks
Any anonymous Internet connection can lock out user accounts at will
Is there an easy fix?

Given single-factor authentication, lockout is the only feasible solution
But! We can stop Internet users with a "soft" lockout (e.g. after 3 bad passwords)
Before the Active Directory "hard" lockout (e.g. after 5 bad passwords)
The soft threshold must be lower than the AD threshold, so attempts from the Internet alone can never push the DC's bad password count up to the hard lockout
As with AD lockout, there is no indication to the user: once the soft threshold is reached, a correct password is rejected just like a wrong one
This helps thwart "low and slow" attackers
LockoutGuard

[Diagram: the attacker sends ISA five attempts for user 'ceo' (guess?, secret?, brute?, force?, aaaa?); LockoutGuard with threshold 3 forwards only the first three to the DC; the real user 'ceo' on the LAN is unaffected]

After the LockoutGuard threshold (configurable) is reached, that user's authentication requests stop going to the DC
Internet users are now "locked out" but LAN users are not affected!
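To make the interplay between the "soft" gateway threshold and the AD "hard" threshold from the previous two slides concrete, here is an added simulation. It is example code written for this page, not LockoutGuard's or ISA's own implementation. It models the DC's bad-password counter and hard lockout, a pre-authenticating gateway with a lower soft threshold, and runs the slides' five guesses against 'ceo' both without and with the guard, then tries the real user on the LAN and on the Extranet. The class names, the thresholds 3 and 5, and the sample password are this example's own assumptions.

```python
from collections import defaultdict


class DomainController:
    """Minimal model of AD bad-password counting and 'hard' account lockout.
    hard_threshold stands for the domain's 'Account lockout threshold'; the
    time-based reset window that real AD also applies is left out (assumption)."""

    def __init__(self, passwords, hard_threshold=5):
        self.passwords = passwords          # user -> password (constructed sample data)
        self.hard_threshold = hard_threshold
        self.bad_count = defaultdict(int)   # stands in for badPwdCount
        self.locked = set()
        self.requests_seen = 0              # how many attempts actually reached the DC

    def authenticate(self, user, password):
        self.requests_seen += 1
        if user in self.locked:
            return False
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0        # a good logon resets the counter
            return True
        self.bad_count[user] += 1
        if self.bad_count[user] >= self.hard_threshold:
            self.locked.add(user)           # hard lockout: LAN users are hit too
        return False


class SoftLockoutGateway:
    """Pre-authenticating proxy (the ISA role in the slides). Once a user has
    failed soft_threshold times from the Internet it stops forwarding that
    user's attempts to the DC and just answers 'denied', so this path can
    never drive the DC's counter up to the hard threshold.
    soft_threshold=None models a plain pass-through proxy with no guard."""

    def __init__(self, dc, soft_threshold=3):
        if soft_threshold is not None and soft_threshold >= dc.hard_threshold:
            raise ValueError("soft threshold must be lower than the AD hard threshold")
        self.dc = dc
        self.soft_threshold = soft_threshold
        self.bad_count = defaultdict(int)

    def authenticate(self, user, password):
        if self.soft_threshold is not None and self.bad_count[user] >= self.soft_threshold:
            return False                    # silently denied; the DC never sees it
        ok = self.dc.authenticate(user, password)
        if ok:
            self.bad_count[user] = 0
        else:
            self.bad_count[user] += 1
        return ok


ATTACK_GUESSES = ("guess", "secret", "brute", "force", "aaaa")   # the slides' five guesses
REAL_PASSWORD = "correct-horse"                                  # constructed sample password


def run_scenario(soft_threshold, hard_threshold=5, user="ceo"):
    """Run the attack against `user` through the gateway, then try the real
    user directly on the LAN (straight to the DC) and through the Extranet."""
    dc = DomainController({user: REAL_PASSWORD}, hard_threshold=hard_threshold)
    gw = SoftLockoutGateway(dc, soft_threshold)
    for guess in ATTACK_GUESSES:
        gw.authenticate(user, guess)
    result = {
        "dc_requests_seen": dc.requests_seen,
        "dc_bad_count": dc.bad_count[user],
        "dc_locked": user in dc.locked,
    }
    result["lan_login_ok"] = dc.authenticate(user, REAL_PASSWORD)
    result["extranet_login_ok"] = gw.authenticate(user, REAL_PASSWORD)
    return result


if __name__ == "__main__":
    print("no guard:   ", run_scenario(soft_threshold=None))
    print("guard at 3: ", run_scenario(soft_threshold=3))
```

Without the guard all five guesses reach the DC, 'ceo' is hard-locked and neither the LAN nor the Extranet logon works afterwards. With the guard at 3 only three attempts reach the DC, its counter stops at 3, the LAN logon succeeds, and only the Extranet logon is refused, which is exactly the trade-off the Pros / Cons slide describes. The model deliberately omits any time-based reset on the gateway side; a deployment needs some way for a soft lockout to clear, or a legitimate Extranet user who hit the threshold stays out until someone intervenes.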
Pros / Cons

Pros:
Easy, fast and inexpensive to implement!
Doesn't add any adverse effects

Cons:
Only helps on the LAN; the real user is still locked out of the Extranet
Multi-factor authentication would be better! (Such as AuthLite by Collective Software)