UAG protection against distributed brute force

Question

UAG can be configured to block a user for a specific time period after a defined number of unsuccessful login attempts. However, this setting applies to a particular session (based on cookie). To test this, I blocked my account by providing incorrect credentials. Then I closed the browser session and opened a new browser session. I was able to attempt logging in again. So, if a brute force was attempted from 10 different computers at the same time, blocking settings would apply individually to each session, causing more failed authentication requests to go to the back-end A/D, which will result in account lockout.

As an example, let us suppose we have UAG set to block a user for 10 minutes after 3 unsuccessful attempts and A/D is configured to lock an account after 5 unsuccessful attempts. Now, logging in with incorrect credentials is attempted at the same time from two computers. Three attempts from computer 1 and three attempts from computer 2 will reach the A/D before each of these sessions is blocked by UAG, and this will cause the account to be locked in A/D.

Is there a way to configure UAG so that it can block a user account irrespective of the HTTPS session, maybe after a higher number of failed attempts as compared to one single session? The UAG account blocking and A/D account locking work fine together when we assume that logging in will be attempted from only one computer, but it does not serve the purpose if a distributed brute force is attempted. Is there a way to protect against this?

Thursday, May 24, 2012 1:12 PM
