[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Secure OWA
- To: "Renshaw, Rick (C.)" <rrenshaw@xxxxxxxx>
- Subject: Re: [Full-disclosure] Secure OWA
- From: "Brendan Dolan-Gavitt" <mooyix@xxxxxxxxx>
- Date: Wed, 30 Aug 2006 09:57:43 -0400
On 8/30/06, Renshaw, Rick (C.) <rrenshaw@xxxxxxxx> wrote:
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Dude
VanWinkle
Sent: Saturday, August 26, 2006 2:30 PM
To: Adriel Desautels
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Secure OWA
> The only real fault I know about is the fact that you can guess passwords
eternally without locking out user accounts.
There's two sides to this risk. If you allow OWA logins to lock out
accounts, and your OWA page is available from anywhere on the Internet, you
are handing an easy DOS tool to anyone that knows the account names for
people on your server.
Perhaps. But a temporary lockout period would deter brute-force
attempts while still making an attacker do some work to keep the
accounts locked (eg, if you have a lockout of 5 minutes, brute forcing
is no longer practical, but at the same time, if you want to DoS
someone's account you have to keep coming back every 5 minutes. And
that increases the risk you'll get caught.)
-Brendan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/