Forum Discussion

Vsevolod_Petrov's avatar
Vsevolod_Petrov
Icon for Cirrostratus rankCirrostratus
May 19, 2014

OWA bruteforce protection with ASM

Hi,

 

Have you ever tried to protect MS Outlook Web Access login page with ASM? I'm trying to set up brute force protection but don't have any luck.

 

I made a login page with the following parameters:

 

Login URL       Explicit HTTPS /owa/auth.owa
Authentication Type HTML Form
Username Parameter Name username
Password Parameter Name password
Expected HTTP response status code 302

With this configuration I can see all requests including usernames in the Event Viewer. I expected that after enabling brute force protection for my login page I will have this page protected. But I don't.

 

Could you please share with me your experience?

 

    • Vsevolod_Petrov's avatar
      Vsevolod_Petrov
      Icon for Cirrostratus rankCirrostratus
      Session based brute force parameters are set to allow maximum of 2 login attempts and timeout 30 seconds. Maybe I should try dynamic protection.
  • Hm.. it seems that dynamic protection wasn't designed to solve this.

     

    I still need to configure Session-based Brute Force Protection.

     

    I didn't have such problems with other applications than Microsoft. Every time brute force protections was working as expected.

     

    Your assistance is much appreciated.

     

  • I've found that if I change the value of "Login Attempts From The Same Client" parameter to 1 I will have my OWA login page blocked after 3-4 of log in attempts.

    And in this case Event Viewer shows the following violation:

    Brute Force: Maximum login attempts are exceeded
    Number of Login Attempts    1
    

    But again I made 3-4 attempts.

    As I can see such behaviour is not a BIG-IP issue but characteristic of OWA login procedure.

    That's why I'm asking for a best practice for this kind of task.

    Or all I need just use APM in this case?