ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to Prevent Denial of Service (DoS) Attacks against Active Directory?


Newbie

Posts: 1
Date: Aug 5, 2013


Hello Everyone,

I would like some help on better understanding how we can prevent the occurrence of Denial of Service (DoS) Attacks against our Active Directory deployments. (We have 2 production AD environments, each is its own forest, one being our main internal corporate AD, and the other being an AD in the DMZ to support our corporate site.)

(By way of background, we are in the midst of evaluating internal controls for the adequate protection of our core identity infrastructure, and AD being the core of our identity management, we have been asked to look at all risks to which our AD might be exposed.)

In our research (primarily Microsoft's security whitepaper on Active Directory security), it seems that one of the potential attack vectors to plan for is denial-of-service attacks. We are not so concerned with the simple TCP SYN/ACK type DoS attacks being launched on our internal AD because only internal employees have access to it, and it's behind our corporate firewall.

However, we are concerned about things like malware trying to engage in automated password guessing, resulting in accounts being locked out, thus causing a DoS for the target user, in that the user would not be able to log on without an admin unlocking his/her account.

In the hypothetical situation wherein an outsider might be able to access our internal corporate network and engage in similar password guessing attacks, we're trying to determine what might be a realistic measure to try and prevent such DoS attacks against our Active Directory accounts.

The usual Account Lockout Policy and Password Policy settings recommendation is already being considered, but if there are any other ideas or things we should be thinking about, it would be helpful to know, so I thought I'd invite any thoughts/suggestions.

Thoughts? Suggestions?

Thanks,

Staphane.


