
Domain Information

Status
Not open for further replies.

DirtyB (Programmer; joined Mar 13, 2001; 159 messages; location: US)
This question may not fully apply here, but I've already posted it in .asp forums and no one seems to know the answer. So, here it is:

I have some ASP pages on IIS that use DLLs to get domain information on a user in order to log the user into this application. The DLL simply queries the domain and asks if this username is an active member of the domain, and if the password matches. Very simple. However, this leaves us susceptible to brute force attacks. Meaning that we have no way to "write" to the domain information to lock a user out after three unsuccessful attempts. So my question is this: is there a way/how is it done to lock a user account from a DLL or from an ASP page? Does anyone know how this is done?

Any help is much appreciated.

Thank You
 
Hi!

You have not mentioned if you're using NT or 2000 (or other) IIS server.

Anyway, both have an option to lock a user account after pre-configured times.
In NT, go to User Manager - Policies - Account.
In 2000, it is in the Group Policy, depending on whether you are using AD or not.

I don't know of a way to distinguish between a user using IIS or a user authenticating "normally", but you may set up 5 chances to put the correct password and then lockout.

A downside of this is that a malicious attacker can lock down legitimate accounts. I don't know of any solution for that.

There are other solutions, depending on your specific configuration.
Consult a security expert about this if important to you.

Bye
Yizhar Hurwitz
 
If I understand correctly, the ASP is not actually logging the user in, more just querying the SAM. If this is the case, it would not lock it out. I would suggest looking into some kind of TACACS server.
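An added example, not part of any post in this thread: an application-side counter of failed attempts that a login page could consult before calling the DLL's domain check, covering the case where the domain's own lockout policy is not applied to that check. `checkDomain` is a hypothetical stand-in for the DLL call, the threshold of three comes from the question, and the window, lock duration and the choice to key on username plus client address are assumptions.

```javascript
// Added example: application-side lockout for a login page.
// Assumptions: checkDomain(user, pass) stands in for the DLL's domain check;
// the window and lock duration are illustrative values.
const MAX_FAILURES = 3;             // "three unsuccessful attempts" from the question
const WINDOW_MS = 15 * 60 * 1000;   // failures older than this are forgotten
const LOCK_MS = 30 * 60 * 1000;     // how long a locked key stays locked

function createLoginGuard(checkDomain, now = Date.now) {
  const state = new Map(); // key -> { failures: [timestamps], lockedUntil }

  // Key on account AND client address, so one remote guesser locks only
  // their own source instead of the account for every other client.
  const keyFor = (user, clientAddr) => user.toLowerCase() + "|" + clientAddr;

  function attempt(user, pass, clientAddr) {
    const key = keyFor(user, clientAddr);
    const t = now();
    const entry = state.get(key) || { failures: [], lockedUntil: 0 };

    // Refuse while locked without calling the domain check at all, so a
    // correct guess made during the lock period is not confirmed.
    if (t < entry.lockedUntil) return { ok: false, reason: "locked" };

    if (checkDomain(user, pass)) {
      state.delete(key);            // success clears the failure history
      return { ok: true, reason: "authenticated" };
    }

    // Record the failure and drop those outside the sliding window.
    entry.failures = entry.failures.filter((f) => t - f < WINDOW_MS);
    entry.failures.push(t);
    if (entry.failures.length >= MAX_FAILURES) {
      entry.lockedUntil = t + LOCK_MS;
      entry.failures = [];
    }
    state.set(key, entry);
    return { ok: false, reason: entry.lockedUntil > t ? "locked" : "denied" };
  }
  return { attempt };
}
```

The state lives in process memory here; a multi-server site would need to keep it in a shared store so that the count survives restarts and is seen by every front end.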
 
I have a problem logging onto the BDC domain. Currently I have a BDC, IIS SRV and a NT Srv. I had no problems joining the IIS Srv to the BDC, but the NT Srv cannot find the domain. When I right-click Network Neighborhood, go to Properties and try to join, the message I get is that it cannot find the domain. Servers are linked up to a Fast Ethernet switch. For the NT SRV I don't have a solid green but rather blinking green lights (should that be a problem?). Then it could be a connectivity issue. Any suggestions will be helpful.

Thanks
 
yonsej93,

Sorry, but I think you cannot make any changes to the SAM without a PDC, including adding and removing servers and domain members. According to your post, you have a BDC but no PDC. Is that right?
Jeffrey Rebong
Computer Engineer/Network Administrator
jrtech@email.com
 