Forum Discussion

Sani
Feb 28, 2017

ASM Brute Force Protection for Microsoft ActiveSync

Hello All,


I have configured F5 ASM Brute Force Protection for the Microsoft-Server-ActiveSync URL using the session-based mitigation method with the "Login Attempts from Same Client" value set to 2.


I have tried to brute force this URL using the Burp tool with a username and multiple wrong passwords and could see that ASM is blocking the authentication request after 2 failed attempts, and the user accounts are not getting locked out in Active Directory because ASM is blocking the authentication request from reaching the server.


But when I have tried to do the same using a mobile phone, setting up an ActiveSync account and trying to authenticate multiple times with wrong passwords for the same username, the account is getting locked out in Active Directory, because ASM is not able to detect this as a brute force login attempt and passes the request all the way to the server.


I am here trying to understand the difference between a manual attempt using a mobile ActiveSync account and using an automated brute force login script. The only possibility I could think of is that the mobile ActiveSync account might be initiating a different connection to the system each time we try to authenticate, whereas in the case of the script we might be going over the same session and getting blocked by the ASM Brute Force Protection feature.


Can someone help me understand this behavior and how to solve this using ASM, as this is very much impacting one of our user accounts?


Best Regards, Saneesh


1 Reply

  • I am not a Mobile ActiveSync expert, but it looks like the mobile client is using a different URL or username parameter. You need to figure out the difference between the web and mobile client requests by looking at the request logs in ASM and adjust your ASM policy accordingly.
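The poster's hypothesis (the mobile client opens a new connection for every attempt, so a session-keyed failure counter never reaches its threshold) is easy to check against request logs once they are exported. The script below is an added example written for this thread; it is not part of the original post, the reply, or any F5 code, and the log format and sample values are constructed, not ASM's actual request-log format. It replays the same attempts with the counter keyed on the session and then on the username, using the post's threshold of 2, and reports how many failed logins would still reach the server (and so count toward an Active Directory lockout) under each keying.

```python
from collections import defaultdict

# Constructed sample log, not F5 ASM's actual request-log format.
# One record per authentication attempt:
#   <session_id> <username> <url> <http_status_returned_by_server>
# The scripted client (sess-1) keeps one session for all of its attempts;
# the mobile ActiveSync client opens a new session for every attempt.
SAMPLE_LOG = """\
sess-1 alice /Microsoft-Server-ActiveSync 401
sess-1 alice /Microsoft-Server-ActiveSync 401
sess-1 alice /Microsoft-Server-ActiveSync 401
sess-2 bob /Microsoft-Server-ActiveSync 401
sess-3 bob /Microsoft-Server-ActiveSync 401
sess-4 bob /Microsoft-Server-ActiveSync 401
sess-5 bob /Microsoft-Server-ActiveSync 401
sess-6 carol /Microsoft-Server-ActiveSync 200
"""

MAX_FAILURES = 2  # same value as the post's "Login Attempts from Same Client"


def parse_log(text):
    """Parse the constructed log into one dict per attempt; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        session_id, user, url, status = line.split()
        records.append({"session": session_id, "user": user,
                        "url": url, "status": int(status)})
    return records


def simulate(records, key_field, max_failures=MAX_FAILURES):
    """Replay attempts in order, counting failures per `key_field`
    ("session" or "user"). Once a key has accumulated max_failures
    failures, later attempts under that key are blocked before they
    reach the server.

    Returns (failed_logins_reaching_server_by_user, blocked_attempts).
    """
    failures = defaultdict(int)        # failures counted per key
    reached_server = defaultdict(int)  # failed logins the server (and AD) would see
    blocked = 0
    for rec in records:
        key = rec[key_field]
        if failures[key] >= max_failures:
            blocked += 1               # mitigation triggers; request not forwarded
            continue
        if rec["status"] == 401:
            failures[key] += 1
            reached_server[rec["user"]] += 1
    return dict(reached_server), blocked


def compare(text=SAMPLE_LOG):
    """Run both keying strategies over the same log and return them side by side."""
    records = parse_log(text)
    return {"per_session": simulate(records, "session"),
            "per_user": simulate(records, "user")}


if __name__ == "__main__":
    for mode, (by_user, blocked) in compare().items():
        print(f"{mode}: failed logins reaching the server {by_user}, blocked {blocked}")
```

With session keying, alice's scripted attempts are cut off after two failures, but every one of bob's mobile attempts arrives in a fresh session and is forwarded, so the directory sees all four failures. Keying the counter on the username (or whatever identifies the account in the ActiveSync request, as the reply suggests checking in the logs) blocks bob after two failures as well.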