Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Lock a remote user account based on LDAP after X login failures.

Emerson_Juan_da
Nimbostratus
Nimbostratus

‎01-Jun-2021 05:43

In order to be compliance with PCI standars we have to apply a lock account after X login failures.

 

Our environment has two BIG IP VE - Adv WAF in Sync-Only mode and they are using remote authentication based on LDAP (Windows AD).

 

How can we achieve the desired state? Is it possible while using remote authentication?

 

We checked the article below, but it seems not to work for our scenario.

https://support.f5.com/csp/article/K15497

 

Thank you.

Labels:
0 Kudos
4 REPLIES 4

Nikoolayy1
MVP
MVP

‎01-Jun-2021 05:47

I think that your windows team can do this if you want to protect your F5 devices:

 

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold

 

 

 

 

For using the ASM to protect the websites use "brute force attack protection":

 

 

https://support.f5.com/csp/article/K54335130

0 Kudos

Emerson_Juan_da
Nimbostratus
Nimbostratus

‎01-Jun-2021 06:38

Hi Nikoolayy1,

 

Thank you for the answers provided previously.

 

We already tried to use "Account Lockout" policy on our Active Directory, but no luck with that since this policy applies only to computer and not users. May I know if it worked for you? Maybe we are configuring it wrongly.

 

Have a good one.

Emerson

0 Kudos

Nikoolayy1
MVP
MVP

‎01-Jun-2021 11:00

Aha you are having a complex issue. Except the windows to make a powershell script or other kind of automation that uses GPO policy after it sees n number of faulty attempts in the active directory logs I don't know any other way. This is an interesting article about this:

 

 

https://social.technet.microsoft.com/Forums/windowsserver/en-US/007db067-d0b6-4ee6-8fee-ae14e251a121/lock-ad-user?forum=winserverGP

0 Kudos

Emerson_Juan_da
Nimbostratus
Nimbostratus

‎09-Jun-2021 17:34

Nikoolayy1,

 

Thank you! I really appreciated your help on this. I am discussing what you have suggested internally with my team mates in order to check if it feasible.

 

Have a good one.

0 Kudos
Copyright © 2023 Khoros, LLC