Ash73-0145 asked

On Premise OWA Brute force Protection

Hi, please can someone advise if an OWA CAPTCHA can be set up on Exchange 2016, or the best way to lock out the user account after 4 incorrect logon attempts on OWA (on-prem) - can't see it in Active Directory? This has been brought more into focus after the recent Microsoft Exchange vulnerability, with brute force attacks now more of a concern on OWA / mobile ActiveSync.

Thanks

windows-server-security, office-exchange-server-itpro

AndyDavid answered

OWA with VPN access would probably make the most sense financially if you already have a VPN solution. Do that and block 443 externally and you should be pretty secure.

Any other solution would require Azure / 365 licensing, yes.

Or 3rd party licensing for any integrated MFA solution with ADFS.


AndyDavid answered

Not possible natively.
Look at using ADFS with OWA:
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019

and then setting the Extranet Smart Lockout to stop these:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

Really though, a Multi-Factor solution integrated with that is the best solution.
You can leverage 3rd party MFA or use Azure:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide
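
The Extranet Smart Lockout setup referred to in the answer above, staged in log-only mode before enforcement. This is an added example, not part of the original answer or of Microsoft's documentation. It assumes an AD FS farm on Windows Server 2016 or later with the prerequisites from the linked article met; the threshold, observation window and user name are constructed values.

```powershell
# Added example: stage AD FS Extranet Smart Lockout (ESL) in log-only mode.
# Assumes an elevated session on the primary AD FS server with the ADFS and
# ActiveDirectory PowerShell modules available.
Import-Module ADFS, ActiveDirectory

# Assumed values (the question asks for 4 attempts); tune to your environment.
$eslThreshold = 4
$eslWindow    = New-TimeSpan -Minutes 30

# ESL only shields the AD account if it trips before the AD lockout policy does.
# An AD LockoutThreshold of 0 means AD itself never locks the account.
$adPolicy = Get-ADDefaultDomainPasswordPolicy
if ($adPolicy.LockoutThreshold -ne 0 -and
    $eslThreshold -ge $adPolicy.LockoutThreshold) {
    throw ("ESL threshold ($eslThreshold) must be lower than the AD lockout " +
           "threshold ($($adPolicy.LockoutThreshold)).")
}

# Turn on extranet lockout with the chosen threshold and window.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold $eslThreshold `
    -ExtranetObservationWindow $eslWindow `
    -ExtranetLockoutRequirePDC $false

# Log-only mode learns familiar locations and writes audit events
# without rejecting any request yet.
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly
Restart-Service adfssrv   # repeat the restart on every node in the farm

# Confirm what is now in effect.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                  ExtranetObservationWindow, ExtranetLockoutMode

# After the learning period, switch to enforcement:
# Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
# Restart-Service adfssrv

# Inspect the lockout state for one user (constructed UPN).
Get-AdfsAccountActivity 'user@contoso.example'

# Clear a lockout from unknown locations for that user if needed:
# Reset-AdfsAccountLockout 'user@contoso.example' -Location Unknown
```

This only covers sign-ins that go through AD FS, so OWA has to be switched to AD FS claims-based authentication first, as in the first link of the answer.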


Ash73-0145 answered

Thanks Andy,

Would we need to purchase the Office 365 email / Exchange package for this? Licensing is currently for on-prem, so we don't want to go for a full online solution just yet.

Or should we just use OWA with VPN access? OWA is currently accessible externally on 443.

cheers
Ash
