Restricting Logons to LDAP Servers

P&M provides protection against users who try to access secured areas by means of password-guessing attacks. You can distinguish these attacks from the inevitable and innocent forgotten password logons by setting a limit to the number of failed logons that is high enough to not exclude the innocent user, and low enough to thwart the malicious user.

For a given Membership Server instance of the Site Server LDAP Service, restrictions can be set for the following conditions:

• Short-term logon deny. Monitoring password failures for IP addresses and accounts and temporarily refusing logons. This feature can be turned on and off for any Membership Server.

Note

• Short-term logon deny for accounts logging on to Membership Server instances is also automatically in effect by the P&M Authentication Service when Membership Authentication is used.

• Permanent logon deny. Refusing logons to the Membership Directory by specific IP addresses. This feature can be implemented for a given Membership Server by adding IP addresses to a text file.

These two features can be turned on and off for a given Membership Server instance using the command-line interface. The configuration parameters used for monitoring logon failures can be changed in the Windows NT registry, and therefore determine the values for all LDAP servers on that computer.

Related Topics

• Short-term Authentication Service Logon Deny for Accounts Only
• Managing Authentication on the LDAP Service