Brute force attack protection

In this article, you can read more about Safetica's protection against brute force attacks.

The following protection has been implemented to protect the Safetica Management Service password and the local administrator password on endpoints. WebSafetica uses a similar mechanism, inspired by "Slow Down Online Guessing Attacks with Device Cookies".

Principle

Safetica Management Service and Safetica Endpoint Client protection use a floating window of a given length (10 minutes) in which a limited number of password attempts (100) is allowed. "Floating" means that once the number of attempts is exceeded, a further attempt is allowed as soon as an earlier failed attempt has dropped out of the window, which is usually sooner than 10 minutes after the lockout.

When logging in from Safetica Management Console to Safetica Management Service, each user account is evaluated separately, so each user has 100 attempts in 10 minutes. Safetica Management Service can also aggregate these attempts, allowing a maximum of 100 attempts in 10 minutes regardless of the account. This is disabled by default; see the Configuration section below to enable it.

This protection does not cover logging in with Windows accounts, because Windows has its own domain-defined protection.

For clients, all attempts are grouped under one counter; the user is not distinguished.

Account lockout

If the number of attempts is exceeded, further login attempts are locked. An alert called "Repeatedly incorrect password for Safetica" is generated with details: Safetica Management Console saves the user account name, computer, and IP address. For the protection of Safetica Endpoint Client, an alert for the PC and the user is displayed in Safetica Management Console.

Logs about logging in

In Safetica Management Console, in the Visualization mode of the Access Management tab, you can find all authentication attempts (both successful and unsuccessful). If the user account is known, it is listed along with the computer name. If the account is unknown, the record is saved for the user "unknown" with an empty computer name.

Configuration

Both Safetica Management Service and Safetica Endpoint Client have the following configuration options:

  • BruteForceCount - number of attempts in the given window, default: 100
  • BruteForceWindow - window length in seconds, default: 600
  • BruteForceAnonymous - enable / disable aggregation of all attempts into one window, default value: 0

Values for Safetica Management Service can be entered in the registry in HKLM/Software/Safetica Technologies/Safetica Management Service/Config.

Values for Safetica Endpoint Client can be entered in HKLM/Software/Safetica Technologies/Safetica Client Service/Config.
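The floating-window mechanism from the Principle section and the three configuration keys above, as an added illustration in Python. This is not Safetica's code: the registry values are replaced by a plain dict with the same key names (so it runs offline), AGGREGATE_KEY, the password_ok stand-in for the real credential check, the FakeClock and the scenario data are all constructed for the example, and the choice that a successful login does not clear earlier failures is an assumption the article does not state. The scenario shows per-account versus aggregated counting, the alert point at the 100th failure, and why the lock lifts before a full 10 minutes have passed.

```python
"""Sliding-window login limiter modelled on the behaviour described in the article.

Added example, not Safetica's own code. Defaults mirror the documented
BruteForceCount (100), BruteForceWindow (600 s) and BruteForceAnonymous (0) keys;
reading them from HKLM is replaced by a plain dict so the module runs offline.
"""
from collections import deque
import time

# Constructed stand-in for the values under HKLM/Software/Safetica Technologies/.../Config.
DEFAULT_CONFIG = {"BruteForceCount": 100, "BruteForceWindow": 600, "BruteForceAnonymous": 0}

AGGREGATE_KEY = "<all accounts>"  # assumed name for the single shared counter


class SlidingWindowLimiter:
    """Counts failed attempts per account (or in one shared counter when aggregate=True)
    inside a floating window: a failure expires window_seconds after it was made."""

    def __init__(self, max_attempts=100, window_seconds=600.0, aggregate=False, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.aggregate = aggregate
        self.clock = clock      # injectable so a test can drive time deterministically
        self._failures = {}     # counter key -> deque of failure timestamps (oldest first)
        self.alerts = []        # (account, timestamp) recorded each time a lockout begins

    @classmethod
    def from_config(cls, cfg, clock=time.monotonic):
        return cls(
            max_attempts=int(cfg.get("BruteForceCount", 100)),
            window_seconds=float(cfg.get("BruteForceWindow", 600)),
            aggregate=bool(int(cfg.get("BruteForceAnonymous", 0))),
            clock=clock,
        )

    def _window(self, account):
        """Return (pruned deque, now); dropping expired failures is what makes the window float."""
        key = AGGREGATE_KEY if self.aggregate else account
        bucket = self._failures.setdefault(key, deque())
        now = self.clock()
        while bucket and now - bucket[0] >= self.window_seconds:
            bucket.popleft()
        return bucket, now

    def seconds_until_unlock(self, account):
        bucket, now = self._window(account)
        if len(bucket) < self.max_attempts:
            return 0.0
        # The oldest failure leaves the window first and frees one slot.
        return self.window_seconds - (now - bucket[0])

    def authenticate(self, account, password_ok):
        """Return 'locked', 'success' or 'failure'. password_ok stands in for the real
        credential check; while locked the credential is not evaluated at all."""
        bucket, now = self._window(account)
        if len(bucket) >= self.max_attempts:
            return "locked"
        if password_ok:
            return "success"    # assumption: a success does not clear earlier failures
        bucket.append(now)
        if len(bucket) == self.max_attempts:
            self.alerts.append((account, now))  # where the "Repeatedly incorrect password" alert fires
        return "failure"


class FakeClock:
    """Constructed clock for the scenario below; call it like time.monotonic()."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def run_scenario(aggregate):
    """Constructed scenario: 'alice' fails once per second for 100 s, then 'bob' tries."""
    cfg = dict(DEFAULT_CONFIG, BruteForceAnonymous=int(aggregate))
    clock = FakeClock()
    limiter = SlidingWindowLimiter.from_config(cfg, clock=clock)
    out = {}
    for t in range(100):                # failures at t = 0 .. 99; the 100th triggers the alert
        clock.now = float(t)
        out["last_failure"] = limiter.authenticate("alice", password_ok=False)
    clock.now = 100.0
    out["alice_after_lock"] = limiter.authenticate("alice", password_ok=True)  # right password, still locked
    out["bob_after_lock"] = limiter.authenticate("bob", password_ok=False)     # separate or shared counter
    out["unlock_in"] = limiter.seconds_until_unlock("alice")                    # 500 s, not a full 600 s
    clock.now = 600.0                   # alice's t=0 failure has aged out, so one slot is free again
    out["alice_at_600"] = limiter.authenticate("alice", password_ok=True)
    out["alerts"] = len(limiter.alerts)
    return out, limiter


if __name__ == "__main__":
    for mode in (False, True):
        results, _ = run_scenario(mode)
        print("aggregate" if mode else "per-account", results)
```

With BruteForceAnonymous left at 0, bob's attempt at t=100 is evaluated on his own counter and goes through; with it set to 1 the same attempt is refused because the shared counter is already full. In both modes alice is locked 501 seconds after her 100th failure, not 600, because the lock lifts as soon as her oldest failure leaves the window.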