Knowledgebase
Brute force attack protection
Posted by Jiří Hošek, Last modified by Michael Skoupý on 28 August 2019 10:30 AM

This article describes how Safetica protects against brute-force password attacks.

The following protection has been implemented to guard against password guessing. It covers attacks on the SMS (Safetica Management Service) login password and on the local administrator password on the end station. It is inspired by Slow Down Online Guessing Attacks with Device Cookies. WebSafetica uses a similar mechanism.

Principle

SMS and client protection use a floating (sliding) window of a given length (10 minutes) within which a limited number of password attempts (100) is allowed. Because the window slides, exceeding the limit does not necessarily block further attempts for a full 10 minutes: the next attempt is accepted as soon as an earlier bad attempt has dropped out of the window, which is usually sooner.

For logins from SMC to SMS, attempts are counted per user account, so each account gets its own 100 attempts in 10 minutes. SMS can also aggregate all attempts into a single counter, so that a maximum of 100 attempts in 10 minutes is allowed regardless of the account. This aggregation is disabled by default and is enabled through the registry; see the configuration below.

This protection does not include logging in to Windows accounts because Windows has its own domain-defined protection.

On clients, all attempts are grouped under one counter; the user is not distinguished.

Account lockout

If the number of attempts is exceeded, login is locked until an attempt becomes available again. An alert called "Repeatedly incorrect password for Safetica" is generated (previously this was an alert about three wrong passwords for an encrypted disk) with details: SMC stores the user account name, the computer, and the IP address. For protection on the client, the alert is displayed in SMC under the PC and the user that generated it.

Logs from login

In the SMC visualization mode of the User Account, you can now find all authentication attempts (previously only successful ones). If the account is known, it is listed along with the computer name. If the account is unknown, the record is saved under the user "unknown" with an empty computer field.

Configuration

Both SMS and client have the following configuration options:

  • BruteForceCount - number of attempts allowed in the window, default: 100
  • BruteForceWindow - window length in seconds, default: 600
  • BruteForceAnonymous - enable / disable aggregation of all attempts into one window, default: 0

For SMS, these values are entered in the registry under HKLM/Software/Safetica Technologies/Safetica Management Service/Config. A better option is to use SMS Activity Monitor (Menu - Options - Configuration ...). For the client, the values are entered under HKLM/Software/Safetica Technologies/Safetica Client Service/Config.