Public Qlikview Access Point user Authentication with AD - User lockout vulnerability
Hi,
I have publicly facing Qlikview Access Point that authenticates domain users using Active Directory.
The Access Point is run by IIS.
Penetration testing revealed that it's vulnerable to DDoS attacks, where if someone found out usernames, they could lock out all Active Directory users by entering credentials incorrectly 3 times (Active Directory policy).
Is creating local users the only solution to fix this vulnerability, so that at least in case of a DDoS attack only QlikView users would be affected and not the whole domain's users? Or is there any way to resolve this issue? Maybe some kind of delay between login attempts?
Thank you
Gatis
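The throttle the question asks about ("some kind of delay between login attempts"), as an added example that is not part of this thread or of QlikView: a hypothetical pre-authentication gate that would sit in the IIS layer in front of the AD bind and forward one failure fewer per username than the AD lockout threshold, so the public endpoint alone can never lock a domain account. `LoginGate`, `attempt_login`, the fake AD bind, the 15-minute window and the IP addresses are all constructed for the example.

```python
import time
from collections import defaultdict, deque


class LoginGate:
    """Hypothetical pre-authentication throttle placed in front of the AD bind.
    Per-username failures are capped one below the AD lockout threshold, so this
    endpoint cannot trip the domain lockout; a per-source-IP cap slows password
    spraying across many usernames."""

    def __init__(self, ad_lockout_threshold=3, per_ip_limit=10,
                 window_seconds=900.0, clock=time.monotonic):
        self.user_cap = ad_lockout_threshold - 1   # threshold 3 -> forward at most 2 failures
        self.per_ip_limit = per_ip_limit
        self.window = window_seconds               # assumed to match the AD observation window
        self.clock = clock                         # injectable for deterministic tests
        self._by_user = defaultdict(deque)         # username -> failure timestamps
        self._by_ip = defaultdict(deque)           # source IP -> failure timestamps

    def _recent(self, q, now):
        while q and now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        return len(q)

    def allow(self, username, source_ip):
        """True if this attempt may be forwarded to AD."""
        now = self.clock()
        if self._recent(self._by_user[username.lower()], now) >= self.user_cap:
            return False
        return self._recent(self._by_ip[source_ip], now) < self.per_ip_limit

    def record_failure(self, username, source_ip):
        now = self.clock()
        self._by_user[username.lower()].append(now)
        self._by_ip[source_ip].append(now)

    def record_success(self, username):
        self._by_user.pop(username.lower(), None)  # a good login clears the user's counter


def attempt_login(gate, username, password, source_ip, ad_bind):
    """Returns 'throttled', 'ok' or 'failed'; ad_bind (stand-in for the real AD
    check) is only called when the gate allows the attempt through."""
    if not gate.allow(username, source_ip):
        return "throttled"                         # respond like a bad password: no info leak
    if ad_bind(username, password):
        gate.record_success(username)
        return "ok"
    gate.record_failure(username, source_ip)
    return "failed"


def simulate_lockout_attempt():
    """Constructed scenario: an attacker who knows 'alice' sends 5 wrong passwords.
    Returns (outcomes, number of binds that actually reached AD)."""
    calls = []
    def fake_ad(user, pw):                         # constructed stand-in for the AD bind
        calls.append(user)
        return pw == "correct horse"
    now = [1000.0]
    gate = LoginGate(ad_lockout_threshold=3, clock=lambda: now[0])
    outcomes = [attempt_login(gate, "alice", f"wrong{i}", "203.0.113.9", fake_ad) for i in range(5)]
    return outcomes, len(calls)
```

The per-username cap still locks the user out of the Access Point for the window, which is the contained impact the question is after; it does nothing against failures sent to AD by other paths, so the AD lockout policy stays in place.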
Accepted Solutions
Hello @Gatis ,
Thanks for posting.
This topic looks more Microsoft-related than QlikView per se, as the authentication is done on the Active Directory part. Also note that the account lockout threshold is configurable; it could be 3 times or 10 times, as your AD administrator has set it up.
Find here some documentation from Microsoft and best practices on the same topic:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...
The link also talks about local users, and there are some best practices sections.
I hope this is useful for the concern you have raised here.
Cheers,
Thanks @Albert_Candelario
That's a tricky situation you got there! 😬 Dealing with DDoS attacks can be a real headache, especially when it affects your whole domain.
Creating local users might be a viable solution to contain the damage. Another approach could be implementing some form of delay or rate limiting between login attempts. This can help slow down potential attackers and make their efforts less effective.
I've also heard about the DarkVR IP Booter Panel, which some folks have found useful in mitigating DDoS attacks. It might be worth exploring as an additional layer of defense.
