Skip to main content

Qlik Community

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

QlikView Administration

Discussion Board for collaboration on QlikView Management.

Announcements
Skip the ticket, Chat with Qlik Support instead for instant assistance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Gatis
Contributor
Contributor
‎2021-11-26 09:41 AM

Public Qlikview Access Point user Authentication with AD - User lockout vulnerability

Hi,

I have publicly facing Qlikview Access Point that authenticates domain users using Active Directory.

Access Point run by IIS.

Penetration testing revealed that it's vulnerable to DDoS attacks, where if someone found out usernames, they could lock out all Active Directory users by entering credentials incorrectly 3 times (Active Directory policy).

Is creating local users the only solution to fix this vulnerability, so at least in case of DDoS attack only Qlikview users would be affected not the whole domain users? Or is there any way how to resolve this issue? Maybe some kind of delay between login attempts?

Thank you

Gatis

228 Views
0 Likes
1 Solution

Accepted Solutions
Albert_Candelario
Support
Support
‎2022-02-27 09:05 AM

Hello @Gatis ,

Thanks for posting.

This topic looks more Microsoft related than QlikView per se as the authentication is done on the Active Directory part. Also notice the Account lockout threshold is configurable, could be 3 times or 10 times as your AD administrator has set up.

Find here some  documentation from Microsoft and best practises on the same topic:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...

On the links it also talks about Local users and there is a some best practises sections.

I hope this is useful for the concern you have raised here.

Cheers,

Please, remember to mark the thread as solved once getting the correct answer

View solution in original post

122 Views
2 Replies
Albert_Candelario
Support
Support
‎2022-02-27 09:05 AM

Hello @Gatis ,

Thanks for posting.

This topic looks more Microsoft related than QlikView per se as the authentication is done on the Active Directory part. Also notice the Account lockout threshold is configurable, could be 3 times or 10 times as your AD administrator has set up.

Find here some  documentation from Microsoft and best practises on the same topic:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account...

On the links it also talks about Local users and there is a some best practises sections.

I hope this is useful for the concern you have raised here.

Cheers,

Please, remember to mark the thread as solved once getting the correct answer
123 Views
Gatis
Contributor
Contributor
‎2022-02-28 03:19 AM
Author

Thanks @Albert_Candelario 

 

114 Views
0 Likes