ADSelfService Plus: Tackling Threats From Outsiders
'Threats are Period!' Secure your user accounts from known and unknown outside threats!
Safeguard password self-service sessions with session timeouts, and send an email notification after every password self-service action. Keep user accounts resilient against security threats by letting end users reset their Active Directory passwords safely, using built-in tools and security measures such as CAPTCHA, HTTPS support, and LDAPS support.
Bot-based attacks/Denial-of-Service attacks
A bot (short for robot) is a program that operates as an agent for a user or another program, or simulates human activity. If a hacker manages to guess a username, they might try brute-forcing the security answer for a web-based password change, that is, trying every possible combination. To prevent this, ADSelfService Plus offers a lockout mechanism that locks out accounts subjected to brute-forcing. Administrators can define the threshold of unsuccessful attempts and the lockout period applied to an account that exceeds it. They also have a "Failed Attempts at Security Questions Report" to help them find which accounts were targeted.
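The lockout policy described above, as an added illustration that is not ADSelfService Plus's own code: a per-account counter of failed security-answer attempts, a configurable threshold and lockout period, and the raw rows an administrator-facing "failed attempts" report could be built from. The policy values and account names are constructed for the example; the comparison uses a constant-time check so that a wrong answer cannot be distinguished by timing.

```python
import hmac
import time
from collections import defaultdict

# Constructed policy values for illustration; a real deployment sets these in the admin console.
MAX_FAILED_ATTEMPTS = 3      # wrong security answers allowed before lockout
LOCKOUT_SECONDS = 15 * 60    # how long the account stays locked


class SecurityAnswerLockout:
    """Tracks failed security-question attempts per account and enforces a lockout."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable for testing
        self.failed = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                # username -> unix time the lock expires
        self.audit = []                       # (username, timestamp) of every failure

    def is_locked(self, username):
        """True while the lockout period is running; clears an expired lock."""
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[username]
            self.failed[username] = 0
            return False
        return True

    def verify(self, username, answer, expected):
        """Check a security answer; returns 'locked', 'ok' or 'wrong'."""
        if self.is_locked(username):
            return "locked"                   # refused even if the answer is right
        # Constant-time comparison; a real store would compare salted hashes instead.
        if hmac.compare_digest(answer, expected):
            self.failed[username] = 0
            return "ok"
        self.failed[username] += 1
        self.audit.append((username, self.clock()))
        if self.failed[username] >= self.max_failed:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            return "locked"
        return "wrong"

    def report(self):
        """Failed attempts per account, the data behind a failed-attempts report."""
        counts = defaultdict(int)
        for username, _ in self.audit:
            counts[username] += 1
        return dict(counts)


if __name__ == "__main__":
    guard = SecurityAnswerLockout(max_failed=3, lockout_seconds=60)
    for guess in ("blue", "green", "pink", "red"):
        print(guess, "->", guard.verify("alice", guess, "red"))
    print("report:", guard.report())
```

The fourth call above is refused even though "red" is the correct answer, which is the point of the lockout: once the threshold is hit, guessing stops paying off until the period expires.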
During security question authentication (user identity verification), CAPTCHA, a type of challenge-response test, attempts to distinguish malicious application-layer bots from human clients using perceptual challenges, making it infeasible for bots to carry out a denial-of-service attack. CAPTCHA also plays a vital role in keeping dictionary attacks at bay.
Are you wary of data theft during transmission? We recommend enabling HTTP over SSL (HTTPS) to secure communication between users' web browsers and ADSelfService Plus, and LDAP over SSL (LDAPS) to secure communication between ADSelfService Plus and Active Directory.
All communication between ADSelfService Plus and end users happens through a simple, self-explanatory web browser interface. By default, these server-client interactions use plain HTTP.
While communication between ADSelfService Plus and clients over plain HTTP may be acceptable in a closed LAN, you MUST use HTTPS between ADSSP and clients if the client is located outside the LAN and reaches ADSSP over the internet. In cases such as a geographically dispersed WAN or use over the internet, enable HTTP over SSL so that the web-based client-server communication is encrypted.
When you deploy ADSSP in a WAN, make sure you enable LDAP over SSL so that ADSSP and domain controllers communicate over LDAPS (encrypted). This way, communication between Active Directory and ADSSP stays absolutely safe.
SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. ADSelfService Plus employs a specially designed query handler framework that checks and handles all SQL database queries, so that user input cannot be used to inject SQL code. Besides, the only database ADSelfService Plus queries is its built-in database, during secondary authentication, report fetching, and certain other operations.
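To make concrete what a query handler has to guarantee, here is an added example (not the product's query handler framework) using a constructed in-memory SQLite table that stands in for the built-in database. It places the anti-pattern, user input concatenated into SQL text, beside the parameterized form, in which the driver binds the value and never parses it as SQL, and adds an input whitelist check a handler can apply before the query is ever built.

```python
import re
import sqlite3

# Usernames a handler should accept before binding them: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def seed_db():
    """Constructed stand-in for the application's built-in database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, answer_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def validate_username(username):
    """Whitelist check: reject anything that is not a plain account name."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_unsafe(conn, username):
    """Anti-pattern: the input becomes part of the SQL statement itself."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterized query: the value is bound by the driver, so it is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def handled_lookup(conn, username):
    """What a query handler should do: validate first, then bind."""
    if not validate_username(username):
        return None          # rejected before any SQL is built
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = seed_db()
    crafted = "x' OR '1'='1"           # constructed input containing SQL syntax
    print("unsafe:", lookup_unsafe(conn, crafted))   # returns every row
    print("safe:  ", lookup_safe(conn, crafted))     # returns nothing: no such username
    print("handled:", handled_lookup(conn, crafted)) # None: rejected by the whitelist
```

The difference to look for in review is structural: in the safe version the SQL text is a constant and the only thing that varies is a bound parameter, so no input value can change the shape of the query.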