cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
344
Views
0
Helpful
4
Replies

VCS-E & AD Design Question

Justin Ferello
Contributor
Contributor

All,

If one deploys Jabber via VCS-Control & TMS, then uses Direct AD integration on the VCS-C, so it joins the domain.  I am pretty sure that someone trying to log into an AD account via Jabber, entering the password wrong several times would lock the AD account, correct?  Now if you add a VCS-E to the mix, now you open your AD network to the world per say, in that someone from the outside, if they were able to figure out your usernames they could start locking all your accounts.

Does any have some ideas on ways to overcome this?        

Thank you,

Justin Ferello
Technical Support Specialist
KBZ, a Cisco Authorized Distributor
http://www.kbz.com
e/v: justin.ferello@kbz.com       

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ
4 Replies 4

Martin Koch
Advocate
Advocate

Thats a nice question. I also thought of DOS capabilities but I never deeper tried.

The questin is how AD behaves, if it locks out the account, the "computer"=vcs where the

request comes from, the account for the computer where the request came from, ...

Also if its configurable who even can authenticate through the VCS (like only the jabber

group. Sure, you need a user in the Provisioning Directory to use Jabber but you might

be able use the AD integration to check if the credentials are valid for an AD  user.

Please remember to rate helpful responses and identify

Paulo Souza
Rising star
Rising star

Let me add two cents here:

I dont think this to be a security problem. Because thinking this way, the enterprises would never provide any service on internet.

For example, many companies provide webmail service for their employees via internet. The webmail page is public, anybody can get there and try to log in. It does not represent a security problem exactly, because companies normally have several security policies with regards usernames and passwords, like complexity of passwords, time for expiration and so on. I would consider the same regarding Jabber through VCSe.

To improve security regarding DoS and things like that, there are specific solutions, like border IDS and IPS solutions.

Regards

Paulo Souza

Paulo Souza Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

If you use sip-tls I would say combinding the vcs with a ids or ips could be hard, so this

would be a function better placed on the vcs itself (or maybe a tool which can analyze logfiles).

Regards the webmail, most companies I know use some two way authentication or additional

information rather then just the password.

Please remember to rate helpful responses and identify

rasimyigit
Beginner
Beginner

Certificates on the Client could be a way for more security but it is not easy to deploy certificates on all clients like jabber , movi or iPad

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers