Active Directory
AD Account Lockout Policy
It’s important to collect the Active Directory Account Lockout Policy from the project sponsor prior to performing any attacks on login portals.
This will ensure that account lockouts do not occur during the External Penetration Test. If lockouts do occur, they can be extremely disruptive, with all organisational accounts locked out for 15 to 30 minutes. Just imagine if 5000 staff couldn’t use their devices in that time: it could be considered a major disruption that would require the project sponsor to complete a post-incident report.
If the AD Account Lockout Policy is set to 5 password attempts per 15 minutes, it is better to stay on the safe side and still make only 2 password attempts per 15-20 minutes.
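One way the project sponsor can export the lockout policy to hand over before testing, shown as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account allowed to read fine-grained policies; the CSV file name is hypothetical.

```powershell
# Added example (read-only). Assumes the RSAT ActiveDirectory module and a
# domain-joined host; the CSV file name is a hypothetical choice.
Import-Module ActiveDirectory

# Default domain policy: applies to every account not covered by a PSO.
$default = Get-ADDefaultDomainPasswordPolicy
$policies = @([pscustomobject]@{
    Source            = 'Default domain policy'
    AppliesTo         = 'Accounts without a fine-grained policy'
    LockoutThreshold  = $default.LockoutThreshold
    ObservationWindow = $default.LockoutObservationWindow
    LockoutDuration   = $default.LockoutDuration
})

# Fine-grained password policies (PSOs) override the default for the users
# and groups they are linked to, so they must be collected as well.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $policies += [pscustomobject]@{
        Source            = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        AppliesTo         = ($pso.AppliesTo -join '; ')
        LockoutThreshold  = $pso.LockoutThreshold
        ObservationWindow = $pso.LockoutObservationWindow
        LockoutDuration   = $pso.LockoutDuration
    }
}

$policies | Format-Table -AutoSize -Wrap
$policies | Export-Csv -Path .\lockout-policy.csv -NoTypeInformation

# A threshold of 0 means lockout is disabled for that policy, so ignore it
# when looking for the strictest values in force.
$enforced = @($policies | Where-Object { $_.LockoutThreshold -gt 0 })
if ($enforced.Count -eq 0) {
    Write-Output 'No lockout threshold is enforced by any policy.'
} else {
    $strictest = ($enforced | Measure-Object -Property LockoutThreshold -Minimum).Minimum
    $longest   = ($enforced | Sort-Object ObservationWindow -Descending |
                  Select-Object -First 1).ObservationWindow
    Write-Output "Strictest threshold: $strictest failed attempts"
    Write-Output "Longest observation window: $($longest.TotalMinutes) minutes"
}
```

The strictest threshold and longest window are the values to agree on with the sponsor, since a fine-grained policy may apply a tighter limit to some accounts than the default domain policy does.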
Office 365 Login
Work in progress.
Microsoft Exchange
Work in progress.