FEATURE REQUEST - Failed login attempts result in the same error message

I've been asked to raise this as part of case 01268610

Our security team have been doing some testing of our SolarWinds servers, and have reported that they get different responses for different types of login failures using AD users.#

An incorrect AD password gets the error 'There was a problem authorizing the specified windows account'
Using a valid set AD user and password that isn't in the AD group needed to access SolarWinds results in the error 'Windows account not authorized'.

These also appear to be different from the errors than non-AD users get for login failures.

This request is to change all failed login attempts to display the same message regardless of the type of login failure. The reasoning behind this is that passing specific error messages could help a malicious actor attempting to hack into our SolarWinds servers. It can also be used to validate if AD credentials are correct without logging in to a system.

Find more posts tagged with

Status: None

Comments

simonp73

Surely this should be a simple update to change the messages or even have an option in the Global settings so you can have a generalised failed login message

simonp73

Looking to see if anyone else thinks this is a good idea? Our security/cyber team would be keen t get this implemented by you as it gives a 'bad actor' an insight into why they are unable to gain access and so adjust how they are trying to gain access

simonp73

@dc4networks any ideas how many votes this would need to get looked at?

NVSteven

There are feature requests with 100s of up votes for years that don't have any progress