Location Screening applied per mailbox
Location Screening is a fantastic tool, and I use it extensively. I have eighty mailbox users of which the majority never leaves the country, but I also have a handful of users who travel extensively around the world.
The problem arises when I have to unblock a specific country for a particular user. Suddenly all the mailboxes on my server are open to brute force authentication attacks from that particular country.
If I could apply Location Screening by means of a template, or security group, or even directly on a particular mailbox, it would mean that if I open a particular country, only that one mailbox would be at risk from brute force attacks from that country.
I recently had to open the US because one of my users makes use of PipeDrive, and it literally took minutes for the first brute force attempts from the US to start. If I could customize Location Screening to a particular mailbox, then it would mean that an attacker would not only have to brute force, but also have to guess which mailbox is open to that country.
Hello Charl,
Thank you for sharing your idea with us to implement per user location screening. There are some challenges to implementing this as it will require that we allow authentication to begin before a connection can be blocked by location screening. Some users will not like this, so we have to find a way to block connections as efficiently as possible.
There are a couple of options available for by-passing location screening on a per user basis. You can enable options for ActiveSync so that known devices by-pass location screening checks. You can also have the IP address of known ActiveSync devices whitelisted, so if you have a laptop on the same wifi network that is not using ActiveSync it will be allowed to connect as well. If you are using Webmail, you can use Two Factor Authentication to bypass Location Screening.
We will look into per user location screening for future versions.
Thanks,
Arron
-
Dave van den Berg commented
Is it possible to adjust location screening per domain? I think you don't have to authenticate when you see that a domain can't be reached. In this case, when having many users, you can put users in a domain when they travel. The other domains can keep the location screening only for their countries.
-
Dave van den Berg commented
Some users have clicked on a link and then they are victim of IMAP-connections to their account. By narrowing the countries the risk of connections with (brute force) attacks can be reduced.
Fewer notices of Authentication Failures, which are useful for security reasons but ignored by the users. I don't want to disable these notifications for my users; I need them to be aware of connection attempts with their accounts.
This is especially for IMAP; SMTP is no problem.
-
Charl Pohlmann commented
I just had a go at whitelisting PipeDrive.com, and it looks like PipeDrive breaks out through Amazon.com, so there are literally hundreds if not thousands of IP addresses which I will have to whitelist.
So I don't think that this will work either.
-
Charl Pohlmann commented
Thanks Arron,
I will try the Whitelisting of PipeDrive IPs for that purpose, but this will not work for my normal users.
The reason for this is:
1. We do not use Active Sync.
2. We do not allow our users to connect using WorldClient.
3. Our roaming users all travel with their notebooks, and collect mail using IMAP.
It would therefore not make sense to work with the Whitelisting of IPs for this purpose.
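The per-mailbox (and, per Dave's suggestion, per-domain) screening that Charl asks for, modelled as a small policy evaluator. This is an added example written for this page, not MDaemon's Location Screening code or API; the policy class, the two-stage `screen_connection` / `screen_login` split, the country codes and the mailbox names are all constructed for illustration. The two stages make Arron's caveat concrete: a country that no mailbox accepts can be dropped at connect time, but a country that any one mailbox accepts can only be decided after the username arrives, so an attacker probing that country still gets as far as the login exchange for every mailbox.

```python
"""Per-mailbox location screening policy (hypothetical, added example).

A server-wide allow list of countries, with optional per-domain and
per-mailbox overrides, so that opening a country for one travelling
user does not expose every mailbox to attempts from that country.
All names and country codes below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class ScreeningPolicy:
    allowed_countries: set[str]                                  # server default
    domain_overrides: dict[str, set[str]] = field(default_factory=dict)
    mailbox_overrides: dict[str, set[str]] = field(default_factory=dict)

    def is_allowed(self, mailbox: str, country: str) -> bool:
        """Most specific rule wins: mailbox, then domain, then server default.
        An override replaces the default list rather than extending it."""
        mailbox = mailbox.lower()
        if mailbox in self.mailbox_overrides:
            return country in self.mailbox_overrides[mailbox]
        domain = mailbox.split("@", 1)[1]
        if domain in self.domain_overrides:
            return country in self.domain_overrides[domain]
        return country in self.allowed_countries

    def countries_open_anywhere(self) -> set[str]:
        """Union of every country that at least one rule accepts."""
        opened = set(self.allowed_countries)
        for countries in self.domain_overrides.values():
            opened |= countries
        for countries in self.mailbox_overrides.values():
            opened |= countries
        return opened


def screen_connection(policy: ScreeningPolicy, country: str) -> str:
    """Stage 1: decision available before any credentials are sent.
    'block' drops the TCP connection immediately; 'defer' means some rule
    accepts this country, so the server must wait for the username."""
    return "defer" if country in policy.countries_open_anywhere() else "block"


def screen_login(policy: ScreeningPolicy, mailbox: str, country: str) -> str:
    """Stage 2: decision once the client has named a mailbox."""
    return "allow" if policy.is_allowed(mailbox, country) else "block"


def evaluate(policy: ScreeningPolicy, attempts: list[tuple[str, str]]) -> dict:
    """Run both stages over (mailbox, country) attempts and return the outcomes."""
    results = {}
    for mailbox, country in attempts:
        first = screen_connection(policy, country)
        results[(mailbox, country)] = (
            first if first == "block" else screen_login(policy, mailbox, country)
        )
    return results


def exposed_mailboxes(policy: ScreeningPolicy, mailboxes: list[str], country: str) -> list[str]:
    """Which mailboxes an attempt from `country` could even reach a login for."""
    return sorted(m for m in mailboxes if policy.is_allowed(m, country))


# Constructed sample policy: the server only accepts ZA; bob is opened for
# US (the PipeDrive case); a roaming domain is opened more widely.
EXAMPLE_POLICY = ScreeningPolicy(
    allowed_countries={"ZA"},
    domain_overrides={"roaming.example": {"ZA", "US", "DE"}},
    mailbox_overrides={"bob@example.com": {"ZA", "US"}},
)

KNOWN_MAILBOXES = [
    "alice@example.com", "bob@example.com",
    "carol@roaming.example", "dave@example.com",
]

SAMPLE_ATTEMPTS = [  # constructed (mailbox, source country) login attempts
    ("alice@example.com", "ZA"), ("alice@example.com", "US"),
    ("bob@example.com", "US"), ("bob@example.com", "ZA"),
    ("carol@roaming.example", "US"), ("carol@roaming.example", "DE"),
    ("dave@example.com", "RU"),
]

if __name__ == "__main__":
    for (mailbox, country), outcome in evaluate(EXAMPLE_POLICY, SAMPLE_ATTEMPTS).items():
        print(f"{country} -> {mailbox}: {outcome}")
    print("mailboxes reachable from US:", exposed_mailboxes(EXAMPLE_POLICY, KNOWN_MAILBOXES, "US"))
```

With this policy an attempt from RU is dropped before authentication, while an attempt from US against alice is only refused after the username is seen; the attacker's exposure from US shrinks from all four mailboxes to bob and carol, which is the reduction Charl describes.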