Battle of the Week - Failed Login Attempts
The Battleground:
The IT infrastructure of a rural county whose public offices, including the police department, library, and fire department, are all interconnected.
The Presumption:
A brute-force attack from a malicious IP should be stopped by the firewall, and accounts should lock out after a set number of failed attempts.
The Discovery:
The customer generated a large number of login attempts, which triggered brute-force alarms in our system. The attempts all came from the same internal IP and were all failing against a Microsoft Exchange server.
Our Solution:
The large number of failed logons was caused by two misconfigurations:
- Cisco Jabber settings were not configured correctly for calendar or voicemail access
- Outlook cache settings
Lessons Learned:
A large number of failed logons is not always malicious; it can be the result of a misconfiguration on the network. Always set up login limits on accounts to prevent bandwidth from being wasted and to help prevent brute-force attacks.
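The discovery above (one internal IP failing repeatedly against Exchange) and this lesson both come down to a triage question: does a burst of failed logons look like a brute-force attack or like a client retrying on a timer? The following Python script is an added example, not code from the original post or from the customer's environment. It parses constructed log lines (the `src=... user=... result=...` format, the internal address ranges, the failure threshold, and every IP and account name are assumptions), groups failures by source IP, and labels each source that crosses the threshold using three signals: whether the source is internal, how many distinct accounts it targets, and whether the retry cadence is regular.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Internal address ranges as a defender would define them for this environment
# (assumption: the county network uses RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Failures from one source before it is worth a look (assumed alarm threshold).
FAIL_THRESHOLD = 5

# Constructed sample log lines (not real customer data). One line per logon attempt:
#   <ISO timestamp> src=<ip> user=<account> service=<name> result=<FAIL|OK>
# 10.20.30.40 retries one account once a minute, like a misconfigured mail client.
# 198.51.100.23 (a constructed external address) cycles through many accounts.
SAMPLE_LOG = """\
2024-03-04T08:00:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:01:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:02:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:03:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:04:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:05:00 src=10.20.30.40 user=jsmith service=exchange result=FAIL
2024-03-04T08:02:11 src=198.51.100.23 user=admin service=exchange result=FAIL
2024-03-04T08:02:12 src=198.51.100.23 user=administrator service=exchange result=FAIL
2024-03-04T08:02:13 src=198.51.100.23 user=jsmith service=exchange result=FAIL
2024-03-04T08:02:15 src=198.51.100.23 user=fire.chief service=exchange result=FAIL
2024-03-04T08:02:19 src=198.51.100.23 user=library service=exchange result=FAIL
2024-03-04T08:02:20 src=198.51.100.23 user=police service=exchange result=FAIL
2024-03-04T08:02:30 src=10.20.30.41 user=bjones service=exchange result=OK
2024-03-04T08:02:45 src=10.20.30.41 user=bjones service=exchange result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"service=(?P<svc>\S+) result=(?P<res>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def is_internal(ip):
    """True if the address falls inside one of the defined internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_failed_logons(events, threshold=FAIL_THRESHOLD):
    """Group failures by source IP and label every source that crosses the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["res"] == "FAIL":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        if len(fails) < threshold:
            continue
        fails.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in fails}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fails, fails[1:])]
        # A client retrying on a timer produces near-identical gaps between attempts;
        # a tool hammering accounts produces bursts with irregular spacing.
        regular = (len(gaps) >= 2 and mean(gaps) > 0
                   and pstdev(gaps) <= 0.1 * mean(gaps))
        internal = is_internal(src)
        if internal and len(users) == 1 and regular:
            verdict = "likely misconfigured client"
        elif len(users) > 1 or not internal:
            verdict = "possible brute force"
        else:
            verdict = "investigate"
        findings[src] = {
            "failures": len(fails),
            "accounts": sorted(users),
            "internal": internal,
            "regular_cadence": regular,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for src, f in triage_failed_logons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['failures']} failures, {len(f['accounts'])} account(s), "
              f"internal={f['internal']}, regular={f['regular_cadence']} -> {f['verdict']}")
```

The "likely misconfigured client" label is a triage hint, not a dismissal: the source still needs to be identified and its client settings fixed, and the account lockout the post recommends should apply regardless of the verdict. The cadence check is deliberately simple (standard deviation under 10% of the mean gap); a real deployment would tune the threshold and window to its own log volume.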