
Question

Webdav Autolockout

asked on July 11

Hello


I have a customer with a DMZ setup using Mobile, WebClient, Forms, and Public Portal.  Intermittently, on their security reports, they see activity between the DMZ and their LFS server that is identified as high severity.  The activity application is WebDAV over port 80 and is trying to access or perform Autolockout.

Below is a screenshot from a report previously provided:

Their configuration is not using WebDAV in any way.  I have gone through all of their access points (web client, forms, public portal, and mobile) to ensure they are all set to use TLS, but it still seems to be popping up every few months and I can't track it to any specific events.

Does anyone know if there are any LF processes that use WebDAV in the background for communication?  They are on Laserfiche version 12 but the problem existed before upgrading.

Jim

0 0

Replies

replied on July 11

Regarding:

Their configuration is not using WebDAV in any way. 

WebDAV is an extension to the HTTP protocol, and Laserfiche Repository Server and the client libraries that communicate with it (Repository Access, LFSO) use WebDAV functionality. It's not surprising that security tooling doing network inspection is detecting and flagging repository traffic as WebDAV, because it is.

I don't have any specific insight into what "autolockout" might be or why that call is going over port 80/http instead of 443/https. If the security tool is capturing the whole http request in question, I'd inspect it and see if there's any sort of client application identifier in the request headers that could point you in the right direction.

Edit 1:
As you've already checked all the web applications have TLS enabled for repository connections, my hunch would be that it's coming from a Repository Windows Client instance installed on the DMZ server (common for troubleshooting). The Windows Client connects to repositories over http/80 by default unless you specifically "Attach" them and check "Use TLS" (https/443) in that dialog.

Edit 2:
From looking through internal docs, "Autolockout" is a Laserfiche repository property option related to locking out a user account after too many failed login attempts. That could plausibly happen in this scenario for reasons like a Repository Windows Client session remaining logged in with cached credentials instead of being properly closed, then those creds becoming invalidated later but still being used. Periodic bursts of them in the logs may be suggestive of a retry loop with invalid credentials. That's also consistent with the security software flagging it as a "User Authentication Brute Force Attempt".

This reinforces the importance of capturing and reviewing the HTTP requests being flagged. As they are conveniently in plaintext, you should be able to inspect them and see exactly what user account is in the login attempts. 

1 0
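The reply above recommends capturing the flagged port-80 requests and reading the client identifier and user account out of them. The following is an added example, not code from the thread or from Laserfiche, of how a defender could triage such a capture: it parses raw HTTP request heads, pulls the User-Agent and the user name from a standard HTTP Basic Authorization header (the only credential form assumed here; Laserfiche-specific headers are not modelled), and reports any (source, client, user) group that retries within a short window, which is the signature of a stale-credential loop feeding an autolockout. The capture records, host names and client names are constructed for the example.

```python
"""Triage of plaintext HTTP requests flagged as WebDAV on port 80.

Added example (not from the original thread). Assumes the security tool can
export each flagged request as a timestamp, source IP and the raw request
head. Sample data below is constructed; agent/host names are fictional.
"""
import base64
from collections import defaultdict
from datetime import datetime, timedelta

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def _basic(user, password):
    # Build an HTTP Basic credential for the constructed sample only.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _request(method, path, agent, auth=None):
    # Assemble a raw request head the way a capture export would show it.
    lines = [f"{method} {path} HTTP/1.1", "Host: lfs.example.internal", f"User-Agent: {agent}"]
    if auth:
        lines.append(f"Authorization: {auth}")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed capture: a retry loop with a stale credential from the DMZ host,
# plus one ordinary request from a different client, for contrast.
SAMPLE_CAPTURE = [
    (f"2024-07-09 08:02:{s:02d}", "10.0.5.20",
     _request("PROPFIND", "/repo/", "HypotheticalClient/12.0", _basic("svc-scan", "stale")))
    for s in range(0, 60, 10)
] + [
    ("2024-07-09 08:03:05", "10.0.5.20",
     _request("PROPFIND", "/repo/", "HypotheticalClient/12.0", _basic("svc-scan", "stale"))),
    ("2024-07-09 11:40:00", "10.0.5.31",
     _request("GET", "/repo/doc1", "OtherTool/2.1", _basic("alice", "ok"))),
]


def parse_request(raw):
    """Split a raw HTTP request head into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def basic_user(headers):
    """Return the user name from an HTTP Basic Authorization header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def find_bursts(capture, window=timedelta(minutes=5), threshold=5):
    """Group requests by (source, user-agent, user) and report each group that sent
    at least `threshold` requests inside one `window` (a likely retry loop)."""
    groups = defaultdict(list)
    for ts, src, raw in capture:
        req = parse_request(raw)
        key = (src, req["headers"].get("user-agent", "<none>"), basic_user(req["headers"]))
        groups[key].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), req["method"]))
    findings = []
    for (src, agent, user), events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        j = 0  # sliding window: j is the first event later than times[i] + window
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append({
                    "source": src, "user_agent": agent, "user": user,
                    "count": j - i, "first": times[i], "last": times[j - 1],
                    "webdav_methods": sorted({m for _, m in events if m in WEBDAV_METHODS}),
                })
                break  # one finding per group is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_bursts(SAMPLE_CAPTURE):
        print(f"{f['source']} {f['user_agent']} user={f['user']}: {f['count']} requests "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} methods={f['webdav_methods']}")
```

On the constructed capture this reports a single group (the DMZ host, the hypothetical client, user svc-scan) with seven PROPFIND requests in just over a minute, while the lone request from alice is not flagged. In practice the user name and User-Agent in that one finding are what you would take back to the server: they identify which installed client still holds the stale credential.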
replied on July 16

Thanks Samuel,

I was also looking at the Windows Client as the potential cause. Would WebDAV be specific to the Windows Client, or could the activity be coming from the Web Client or WebLink as well?  I have uninstalled the client from the DMZ server as it was there just for troubleshooting on install.

Unfortunately, it is intermittent and only happens in short bursts.  It was most recently reported as happening in the morning one day last week for a little over an hour, recording several hundred hits on the firewall during that time.  It hasn't happened since.  Prior to that it was reported a couple of months ago with similar activity.


Jim

0 0
replied on July 16

Think of WebDAV as the base language of Laserfiche Repository Server. Any client application built on the Repository Access or Laserfiche Server Objects (LFSO) libraries (i.e., all of them) can speak WebDAV.

0 0