<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7VC4SANOkta Classic EngineAdministrationAnswered2024-10-24T09:01:38.000Z2017-01-17T22:04:58.000Z2018-11-08T15:21:41.000Z

Admin-MattM.11539 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
Behavior of network zone restrictions
I have a question regarding how network zone restrictions are implemented.  We recently discovered evidence of a brute force attack on our Office 365 tenant originating from China, Singapore, and Hong Kong.  Because our Office 365 tenant is federated to Okta, and Okta is federated to our AD, we had multiple users complaining of locked AD accounts.

 

I've implemented a network zone restriction at the Okta login policy level to not allow any logins from those specific countries (we don't have any users there), but will this prevent user accounts from being locked out?  By examining the logs, it looks like the zone restriction is being applied after the authentication request happens (tested with a VPN that has an endpoint in Hong Kong), but I'm not quite sure of that.  Is there a better way?
  • 9 answers
  • 2.54K views
benjamin.l.campbell and 7sb5x like this.

  • Admin-MattM.11539 (Customer)

    We actually just discovered the other day that it is possible to do country level blacklists. This feature doesn't seem to be enabled by default, you need to contact Okta to have it enabled for your org. After it's enabled, you will see the same blacklist checkbox on dynamic network zones.

    Selected as Best

  • Admin-MattM.11539 (Customer)

    This is helpful, thanks.  I'll check that setting.

     

    However, locking the Okta account is still a significant event for a user since we have many critical services integrated into Okta.  I guess the original question still applies, would a brute force attack from a restricted network zone still trigger an Okta lockout?

  • j5v7c (j5v7c)

    The Okta account will become locked yes, but all the applications would still be assigned to the user and not deactivated (if lifecycle management is being used). You could as part of the password policy allow the users account to become unlocked after a set amount of time (shown below in the password policy definition), and you can also enable a self-service user unlock capability.

     

    0EM2A000000Xpv1
    Expand Post

  • benjamin.l.campbell (numo LLC)

    I'm working on this same issue now.  I believe I have a fix and will update once tested.

  • 7sb5x (7sb5x)

    We are struggling with the same thing. Authentication attempts are processed before the policies that block locations, so anyone could fairly easily shut down the company by locking out every account. If the policies were evaluated before the authentication attempt, this wouldn't be an issue.

  • d67vz (d67vz)

    Srs,

    I am having the same issue here. I already have the # of attempts to lock out on AD higher than Okta, but still. As said, most of today's app are on the cloud, which creates a huge impact when okta is locked. So far the solution I found was blacklisted using the standad BlockedIpZone on Okta > Security > Network. My only concern by blocking specific IPs is a reactive action. It would be good if we could easily blacklist countries instead using other services to give us country ip's range.

    Expand Post

  • Admin-MattM.11539 (Customer)

    We actually just discovered the other day that it is possible to do country level blacklists. This feature doesn't seem to be enabled by default, you need to contact Okta to have it enabled for your org. After it's enabled, you will see the same blacklist checkbox on dynamic network zones.

    Selected as Best

  • 4iig6 (4iig6)

    Hi, getting hit with this same issue as well, where AD accounts are getting locked after being bombarded with malicious attempts from all over the world. How about if MFA is enabled and instead remove the 'lock account after X attempts' setting altogether? Wondering anyone's thoughts on that as a potential workaround to whitelist/blacklist countries which is probably impossible in our scenario unfortunately.

    Expand Post

  • Admin-MattM.11539 (Customer)

    I believe that removing the "lock account after X attempts" option will essentially give your attackers unlimited attempts on a dictionary/brute force attack. I think the way this is currently implemented is that the MFA challenge isn't initiated until AFTER the password has been successfully authenticated. So it would prevent user lockouts, but probably isn't a recommended security practice.

     

    There is a feature in Beta called Factor Sequencing that I think would allow you to customize the sequence to put the MFA challenge first, see here for more details: https://support.okta.com/help/s/beta?id=kA00Z000000TMtpSAG

    Expand Post
This question is closed.
Loading
Behavior of network zone restrictions