9.2 Configuring Google reCAPTCHA

The Google reCAPTCHA tool helps protect your user login page against spam, malicious registrations, and other forms of attack where computers disguise themselves as humans. It provides an additional layer of security by displaying images of words that users must type in addition to their login credentials. Software bots typically cannot scan the images to provide a response.

Using reCAPTCHA helps prevent automated Denial of Service (DoS) attacks that can impact the performance of the appliance and the identity source. The tool uses the remote Google reCAPTCHA service to provide the images and verify the responses. If a response succeeds, the appliance verifies the user’s authentication credentials against the identity source. If a response fails, the appliance fails the login attempt without processing the credentials, and re-displays the login page. Thus, the automated login attempts fail and cannot consume the processing resources of the appliance and identity source.

Use the information in the following sections to configure your system for reCAPTCHA:

9.2.1 Requirements for reCAPTCHA

Ensure that your system meets the following requirements before you configure the Google reCAPTCHA tool:

  • A CloudAccess appliance, installed and configured.

  • One or more supported identity sources, with the connectors enabled and configured.

    The reCAPTCHA tool supports users from Active Directory, eDirectory, and Self-Service User Store (SSUS) identity sources. It does not support users from other types of identity sources, such as users imported from Microsoft SQL Server or Oracle Database type identity sources that use the JDBC identity source connector.

    Each identity source should be configured with an intrusion detection policy. For more information, see Configuring Intrusion Detection for Failed Logins.

  • A Google reCAPTCHA account, configured on the Google reCAPTCHA website. For more information, see Configuring a Google reCAPTCHA Account.

9.2.2 Configuring Intrusion Detection for Failed Logins

A user who submits more than a few unsuccessful passwords while trying to log on to your system might be a malicious user. reCAPTCHA cannot prevent attacks by anyone who can read the image, because it cannot differentiate between malicious users and legitimate users. Using reCAPTCHA therefore cannot prevent coordinated human DoS attacks, and if users have unlimited attempts to enter their authentication credentials, it also cannot help prevent password-guessing attacks.

To limit the effectiveness of brute-force or human attacks that bypass the reCAPTCHA protection, configure the user’s identity source to respond to this type of potential attack by disabling the account for a preset period of time after a specified number of failed logon attempts.

The supported identity sources have the following built-in intrusion detection systems:

  • Active Directory Account Lockout Policy: Active Directory allows you to specify an account lockout policy for users and global security groups in a domain. Set the policy on the domain group policy object from the domain controller.

    To configure the Account Lockout Policy settings:

    1. Log in as an Active Directory administrator user to the Windows Server that hosts Active Directory Domain Services (the domain controller).

    2. Configure the Account Lockout Policy on the group policy object for the domain controller.

      For more information, see the Account Lockout Policy in the Microsoft TechNet Library.

    3. Verify that the Account Lockout Threshold value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

    4. Repeat these steps for each configured Active Directory identity source.

  • eDirectory Intruder Lockout Policy: eDirectory allows you to enable Intruder Detection and specify an Intruder Lockout policy for the container object where your user objects reside.

    To configure the eDirectory Intruder Detection and Intruder Lockout Policy:

    1. Log in as the eDirectory administrator user to the management console for the eDirectory server.

    2. Configure Intruder Detection and the Intruder Lockout policy on the container object where your user objects reside.

      For more information, see Setting Up Intruder Detection for All Users in a Container in the eDirectory 8.8 SP8 Administration Guide.

    3. Verify that the Intruder Lockout value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

    4. Repeat these steps for each configured eDirectory identity source.

  • SSUS Lock Account After Detection: The SSUS identity store automatically enables the Lock Account After Detection option. It allows up to 7 consecutive failed login attempts within a 30-minute interval. If the next login attempt also fails within the interval, SSUS locks the account for 15 minutes. After 15 minutes, the system automatically unlocks the account, and the user can log in using a correct user name and password. To log in before the lockout is reset, the user can contact the SSUS Help Desk and ask the administrator to reset the password.

After you have configured intrusion detection for the supported identity sources, continue with Configuring a Google reCAPTCHA Account.

9.2.3 Configuring a Google reCAPTCHA Account

Before you configure the Google reCAPTCHA tool, you must configure an account to use for your domain at Google reCAPTCHA, and create a public and private key.

To configure a Google reCAPTCHA account to use for your appliance’s domain:

  1. Access the Google reCAPTCHA website.

  2. Click Get reCAPTCHA > Sign up Now.

  3. Log in using one of your Google accounts.

    For example, if you use your Gmail account, the reCAPTCHA account is associated with the Gmail account.

  4. (Conditional) If this is not your first site, click Add a New Site. Otherwise, skip to the next step.

  5. Specify a domain.

    Read the Tips for more information.

  6. Click Create to add the domain.

  7. Copy the Public Key and Private Key that the interface displays to use when you configure the identity source.

  8. Continue with Configuring the reCAPTCHA Tool.

9.2.4 Configuring the reCAPTCHA Tool

Before you configure the Google reCAPTCHA tool, you must set up intruder detection in the Active Directory and eDirectory identity sources, and create public and private keys for your appliance’s domain at the Google reCAPTCHA website.

To configure the reCAPTCHA service:

  1. Using the identity source’s native management tools, verify that its intrusion detection setup meets the requirements specified in Configuring Intrusion Detection for Failed Logins.

  2. Log in with an appliance administrator account to the administration console at

    https://appliance_dns_name/appliance/index.html

  3. In the Identity Sources panel, verify that you have configured an identity source for Active Directory or eDirectory, or both.

  4. Drag the reCAPTCHA tool from the Tools palette to the Tools panel.

  5. Configure the reCAPTCHA feature as follows:

    Start reCAPTCHA at: Specify how many failed login attempts must occur before the login page displays the reCAPTCHA prompt. The value should be less than the lockout value set in the identity sources’ intrusion detection system.

    • If the reCAPTCHA count is set to zero, the login page displays a reCAPTCHA prompt every time for all users. Every login requires user credentials and the reCAPTCHA response.

    • If the reCAPTCHA count is greater than zero, the login page displays the reCAPTCHA prompt only after the user login fails the specified number of times in the same browser window.

    Public Key: Paste the Public Key value from your reCAPTCHA account configuration for this appliance’s domain.

    Private Key: Paste the Private Key value from your reCAPTCHA account configuration for this appliance’s domain.

    For information about the public and private keys for your reCAPTCHA account, see Configuring a Google reCAPTCHA Account.

  6. Click OK to save the settings and enable the tool.

  7. Click Apply to activate the configuration.

  8. Wait while the service is activated across all nodes in the cluster. Do not attempt other configuration actions until the activation completes successfully.
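The following Python model is an added illustration, not CloudAccess product code, of the two rules this section and Configuring Intrusion Detection for Failed Logins describe: the appliance verifies the reCAPTCHA response before it processes credentials, and Start reCAPTCHA at must be lower than every identity source’s lockout threshold so that the prompt appears before an account is locked. The identity-source names and the Active Directory and eDirectory lockout values are constructed; only the SSUS value (7 consecutive failures) comes from the page. The per-browser-session failure counter mirrors the page’s note that the count applies to the same browser window.

```python
"""Model of the reCAPTCHA/lockout interplay described in this section.
Added example; not the appliance's implementation."""
from dataclasses import dataclass, field

# Constructed lockout thresholds per identity source. "ad-corp" and
# "edir-corp" are hypothetical administrator-set values; SSUS is fixed by
# the product at 7 consecutive failures within 30 minutes.
IDENTITY_SOURCE_LOCKOUT = {
    "ad-corp": 10,   # hypothetical Account Lockout Threshold
    "edir-corp": 5,  # hypothetical Intruder Lockout value
    "ssus": 7,       # SSUS Lock Account After Detection
}


def check_recaptcha_threshold(start_recaptcha_at: int, lockouts: dict) -> list:
    """Return identity sources whose lockout threshold is NOT higher than
    'Start reCAPTCHA at'. For those sources the account would be locked
    before the reCAPTCHA prompt is ever shown, violating the requirement
    stated in the intrusion-detection setup steps."""
    return [name for name, limit in lockouts.items() if limit <= start_recaptcha_at]


@dataclass
class LoginGate:
    """Login decision flow: reCAPTCHA first, then lockout, then credentials."""
    start_recaptcha_at: int
    lockout_threshold: int
    session_failures: dict = field(default_factory=dict)  # per browser session
    account_failures: dict = field(default_factory=dict)  # held by identity source
    locked: set = field(default_factory=set)

    def requires_recaptcha(self, session: str) -> bool:
        # A value of 0 means the prompt is shown on every login attempt.
        return self.session_failures.get(session, 0) >= self.start_recaptcha_at

    def login(self, session: str, user: str, password_ok: bool,
              recaptcha_ok: bool = False) -> str:
        # 1. Failed reCAPTCHA: reject without touching the identity source.
        if self.requires_recaptcha(session) and not recaptcha_ok:
            return "recaptcha-failed"
        # 2. The identity source rejects accounts it has already locked.
        if user in self.locked:
            return "locked"
        # 3. Only now are the credentials checked against the identity source.
        if password_ok:
            self.session_failures[session] = 0
            self.account_failures[user] = 0
            return "ok"
        self.session_failures[session] = self.session_failures.get(session, 0) + 1
        self.account_failures[user] = self.account_failures.get(user, 0) + 1
        if self.account_failures[user] >= self.lockout_threshold:
            self.locked.add(user)
            return "locked"
        return "bad-credentials"


def simulate_bot(start_recaptcha_at: int, lockout_threshold: int, attempts: int):
    """Drive a scripted bot (wrong password, cannot read the image) through
    the gate and report the outcomes, the identity source's failure count for
    the targeted account, and whether the account ended up locked."""
    gate = LoginGate(start_recaptcha_at, lockout_threshold)
    results = [gate.login("bot-session", "alice", password_ok=False, recaptcha_ok=False)
               for _ in range(attempts)]
    return results, gate.account_failures.get("alice", 0), "alice" in gate.locked


if __name__ == "__main__":
    # Correct ordering: prompt at 3, lockout at 5. The bot is stopped at the
    # reCAPTCHA step and the identity source never locks the real user out.
    print(simulate_bot(3, 5, 8))
    # Misconfiguration: prompt at 5, lockout at 3. The account locks before
    # the prompt appears, so the bot achieves a denial of service on "alice".
    print(simulate_bot(5, 3, 5))
    print(check_recaptcha_threshold(7, IDENTITY_SOURCE_LOCKOUT))
```

Run the module directly to see both orderings side by side; `check_recaptcha_threshold` is the pre-flight check to run against your own lockout values before entering Start reCAPTCHA at in the tool.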