This repository has been archived by the owner on Aug 4, 2024. It is now read-only.
Request rate limiting
Ryan Newington edited this page Jul 1, 2018
To protect your LAPS passwords from mass enumeration, it is recommended that you configure rate limiting.

The LAPS web app allows you to limit requests by IP address, by user, or both. Rate limiting is controlled by the `<rate-limit-user>` and `<rate-limit-ip>` elements in the `web.config` file:

```xml
<lithnet-laps>
  <rate-limit-user enabled="true" requestsPerMinute="10" requestsPerHour="50" requestsPerDay="100"/>
  <rate-limit-ip enabled="true" requestsPerMinute="10" requestsPerHour="50" requestsPerDay="100" rateLimitOnXffIP="false" />
  ...
</lithnet-laps>
```
Parameter | Allowed values | Description
---|---|---
`enabled` | `true`, `false` | Turns on rate limiting. The default value is `true`.
`requestsPerMinute` | An integer greater than zero | The number of requests allowed per minute. The default value is 10.
`requestsPerHour` | An integer greater than zero | The number of requests allowed per hour. The default value is 50.
`requestsPerDay` | An integer greater than zero | The number of requests allowed per day. The default value is 100.
`rateLimitOnXffIP` | `true`, `false` | Uses the IP address in the `X-Forwarded-For` header when considering rate limiting. Only turn this on if your LAPS server is behind a load balancer or firewall that supports this header. Otherwise a malicious client could spoof this header to get around the IP rate limiting.
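The following is an added illustration of how the settings in this table combine, written for this page and not taken from the Lithnet LAPS code base. It parses a `<lithnet-laps>` fragment of the shape shown above, applies the per-minute, per-hour and per-day limits as sliding windows keyed by user or by client IP, and shows why `rateLimitOnXffIP` must stay off unless a trusted proxy sets the header: the function, class and parameter names (`parse_limits`, `RateLimiter`, `client_ip_for`, `simulate`, `interval`) are assumptions, and the config text and addresses are constructed sample values. It assumes, when `rateLimitOnXffIP` is enabled, exactly one trusted proxy in front of the app that appends the connecting client's address to `X-Forwarded-For`.

```python
"""Model of multi-window rate limiting keyed by user or by client IP.

Added example, not Lithnet LAPS code. All names and sample values are
assumptions constructed for illustration.
"""
from collections import defaultdict, deque
import xml.etree.ElementTree as ET

# Constructed config fragment in the shape documented on this page.
CONFIG_XML = """
<lithnet-laps>
  <rate-limit-user enabled="true" requestsPerMinute="10" requestsPerHour="50" requestsPerDay="100"/>
  <rate-limit-ip enabled="true" requestsPerMinute="10" requestsPerHour="50" requestsPerDay="100" rateLimitOnXffIP="false"/>
</lithnet-laps>
"""

# (attribute name, window length in seconds)
WINDOWS = (("requestsPerMinute", 60), ("requestsPerHour", 3600), ("requestsPerDay", 86400))


def parse_limits(xml_text, element):
    """Read one <rate-limit-user> or <rate-limit-ip> element into a dict."""
    el = ET.fromstring(xml_text).find(element)
    return {
        "enabled": el.get("enabled", "true").lower() == "true",
        "limits": {secs: int(el.get(attr)) for attr, secs in WINDOWS},
        "rateLimitOnXffIP": el.get("rateLimitOnXffIP", "false").lower() == "true",
    }


class RateLimiter:
    """Sliding-window limiter: a deque of request timestamps per key."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.history = defaultdict(deque)

    def allow(self, key, now):
        """Return True and record the request if every window is under its limit."""
        if not self.cfg["enabled"]:
            return True
        q = self.history[key]
        # Discard timestamps outside the longest window (one day).
        while q and now - q[0] >= 86400:
            q.popleft()
        for secs, limit in self.cfg["limits"].items():
            if sum(1 for t in q if now - t < secs) >= limit:
                return False  # this window is already full
        q.append(now)
        return True


def client_ip_for(remote_addr, headers, trust_xff):
    """Choose the address to rate-limit on.

    X-Forwarded-For is honoured only when the operator has said a trusted
    proxy sets it; otherwise it is client-controlled and ignored. With one
    trusted proxy, the rightmost entry is the one that proxy appended, so
    anything a client put in front of it is not used (assumption).
    """
    if trust_xff:
        xff = headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


def simulate(n_requests, cfg, remote_addr, header_fn, interval=0.1):
    """Send n requests `interval` seconds apart from one TCP peer; count how many pass."""
    limiter = RateLimiter(cfg)
    allowed = 0
    for i in range(n_requests):
        ip = client_ip_for(remote_addr, header_fn(i), cfg["rateLimitOnXffIP"])
        if limiter.allow(ip, now=i * interval):
            allowed += 1
    return allowed


if __name__ == "__main__":
    cfg = parse_limits(CONFIG_XML, "rate-limit-ip")
    rotating = lambda i: {"X-Forwarded-For": f"198.51.100.{i}"}
    # Header ignored (default): a burst from one peer is capped at 10 per minute.
    print("XFF ignored :", simulate(30, cfg, "203.0.113.5", rotating))
    # Header trusted without a proxy: every request looks like a new client.
    print("XFF trusted :", simulate(30, dict(cfg, rateLimitOnXffIP=True), "203.0.113.5", rotating))
    # Slow, steady traffic still hits the hourly cap.
    print("hourly cap  :", simulate(360, cfg, "203.0.113.5", lambda i: {}, interval=10.0))
```

The per-user limiter is the same class keyed by the authenticated username instead of the address, so a single account hammering the endpoint is capped even when its requests arrive from many source IPs, and a single IP cycling through many accounts is capped by the IP limiter.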
Always take a backup of your web.config file before and after making any changes. A malformed web.config file will stop your web site from loading. If this happens, check the event log for the specific details of the problem or roll back the file to a known-good version.
You should also keep a backup copy of your working web.config file. It is easy to accidentally overwrite it when deploying a new version of the web application.