Another ISAPI filter : deny user authentication through IIS to users you want.

["Bob at firstcodings" <bob () firstcodings com>]

 Hi members,

I wrote an ISAPI filter that _deny_ user authentication through IIS even if
NTFS permissions and user rights are _granted_.


The facts :
* "Basic authentication" is widely used by IIS on Internet (IIS 4 and 5)
* NTFS permissions and user rights are granted to administrators (and other
users that never connect through Internet) in 95% of the time

The problem :
A simple brute force attack to such servers may retreive administrator
password which can be used in another exploit.

The solution :
For such users, authentication through IIS __must be denied__ even if __NTFS
permissions and user rights are granted__.


I wrote an ISAPI filter that do this job (not only for "administrator"
user); the page can be found at
http://bob.firstcodings.com/programs/authentprotect/ (source code is
included). For now, please consider this filter as "beta release", so use it
at your own risk !

Email me at "authentProtect () firstcodings net" for any
comments/feedbacks/suggestions about this filter.


Bob - firstcodings.