Vulnerability Development mailing list archives
Another ISAPI filter : deny user authentication through IIS to users you want.
From: "Bob at firstcodings" <bob () firstcodings com>
Date: Wed, 6 Mar 2002 00:55:24 +0100
Hi members, I wrote an ISAPI filter that _deny_ user authentication through IIS even if NTFS permissions and user rights are _granted_. The facts : * "Basic authentication" is widely used by IIS on Internet (IIS 4 and 5) * NTFS permissions and user rights are granted to administrators (and other users that never connect through Internet) in 95% of the time The problem : A simple brute force attack to such servers may retreive administrator password which can be used in another exploit. The solution : For such users, authentication through IIS __must be denied__ even if __NTFS permissions and user rights are granted__. I wrote an ISAPI filter that do this job (not only for "administrator" user); the page can be found at http://bob.firstcodings.com/programs/authentprotect/ (source code is included). For now, please consider this filter as "beta release", so use it at your own risk ! Email me at "authentProtect () firstcodings net" for any comments/feedbacks/suggestions about this filter. Bob - firstcodings.
Current thread:
- Another ISAPI filter : deny user authentication through IIS to users you want. Bob at firstcodings (Mar 05)
- <Possible follow-ups>
- RE: Another ISAPI filter : deny user authentication through IIS to users you want. Keith T. Morgan (Mar 06)