Vulnerability Development mailing list archives

RE: Another ISAPI filter : deny user authentication through IIS to users you want.


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 6 Mar 2002 11:44:03 -0500

Thinking a little more down this road... Take the site where NT auth is allowed along with anonymous (the default IIS
settings IIRC). Say also that there are zillions of web-servers that are members of domains. Say also, that many of
these have account lockout policies in place. How trivial would it be, given you've obtained a list of login names, to
DoS the network by brute-forcing the passwords on say... IUSR_Machinename, and any valid domain logins you may have?
Just perpetually loop through the login process sending "foo" at each user account ten times and move on to the next.

The question that comes to mind is... if a particular directory or site supports NT auth, but there are no ACLs in
place, can you hand-craft a form or POST operation that sends an authentication string that would then be handled by
the SAM?


<snip>
The facts:
* "Basic authentication" is widely used by IIS on the Internet
(IIS 4 and 5)
* NTFS permissions and user rights are granted to
administrators (and other users that never connect through the
Internet) 95% of the time

The problem:
A simple brute force attack on such servers may retrieve the administrator
password, which can be used in another exploit.

<snip>
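The sweep Keith describes (a few wrong passwords per account, then on to the next) has a recognisable footprint in the web server's own logs. The following detection is an added example, not code from the thread: it reads IIS W3C extended log lines (the sample below is constructed), and the thresholds and the assumption that failed Basic logons are recorded with the attempted user name are mine, to be tuned to a site's actual lockout policy.

```python
# Added example (not from the thread): flag the "few bad passwords per
# account, then move on" sweep that trips lockout policies, from IIS W3C
# extended log lines. SAMPLE_LOG is constructed data; thresholds are assumed.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-03-06 11:40:01 10.0.0.5 alice GET /secure/ 401
2002-03-06 11:40:01 10.0.0.5 alice GET /secure/ 401
2002-03-06 11:40:02 10.0.0.5 alice GET /secure/ 401
2002-03-06 11:40:02 10.0.0.5 bob GET /secure/ 401
2002-03-06 11:40:03 10.0.0.5 bob GET /secure/ 401
2002-03-06 11:40:03 10.0.0.5 bob GET /secure/ 401
2002-03-06 11:40:04 10.0.0.5 carol GET /secure/ 401
2002-03-06 11:40:04 10.0.0.5 carol GET /secure/ 401
2002-03-06 11:40:05 10.0.0.5 carol GET /secure/ 401
2002-03-06 11:41:10 10.0.0.9 alice GET /secure/ 401
2002-03-06 11:41:20 10.0.0.9 alice GET /secure/ 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_auth_sweeps(entries, attempts_per_account=3, min_accounts=3):
    """Return {c-ip: [accounts]} for sources with >= attempts_per_account
    401s against each of >= min_accounts distinct user names. Assumes the
    server records the attempted user name on failed Basic logons."""
    failures = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["sc-status"] == "401" and e["cs-username"] != "-":
            failures[e["c-ip"]][e["cs-username"]] += 1
    sweeps = {}
    for ip, per_user in failures.items():
        hit = sorted(u for u, n in per_user.items() if n >= attempts_per_account)
        if len(hit) >= min_accounts:
            sweeps[ip] = hit
    return sweeps

if __name__ == "__main__":
    for ip, accounts in find_auth_sweeps(parse_w3c(SAMPLE_LOG)).items():
        print(f"possible lockout sweep from {ip}: {', '.join(accounts)}")
```

The legitimate client at 10.0.0.9 (two tries, then success) is not flagged, while the source touching three accounts three times each is.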

