Vulnerability Development: Another ISAPI filter : deny user authentication through IIS to users you want.

From: Bob at firstcodings <bob_at_firstcodings.com>
Date: Wed, 6 Mar 2002 00:55:24 +0100

Hi members,

I wrote an ISAPI filter that _denies_ user authentication through IIS even if
NTFS permissions and user rights are _granted_.

The facts :
* "Basic authentication" is widely used by IIS on the Internet (IIS 4 and 5)
* NTFS permissions and user rights are granted to administrators (and other
users that never connect through the Internet) in 95% of the time

The problem :
A simple brute force attack on such servers may retrieve the administrator
password, which can be used in another exploit.

The solution :
For such users, authentication through IIS __must be denied__ even if __NTFS
permissions and user rights are granted__.

I wrote an ISAPI filter that does this job (not only for the "administrator"
user); the page can be found at
http://bob.firstcodings.com/programs/authentprotect/ (source code is
included). For now, please consider this filter a "beta release", so use it
at your own risk!

Email me at "authentProtect_at_firstcodings.net" for any
comments/feedback/suggestions about this filter.

Bob - firstcodings.
Received on Mar 06 2002
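The mechanism the post describes, written out as an added example (my code, not the authentProtect source linked above): an ISAPI filter that intercepts the SF_NOTIFY_AUTHENTICATION step and refuses credentials for listed accounts before IIS ever checks them against the OS, so NTFS permissions on the account become irrelevant. The deny list, the "strip DOMAIN\ and ignore case" matching rule and the choice to answer 401 directly are assumptions; the portable check compiles anywhere, the IIS glue only under _WIN32.

```c
/* Added example, not the authentProtect filter: deny IIS authentication for
 * listed accounts regardless of their NTFS permissions. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Constructed deny list (assumption); a real filter would read it from config. */
static const char *const DENIED_USERS[] = { "Administrator", "IUSR_BACKUP", "svc_sql" };
#define DENIED_COUNT (sizeof DENIED_USERS / sizeof DENIED_USERS[0])
/* Windows account names are case-insensitive and may arrive as DOMAIN\user,
 * so normalise before comparing; "CORP\administrator" must still be caught. */
static int user_is_denied(const char *user)
{
    if (!user || !*user) return 0;          /* anonymous request: nothing to deny */
    const char *bs = strrchr(user, '\\');
    if (bs) user = bs + 1;                  /* drop the "DOMAIN\" prefix */
    for (size_t i = 0; i < DENIED_COUNT; i++) {
        const char *a = user, *b = DENIED_USERS[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
            a++, b++;
        if (*a == '\0' && *b == '\0') return 1;   /* full, exact-length match */
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <httpfilt.h>
BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
{
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    strcpy(pVer->lpszFilterDesc, "authentication deny-list filter (example)");
    /* Run early in the chain, on both HTTP and HTTPS ports. */
    pVer->dwFlags = SF_NOTIFY_AUTHENTICATION | SF_NOTIFY_ORDER_HIGH |
                    SF_NOTIFY_SECURE_PORT | SF_NOTIFY_NONSECURE_PORT;
    return TRUE;
}
DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD type, LPVOID pv)
{
    if (type == SF_NOTIFY_AUTHENTICATION) {
        PHTTP_FILTER_AUTHENT auth = (PHTTP_FILTER_AUTHENT)pv;
        if (user_is_denied(auth->pszUser)) {
            /* Answer 401 ourselves and finish the request: the credentials are
             * never passed to the OS, so even a correct password fails here. */
            pfc->ServerSupportFunction(pfc, SF_REQ_SEND_RESPONSE_HEADER,
                (PVOID)"401 Unauthorized", (ULONG_PTR)"Content-Type: text/plain\r\n\r\n", 0);
            return SF_STATUS_REQ_FINISHED;
        }
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
#endif
```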
