Vulnerability Development: Another ISAPI filter : deny user authentication through IIS to users you want.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Another ISAPI filter : deny user authentication through IIS to users you want.

From: "Bob at firstcodings" <bob () firstcodings com>
Date: Wed, 6 Mar 2002 00:55:24 +0100


 Hi members,

I wrote an ISAPI filter that _deny_ user authentication through IIS even if
NTFS permissions and user rights are _granted_.


The facts :
* "Basic authentication" is widely used by IIS on Internet (IIS 4 and 5)
* NTFS permissions and user rights are granted to administrators (and other
users that never connect through Internet) in 95% of the time

The problem :
A simple brute force attack to such servers may retreive administrator
password which can be used in another exploit.

The solution :
For such users, authentication through IIS __must be denied__ even if __NTFS
permissions and user rights are granted__.


I wrote an ISAPI filter that do this job (not only for "administrator"
user); the page can be found at
http://bob.firstcodings.com/programs/authentprotect/ (source code is
included). For now, please consider this filter as "beta release", so use it
at your own risk !

Email me at "authentProtect () firstcodings net" for any
comments/feedbacks/suggestions about this filter.


Bob - firstcodings.

By Date By Thread

Current thread:

Another ISAPI filter : deny user authentication through IIS to users you want. Bob at firstcodings (Mar 05)
- <Possible follow-ups>
- RE: Another ISAPI filter : deny user authentication through IIS to users you want. Keith T. Morgan (Mar 06)