Hi members,

I wrote an ISAPI filter that _denies_ user authentication through IIS even if NTFS permissions and user rights are _granted_.

The facts:

* "Basic authentication" is widely used by IIS on the Internet (IIS 4 and 5)
* NTFS permissions and user rights are granted to administrators (and other users that never connect through the Internet) 95% of the time

The problem:

A simple brute force attack on such servers may retrieve the administrator password, which can be used in another exploit.

The solution:

For such users, authentication through IIS __must be denied__ even if __NTFS permissions and user rights are granted__.

I wrote an ISAPI filter that does this job (not only for the "administrator" user); the page can be found at http://bob.firstcodings.com/programs/authentprotect/ (source code is included).

For now, please consider this filter a "beta release", so use it at your own risk!

Email me at "authentProtectat_private" with any comments/feedback/suggestions about this filter.

Bob - firstcodings.
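The username check that a filter of this kind has to make on each Basic authentication request, as an added example that is not part of the original post and not the AuthentProtect source: it decodes the `Authorization` header, reduces `DOMAIN\user` and `user@domain` forms to the bare account name, and compares it case-insensitively against a deny list. The function name `auth_denied`, the deny-list entries and the sample headers are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Assumed deny list; "backup_svc" is a hypothetical second account. */
static const char *DENIED[] = { "administrator", "backup_svc" };

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Decode base64 up to '=' or NUL into out; returns length, -1 if malformed or too long. */
static int b64decode(const char *in, char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0 || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (char)((acc >> bits) & 0xFF); }
    }
    out[n] = '\0'; return (int)n;
}
/* Case-insensitive match of a[0..len) against the whole of b. */
static int name_eq(const char *a, size_t len, const char *b) {
    if (strlen(b) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}
/* 1 = refuse the request, 0 = let it through (non-Basic schemes are out of scope). */
int auth_denied(const char *header) {
    char buf[512];
    if (!header || !name_eq(header, 5, "basic") || header[5] != ' ') return 0;
    if (b64decode(header + 6, buf, sizeof buf) < 0) return 1; /* malformed: fail closed */
    char *colon = strchr(buf, ':');   /* user-id ends at the first colon */
    if (!colon) return 1;
    *colon = '\0';                    /* keep only the user part */
    char *user = strrchr(buf, '\\'); user = user ? user + 1 : buf; /* DOMAIN\user */
    size_t len = strcspn(user, "@");  /* user@domain -> user */
    for (size_t i = 0; i < sizeof DENIED / sizeof *DENIED; i++)
        if (name_eq(user, len, DENIED[i])) return 1;
    return 0;
}
int main(void) {  /* constructed headers: "CORP\Administrator:pw" and "alice:pw" */
    printf("%d %d\n", auth_denied("Basic Q09SUFxBZG1pbmlzdHJhdG9yOnB3"),
           auth_denied("Basic YWxpY2U6cHc="));
    return 0;
}
```

Matching on the normalized account name matters because Windows treats `Administrator`, `administrator` and `CORP\Administrator` as the same account, so a literal string comparison would leave the deny list trivially bypassable.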
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 19:27:38 PST