From: Nicholas Staff (nstaff at ANGELSIN.COM)
Date: Tue Apr 17 2001 - 20:27:28 CDT
Description:
The IUSR_COMPUTERNAME account is governed by account lockout policies
and can be locked out. This is the default account used by IIS for
anonymous web access and when it is locked out anonymous access is
denied. Any IIS server with a lockout policy that can be made to prompt
for authentication is vulnerable. Additionally nearly every
Internal/Corporate web site running on IIS can be shut down by any
employee on their network.
Steps to reproduce:
Server Setup:
- Configure a machine with NT 4.0 Server and the name EXAMPLENAME
- Configure a static IP address (for this example 192.168.0.1)
- Install IIS and configure it to host a web site (use default settings)
- Ensure the account IIS uses for anonymous access is left at the
default IUSR_EXAMPLENAME
- Configure the machine's Account Lockout Policy as follows:
Account lockout duration: 0
Account lockout threshold: 3
Reset account lockout counter after: 60 minutes
Client Setup:
- Configure a machine with NT 4.0 Workstation (for simplicity place it
on same network segment as the server with an IP of 192.168.0.2)
- Make a new local account named uniqueusername
- Log off and then back on as this new user
- Go to start > run and type "\\192.168.0.1\admin$" without quotes
- When prompted for a Username/password use: IUSR_EXAMPLENAME for the
username and for the password type "ytur679ftr7git9g7" (or anything
equally absurd)
- Repeat the last 2 steps 4 times
- Open IE and in the address bar type: http://192.168.0.1
- You will receive an error page telling you access has been denied
Microsoft Security was contacted and states this is intended
functionality.
Thanks,
Nicholas Staff
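The procedure above is, from the server's side, a short burst of failed logons against the anonymous IIS account followed by a lockout. The following detector is an added example written for this archive page, not code from the original post or from Microsoft: it replays the reported lockout policy (threshold 3, counter reset after 60 minutes, duration 0 meaning locked until an administrator unlocks) over simplified, constructed log records and raises an alert as soon as an IUSR_ account would be locked. The line format, the workstation names and the IP 192.168.0.7 are assumptions made for the sample; the event IDs follow the NT convention of 529 for a bad password and 539 for a logon refused because the account is already locked.

```python
"""Replay an NT-style account lockout policy over logon-failure records
and alert when an IIS anonymous account (IUSR_*) would be locked out.

Added example for this page; not code from the original post."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed, simplified records (not real NT 4.0 Security Log output):
# time,event_id,account,source_workstation,source_ip
SAMPLE_LOG = """\
2001-04-17 20:01:10,529,IUSR_EXAMPLENAME,WKS02,192.168.0.2
2001-04-17 20:01:25,529,IUSR_EXAMPLENAME,WKS02,192.168.0.2
2001-04-17 20:01:41,529,IUSR_EXAMPLENAME,WKS02,192.168.0.2
2001-04-17 20:02:03,539,IUSR_EXAMPLENAME,WKS02,192.168.0.2
2001-04-17 20:05:00,529,alice,WKS07,192.168.0.7
2001-04-17 21:30:00,529,alice,WKS07,192.168.0.7
"""

BAD_PASSWORD = 529   # NT logon failure: unknown user name or bad password
LOCKED_OUT = 539     # NT logon failure: account currently locked out


@dataclass
class LogonFailure:
    when: datetime
    event_id: int
    account: str
    workstation: str
    source_ip: str


@dataclass
class LockoutPolicy:
    """Mirrors the policy in the report: 3 failures, 60-minute reset, duration 0."""
    threshold: int = 3
    reset_after: timedelta = timedelta(minutes=60)
    duration: Optional[timedelta] = None  # None == NT "0": locked until an admin unlocks


@dataclass
class Alert:
    account: str
    source_ip: str
    first_failure: datetime
    locked_at: datetime
    confirmed: bool = False  # set once a 539 shows the lockout actually took effect


def parse_log(text: str) -> List[LogonFailure]:
    """Parse the constructed CSV-style records into LogonFailure objects."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, eid, acct, wks, ip = line.split(",")
        out.append(LogonFailure(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                int(eid), acct, wks, ip))
    return out


def detect_lockouts(events: List[LogonFailure], policy: LockoutPolicy,
                    account_prefix: str = "IUSR_") -> List[Alert]:
    """Replay the lockout counter per account and alert when it hits the threshold.

    The counter is reset when more than policy.reset_after has elapsed since the
    previous failure, which is how NT's "reset counter after" setting behaves.
    Pass account_prefix="" to watch every account instead of only IUSR_*.
    """
    # account -> (bad_count, last_failure, first_failure_in_window)
    counters: Dict[str, tuple] = {}
    alerts: Dict[str, Alert] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.account.upper().startswith(account_prefix.upper()):
            continue
        if ev.event_id == LOCKED_OUT:
            if ev.account in alerts:
                alerts[ev.account].confirmed = True
            continue
        if ev.event_id != BAD_PASSWORD:
            continue
        count, last, first = counters.get(ev.account, (0, None, None))
        if last is not None and ev.when - last > policy.reset_after:
            count, first = 0, None          # window expired: counter resets
        count += 1
        first = first or ev.when
        counters[ev.account] = (count, ev.when, first)
        if count >= policy.threshold and ev.account not in alerts:
            alerts[ev.account] = Alert(ev.account, ev.source_ip, first, ev.when)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_lockouts(parse_log(SAMPLE_LOG), LockoutPolicy()):
        print(f"{alert.account} locked at {alert.locked_at} by {alert.source_ip} "
              f"(first failure {alert.first_failure}, confirmed={alert.confirmed})")
```

On the sample the burst from 192.168.0.2 trips the alert at the third bad password, and the following 539 confirms that anonymous web access is now being refused; alice's two failures 85 minutes apart fall outside the 60-minute reset window and never count to three, so widening the prefix to every account adds nothing. In practice the same logic is worth running with an empty prefix as well, since any renamed anonymous account is just as lockable as the default IUSR_COMPUTERNAME.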