From: Bob at firstcodings (bobfirstcodings.com)
Date: Tue Mar 05 2002 - 17:55:24 CST

Hi members,

I wrote an ISAPI filter that _denies_ user authentication through IIS even if
NTFS permissions and user rights are _granted_.

The facts:
* "Basic authentication" is widely used by IIS on the Internet (IIS 4 and 5)
* NTFS permissions and user rights are granted to administrators (and other
  users that never connect through the Internet) 95% of the time

The problem:
A simple brute force attack on such servers may retrieve the administrator
password, which can then be used in another exploit.

The solution:
For such users, authentication through IIS __must be denied__ even if __NTFS
permissions and user rights are granted__.

I wrote an ISAPI filter that does this job (not only for the "administrator"
user); the page can be found at
http://bob.firstcodings.com/programs/authentprotect/ (source code is
included). For now, please consider this filter a "beta release", so use it
at your own risk!

Email me at "authentProtectfirstcodings.net" for any
comments/feedback/suggestions about this filter.

Bob - firstcodings.
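As an added illustration of the approach described in the post (this is not Bob's authentProtect code, which is at the URL above): an ISAPI filter that handles SF_NOTIFY_AUTHENTICATION, the notification IIS raises when it is about to verify a Basic credential, and refuses listed accounts before the password is ever checked, so a brute-forcer gets the same 401 for right and wrong guesses. The denied-account list, the sample user names and the "authdeny" name are made up for the example. The Windows entry points are guarded with _WIN32 and need the IIS SDK header httpfilt.h to build; the decision logic above them is plain C and runs anywhere.

```c
/*
 * authdeny_example.c: deny IIS authentication for listed accounts before IIS
 * checks their password. Added example, not the authentProtect filter from
 * the post. The portable decision logic compiles anywhere; the ISAPI entry
 * points at the bottom need the IIS SDK header httpfilt.h and a Windows build.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accounts that must never authenticate through IIS, whatever their NTFS
 * permissions. Constructed list for this example; a real filter would load
 * it from the registry or a config file. Names are matched case-insensitively,
 * as Windows account names are. */
static const char *const DENIED_USERS[] = { "Administrator", "webadmin", NULL };

/* Case-insensitive ASCII string equality (portable; no stricmp needed). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Basic auth clients may send "DOMAIN\user"; return the part after the last
 * backslash so a domain prefix cannot be used to dodge the list. */
const char *strip_domain(const char *user)
{
    const char *bs = strrchr(user, '\\');
    return bs ? bs + 1 : user;
}

/* 1 = refuse this credential outright, 0 = let IIS go on to verify it.
 * Anonymous requests carry an empty user name and are not a credential. */
int auth_should_deny(const char *user)
{
    char name[256];
    const char *p, *at;
    size_t n, i;

    if (user == NULL || *user == '\0')
        return 0;
    p = strip_domain(user);
    at = strchr(p, '@');                 /* UPN form user@domain: keep user part */
    n = at ? (size_t)(at - p) : strlen(p);
    if (n >= sizeof name)
        return 1;                        /* no real account is this long: fail closed */
    memcpy(name, p, n);
    name[n] = '\0';
    for (i = 0; DENIED_USERS[i] != NULL; i++)
        if (ieq(name, DENIED_USERS[i]))
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <httpfilt.h>

BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
{
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    strncpy(pVer->lpszFilterDesc, "authdeny example", SF_MAX_FILTER_DESC_LEN);
    /* Ask for the authentication notification on HTTP and HTTPS alike. */
    pVer->dwFlags = SF_NOTIFY_ORDER_HIGH | SF_NOTIFY_SECURE_PORT |
                    SF_NOTIFY_NONSECURE_PORT | SF_NOTIFY_AUTHENTICATION;
    return TRUE;
}

DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificationType,
                            LPVOID pvNotification)
{
    if (notificationType == SF_NOTIFY_AUTHENTICATION) {
        PHTTP_FILTER_AUTHENT pAuth = (PHTTP_FILTER_AUTHENT)pvNotification;
        if (auth_should_deny(pAuth->pszUser)) {
            /* Reject here, before IIS calls LogonUser: the password is never
             * checked, so a brute-forcer learns nothing about the account. */
            pfc->ServerSupportFunction(pfc, SF_REQ_SEND_RESPONSE_HEADER,
                                       (PVOID)"401 Unauthorized",
                                       (ULONG_PTR)"Content-Length: 0\r\n\r\n", 0);
            return SF_STATUS_REQ_FINISHED;
        }
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
#endif

/* Stand-alone check of the decision logic on constructed user names. */
int main(void)
{
    const char *samples[] = { "Administrator", "CORP\\administrator",
                              "administrator@corp.example", "bob", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               auth_should_deny(samples[i]) ? "DENY" : "pass to IIS");
    return 0;
}
```

Build the DLL against the IIS SDK and register it in the site's (or the global) ISAPI Filters list. Two caveats a deployer should know: the list keys on the name the client sends, so a renamed built-in Administrator has to be listed under its new name (matching by SID would need LookupAccountName and is not shown here), and the filter only closes the password-guessing oracle for the listed accounts; Basic authentication still sends every other user's password in the clear unless the site is on HTTPS.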