|
Home > Archive > IIS Server Security > July 2006 > how can I stop attempted logons by hackers through IIS?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
how can I stop attempted logons by hackers through IIS?
|
|
| mrecomm101 2006-07-03, 12:40 pm |
| I am running Windows Server 2003. I'm getting tens of thousands of scripted
attempts to logon through IIS. I've got green checks all through my Baseline
Security Analyser and I'm running Windows Firewall. I get this event:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SERVER NAME
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAG
E_V1_0
Workstation Name: SERVER NAME
Caller User Name: SERVER NAME
Caller Domain: XXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 284
Transited Services: -
Source Network Address: -
Source Port: -
These attempts have not been successful, but that doesn't mean they can't be
in the future. Any suggestions on how I can button this hole up?
Thanks!
| |
| Roger Abell [MVP] 2006-07-07, 1:20 am |
| It helps, believe it or not, when a message is posted in its original
rather than editied form. Due to this it is not possible to help you
out as to from where the attempts originate.
However, the logon type shows that this is an attempt at clear text,
basic authentication. That should never be happening if all of your
web content is anonymously browsable. If some is supposed to
be restricted access, and basic authN is needed, then there is not
much you can do, as IIS would be exposing what is needed.
If you have a specific real pest doing this, then block their origin
IP is about all you could try to do.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"mrecomm101" <mrecomm101@discussions.microsoft.com> wrote in message
news:48415347-97CC-47D1-905C-B16CD2062927@microsoft.com...
>I am running Windows Server 2003. I'm getting tens of thousands of scripted
> attempts to logon through IIS. I've got green checks all through my
> Baseline
> Security Analyser and I'm running Windows Firewall. I get this event:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: SERVER NAME
> Logon Type: 8
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: SERVER NAME
> Caller User Name: SERVER NAME
> Caller Domain: XXXXX
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 284
> Transited Services: -
> Source Network Address: -
> Source Port: -
> These attempts have not been successful, but that doesn't mean they can't
> be
> in the future. Any suggestions on how I can button this hole up?
>
> Thanks!
|
|
|
|
|