failed login attempts

gary

Dec 31, 2007
Archived from groups: microsoft.public.win2000.security (More info?)

We have been receiving many failed login attempts by
unknown users, recorded in our security event logs on our
web server. We only allow traffic to flow through ports 80
and 443 inbound on our perimeter firewall. Outbound
traffic is restricted to DNS queries only. The servers have
been hardened and patches applied.
What we want to try to discover is what is
actually allowing somebody to enter login credentials as
there isn't as far as we are aware anywhere on the site
that permits this. Is there any way of finding this hole?
Many thanks in advance
 
Guest

Hi Gary.

I would verify that your firewalls are still configured correctly and that file and
print sharing is not enabled on those servers - particularly the external adapters.
After that you may be able to find some info in your IIS logs by correlating them
with the times of the failed logon attempts. I do not have much experience with
IIS and suggest you also post in the Microsoft.public.inetserver.iissecurity
newsgroup. My guess is if they do not have file and print sharing access, they are
somehow trying to access files that are not authorized for anonymous internet
connections. I know it is highly recommended that the IIS Lockdown tool, which will also
run Urlscan, be implemented on any IIS server after backing it up along with the IIS
configuration. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

"Gary" <anonymous@discussions.microsoft.com> wrote in message
news:a2d201c47947$8e53c4f0$a501280a@phx.gbl...
> We have been receiving many failed login attempts by
> unknown users, recorded in our security event logs on our
> web server. We only allow traffic to flow through ports 80
> and 443 inbound on our perimeter firewall. Outbound
> traffic is restricted to DNS queries only. The servers have
> been hardened and patches applied.
> What we want to try to discover is what is
> actually allowing somebody to enter login credentials as
> there isn't as far as we are aware anywhere on the site
> that permits this. Is there any way of finding this hole?
> Many thanks in advance
 

gary


Hi Steve

Firewalls are still configured correctly and file and
print sharing is not enabled. IIS Lockdown has been run
and Urlscan has been implemented. I have also figured that
it is probably a page with no anonymous access. Do you
know if there are any tools to find this sort of page?
Many thanks --- Gary
 
Guest

Hi Gary. Not offhand. The folks in the IIS Security newsgroup may be able to help out
with that. Maybe log entries can give a clue. Good luck. --- Steve


"Gary" <anonymous@discussions.microsoft.com> wrote in message
news:c02c01c47a08$5b8a64e0$a401280a@phx.gbl...
> Hi Steve
>
> Firewalls are still configured correctly and file and
> print sharing is not enabled. IIS Lockdown has been run
> and Urlscan has been implemented. I have also figured that
> it is probably a page with no anonymous access. Do you
> know if there are any tools to find this sort of page?
> Many thanks --- Gary
>
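
The log correlation suggested in this thread can be scripted. The following is an added example, not code from either poster: it reads an IIS W3C extended log, keeps the 401 responses, and reports which URLs and client addresses line up with failed logon times taken from the Security event log. It assumes the log has the fields shown in its `#Fields` line enabled and that IIS writes W3C times in UTC while the event log shows local time; the function names, sample log lines and timestamps are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log (times are UTC in this format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-08-03 09:15:02 203.0.113.7 - GET /default.asp 200
2004-08-03 09:15:40 203.0.113.9 - GET /reports/admin.asp 401
2004-08-03 09:15:41 203.0.113.9 admin GET /reports/admin.asp 401
2004-08-03 09:20:10 203.0.113.7 - GET /images/logo.gif 200
2004-08-03 11:02:17 198.51.100.4 guest GET /reports/admin.asp 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated or malformed line
            row = dict(zip(fields, values))
            stamp = row["date"] + " " + row["time"]
            row["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def urls_behind_failed_logons(log_text, failures_local, utc_offset_hours=0,
                              window_seconds=5):
    """Count 401 responses per (URL, client IP) close in time to a failed logon."""
    window = timedelta(seconds=window_seconds)
    # Convert event-log local times to UTC so they compare with the IIS log.
    failures_utc = [t - timedelta(hours=utc_offset_hours) for t in failures_local]
    hits = Counter()
    for row in parse_w3c(log_text):
        if row.get("sc-status") != "401":
            continue  # only requests that demanded credentials are of interest
        if any(abs(row["when"] - f) <= window for f in failures_utc):
            hits[(row["cs-uri-stem"], row["c-ip"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    # Constructed failed-logon times from the Security log (local time, UTC+1).
    failures = [datetime(2004, 8, 3, 10, 15, 41), datetime(2004, 8, 3, 12, 2, 18)]
    for (url, ip), n in urls_behind_failed_logons(SAMPLE_LOG, failures, 1):
        print(n, url, ip)
```

Any URL this reports is a resource that does not allow anonymous access and is prompting visitors for Windows credentials.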