how can I stop attempted logons by hackers through IIS?

on 03.07.2006 19:40:02 by mrecomm101

I am running Windows Server 2003. I'm getting tens of thousands of scripted
attempts to logon through IIS. I've got green checks all through my Baseline
Security Analyser and I'm running Windows Firewall. I get this event:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: SERVER NAME
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER NAME
Caller User Name: SERVER NAME
Caller Domain: XXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 284
Transited Services: -
Source Network Address: -
Source Port: -
These attempts have not been successful, but that doesn't mean they can't be
in the future. Any suggestions on how I can button this hole up?

Thanks!

Re: how can I stop attempted logons by hackers through IIS?

on 06.07.2006 20:53:10 by Roger Abell

It helps, believe it or not, when a message is posted in its original
rather than edited form. Due to this it is not possible to help you
out as to from where the attempts originate.
However, the logon type shows that this is an attempt at clear text,
basic authentication. That should never be happening if all of your
web content is anonymously browsable. If some is supposed to
be restricted access, and basic authN is needed, then there is not
much you can do, as IIS would be exposing what is needed.
If you have a specific real pest doing this, then blocking their origin
IP is about all you could try to do.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"mrecomm101" wrote in message
news:48415347-97CC-47D1-905C-B16CD2062927@microsoft.com...
> I am running Windows Server 2003. I'm getting tens of thousands of scripted
> attempts to logon through IIS. I've got green checks all through my Baseline
> Security Analyser and I'm running Windows Firewall. I get this event:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: SERVER NAME
> Logon Type: 8
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: SERVER NAME
> Caller User Name: SERVER NAME
> Caller Domain: XXXXX
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 284
> Transited Services: -
> Source Network Address: -
> Source Port: -
> These attempts have not been successful, but that doesn't mean they can't be
> in the future. Any suggestions on how I can button this hole up?
>
> Thanks!
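
Added example, not part of either post above: the security event in this thread shows "Source Network Address: -", so the origin IP to block has to come from the IIS W3C extended logs. This Python sketch counts HTTP 401 responses per client IP, assuming the c-ip and sc-status fields are enabled in IIS logging; the sample log lines, the function names and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
# The #Fields directive reappears with a different column order, as it can
# after a service restart or a logging configuration change.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-07-03 19:40:01 203.0.113.7 GET /private/ 401
2006-07-03 19:40:02 203.0.113.7 GET /private/ 401
2006-07-03 19:40:02 198.51.100.20 GET /default.htm 200
2006-07-03 19:40:03 203.0.113.7 GET /private/ 401
2006-07-03 19:41:10 198.51.100.20 GET /private/ 401
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2006-07-03 19:45:00 GET /private/ 401 203.0.113.7
2006-07-03 19:45:01 GET /private/ 200 198.51.100.20
"""

def count_401_by_ip(log_text):
    """Return a Counter of HTTP 401 responses per client IP."""
    fields = []
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue                    # skip blanks and other directives
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "401" and "c-ip" in row:
            hits[row["c-ip"]] += 1
    return hits

def noisy_sources(log_text, threshold):
    """Client IPs with at least `threshold` 401 responses, busiest first.

    A single 401 is the normal challenge a browser receives before it sends
    credentials, so only repeated failures are reported.
    """
    return [(ip, n) for ip, n in count_401_by_ip(log_text).most_common()
            if n >= threshold]

if __name__ == "__main__":
    for ip, n in noisy_sources(SAMPLE_LOG, threshold=3):
        print(f"{ip}\t{n} failed authentications")
```

Matching the timestamps of the reported rows against the Logon Failure events ties a source address to the Logon Type 8 attempts.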