Hello,
On a dedicated Windows 2003 server, while reviewing the Security Event Logs, I noticed a log of failed logon hacker attempts which were listed as:
Event ID 529
Logon Type: 8
Logon Process: IIS
Reason: Unknown user name or bad password
Source IP: blank

Since these were NOT related to NTLM Authentication Package (Logon Process: NtLmSsp) but, rather, IIS, I imediately knew to check if Integrated Windows Authentication was enabled on the websites hosted in ISS6. Indeed it was enabled and I immediately
disabled and restarted IIS to be certain the changes were applied.
What I would appreciate is a better understanding of how these attacks are carried out, as nothing in the hosted .ASP website utilizes Windows Authentication whatsoever.
In addition to disabling Integrated Windows Auth in ISS, is there something that could also be added to the Windows Firewall which is engaged on this server?
Thanks in advance for any insight.

Need to support users over the internet? click here try our remote control online beta

Need to support users over the internet? click here try our remote control online beta

Hi,

please visit IIS Security forum to get a better resolution:


http://forums.iis.net/


Thanks for your understanding!

Best Regards
Elytis Cheng
Elytis Cheng
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta

Hi,

please visit IIS Security forum to get a better resolution:


http://forums.iis.net/


Thanks for your understanding!

Best Regards
Elytis Cheng
Elytis Cheng
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta