failed login attempts

[Gary]

We have been receiving many failed login attempts by
unknown users, recorded in our security event logs on our
web server. We only allow traffic to flow through ports 80
and 443 inbound on our perimeter firewall. Outbound
traffic is restricted to DNS queries only. The servers
have
been hardened and patches applied.
What we want to try to discover is what is
actually allowing somebody to enter login credentials as
there isn't as far as we are aware anywhere on the site
that permits this. Is there any way of finding this hole?
Many thanks in advance

 

[Steven L Umbach]

Hi Gary.

I would verify that your firewalls are still configured correctly and that file and
print sharing is not enabled on those servers - particularly the external adapters.
After that you may be able to find some info in your IIS logs by correlating them
with the times of the failed logon attempts. I am do not have much experience with
IIS and suggest you also post in the Microsoft.public.inetserver.iissecurity
newsgroup. My guess is if they do not have file and print sharing access, they are
somehow trying to access files that are not authorized for anonymous internet
connections. I know it is highly recommended that IIS Lockdown tool that will also
run Urlscan be implemented on any IIS server after backing it up and the IIS
configuration. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

 

[Gary]

Hi Steve

Firewalls are still configured correctly and file and
print sharing is not enabled. IIS Lockdown has been run
and Urlscan has been implemented. I have also figured that
it is probably a page with no anonymous access. Do you
know if there are any tools to find this sort of page?
Many thanks --- Gary

 

[Steven L Umbach]

Hi Gary. Not offhand. The folks in the IIS Security newsgroup may be able to help out
with that. Maybe log entries can give a clue. Good luck. --- Steve