IUSR lockout

TheMSsForum.com: The Microsoft Software Forum

All,
I tried to repeat a problem I was able to get to work before, but I am not
having any luck. I thought I was able to create a DOS on a web server by
locking out the IUSR account at one point. However, when I lock it out now,
I can't seem to get it to cause a DOS. The links and everything else seems
to behave normally even after locking out that account. Any thoughts on
what I may be doing wrong?
FYI, to do this, I created a test directory, and a user named test. For the
test directory, I allowed only the test user, administrators, and system to
have access to that folder. IIS was set to Integrated Auth, and Allow Anon
access. I thought I was able to demonstrate this problem before, but for
some reason I can't get it to work now. Thoughts?

Thanks,
Pair
Top

Re: IUSR lockout by S

S
Fri Aug 08 02:21:54 CDT 2003

Let me think... I haven't tried this:

Set account lockout policy to lock an account out after 3 unsuccessful logon
attempts
Make test a virtual directory on the web server (remember: IUSR doesn't have
access to the directory)
Access http://yourserver/test. Authentication dialog will pop up.

Put IUSR_yourserver as the name and rubbish as the password 3 times.

This will probably lock IUSR out. Rename IUSR account and don't disclose it;
use SSL certificate authentication instead.

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"TwistedPair" <twistedpair@mail.com> wrote in message
news:#Q3aeQWXDHA.1900@TK2MSFTNGP10.phx.gbl...
> All,
> I tried to repeat a problem I was able to get to work before, but I am not
> having any luck. I thought I was able to create a DOS on a web server by
> locking out the IUSR account at one point. However, when I lock it out
now,
> I can't seem to get it to cause a DOS. The links and everything else
seems
> to behave normally even after locking out that account. Any thoughts on
> what I may be doing wrong?
> FYI, to do this, I created a test directory, and a user named test. For
the
> test directory, I allowed only the test user, administrators, and system
to
> have access to that folder. IIS was set to Integrated Auth, and Allow
Anon
> access. I thought I was able to demonstrate this problem before, but for
> some reason I can't get it to work now. Thoughts?
>
> Thanks,
> Pair
>
>


Top

Re: IUSR lockout by TwistedPair

TwistedPair
Fri Aug 08 09:22:27 CDT 2003

Thanks for your suggestion. That was how I had tried it, but no workie. The
account gets locked out, but IIS still keeps serving up pages happily. Any
other ideas?

Thank you,
Pair

"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:egHVJ3XXDHA.2620@TK2MSFTNGP09.phx.gbl...
> Let me think... I haven't tried this:
>
> Set account lockout policy to lock an account out after 3 unsuccessful
logon
> attempts
> Make test a virtual directory on the web server (remember: IUSR doesn't
have
> access to the directory)
> Access http://yourserver/test. Authentication dialog will pop up.
>
> Put IUSR_yourserver as the name and rubbish as the password 3 times.
>
> This will probably lock IUSR out. Rename IUSR account and don't disclose
it;
> use SSL certificate authentication instead.
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "TwistedPair" <twistedpair@mail.com> wrote in message
> news:#Q3aeQWXDHA.1900@TK2MSFTNGP10.phx.gbl...
> > All,
> > I tried to repeat a problem I was able to get to work before, but I am
not
> > having any luck. I thought I was able to create a DOS on a web server
by
> > locking out the IUSR account at one point. However, when I lock it out
> now,
> > I can't seem to get it to cause a DOS. The links and everything else
> seems
> > to behave normally even after locking out that account. Any thoughts on
> > what I may be doing wrong?
> > FYI, to do this, I created a test directory, and a user named test. For
> the
> > test directory, I allowed only the test user, administrators, and system
> to
> > have access to that folder. IIS was set to Integrated Auth, and Allow
> Anon
> > access. I thought I was able to demonstrate this problem before, but
for
> > some reason I can't get it to work now. Thoughts?
> >
> > Thanks,
> > Pair
> >
> >
>
>


Top

Re: IUSR lockout by TwistedPair

TwistedPair
Fri Aug 08 09:58:06 CDT 2003

Nevermind, it just took a while to take effect . . .

Pair
"TwistedPair" <twistedpair@mail.com> wrote in message
news:OOdTDibXDHA.2516@TK2MSFTNGP09.phx.gbl...
> Thanks for your suggestion. That was how I had tried it, but no workie.
The
> account gets locked out, but IIS still keeps serving up pages happily.
Any
> other ideas?
>
> Thank you,
> Pair
>
> "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
> news:egHVJ3XXDHA.2620@TK2MSFTNGP09.phx.gbl...
> > Let me think... I haven't tried this:
> >
> > Set account lockout policy to lock an account out after 3 unsuccessful
> logon
> > attempts
> > Make test a virtual directory on the web server (remember: IUSR doesn't
> have
> > access to the directory)
> > Access http://yourserver/test. Authentication dialog will pop up.
> >
> > Put IUSR_yourserver as the name and rubbish as the password 3 times.
> >
> > This will probably lock IUSR out. Rename IUSR account and don't disclose
> it;
> > use SSL certificate authentication instead.
> >
> > --
> > Svyatoslav Pidgorny, MS MVP, MCSE
> > -= F1 is the key =-
> >
> > "TwistedPair" <twistedpair@mail.com> wrote in message
> > news:#Q3aeQWXDHA.1900@TK2MSFTNGP10.phx.gbl...
> > > All,
> > > I tried to repeat a problem I was able to get to work before, but I am
> not
> > > having any luck. I thought I was able to create a DOS on a web server
> by
> > > locking out the IUSR account at one point. However, when I lock it
out
> > now,
> > > I can't seem to get it to cause a DOS. The links and everything else
> > seems
> > > to behave normally even after locking out that account. Any thoughts
on
> > > what I may be doing wrong?
> > > FYI, to do this, I created a test directory, and a user named test.
For
> > the
> > > test directory, I allowed only the test user, administrators, and
system
> > to
> > > have access to that folder. IIS was set to Integrated Auth, and Allow
> > Anon
> > > access. I thought I was able to demonstrate this problem before, but
> for
> > > some reason I can't get it to work now. Thoughts?
> > >
> > > Thanks,
> > > Pair
> > >
> > >
> >
> >
>
>


Top