Web Server Accounts


Web Server Accounts Marc
12/30/2003 2:58:40 PM
iis security:
I am using IIS 4 on an NT 4 machine with SP6. All my users
have to log in using an NT account and password to get to
my website. I have changed my administrator account name
and disabled guest. Every couple of months I find that all
my accounts are disabled. When I check the logs I can see
where someone is going through all the account names and
after 2 tries the accounts lock out. How would they have
gotten a list of all the account names? And how can I stop
that? Fortunately they have not guessed any passwords.

Re: Web Server Accounts Jerry III
12/30/2003 5:30:21 PM
The easiest thing to do is to block everything except what you need - TCP
port 80 (and 443) incoming and ICMP. Everything else should be closed by a
firewall unless you really need it (you may have to open things such as
DNS). Also disable everything you don't need in IIS setup (especially
filters and extensions you don't use), and in general (such as internet
printing). Now the attacker might be simply guessing account names but then
you should see account names that do not exist in the event log - there's
not much you can do about that if they're smart (and use "hijacked" machines
to do this, so you can't trace or block them).

Jerry
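
Added example, not part of any post in this thread: one way to run the check described above, comparing the account names in failed-logon records against the accounts that really exist to tell blind name guessing from an attacker who already holds the account list. The CSV columns, sample records, account names, thresholds and verdict labels are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data (not from the thread): the server's real account
# names and two CSV exports of failed-logon events with assumed columns.
REAL_ACCOUNTS = {"asmith", "bjones", "cwhite", "dgreen"}

LISTED_LOG = """time,source,account
2003-12-28 02:10:01,203.0.113.7,asmith
2003-12-28 02:10:03,203.0.113.7,asmith
2003-12-28 02:10:05,198.51.100.23,bjones
2003-12-28 02:10:07,198.51.100.23,bjones
2003-12-28 02:10:09,203.0.113.7,cwhite
2003-12-28 02:10:11,203.0.113.7,cwhite
2003-12-28 02:10:13,198.51.100.23,dgreen
2003-12-28 02:10:15,198.51.100.23,dgreen
"""

GUESSED_LOG = """time,source,account
2003-12-28 03:00:01,203.0.113.7,administrator
2003-12-28 03:00:02,203.0.113.7,admin
2003-12-28 03:00:03,203.0.113.7,guest
2003-12-28 03:00:04,203.0.113.7,test
2003-12-28 03:00:05,203.0.113.7,asmith
"""


def classify_failures(log_text, real_accounts):
    """Compare the names in failed logons with the accounts that really exist."""
    real = {name.lower() for name in real_accounts}
    rows = list(csv.DictReader(io.StringIO(log_text)))
    tried = {row["account"].strip().lower() for row in rows}
    unknown = tried - real          # names that do not exist on the server
    hit = tried & real              # real accounts that were targeted
    coverage = len(hit) / len(real) if real else 0.0
    # Thresholds are assumptions for this example, not values from the thread.
    if not tried:
        verdict = "no-failures"
    elif not unknown and coverage >= 0.8:
        verdict = "account-list-known"   # only real names, nearly all of them
    elif len(unknown) > len(hit):
        verdict = "name-guessing"        # mostly names that do not exist
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "unknown": sorted(unknown),
            "coverage": coverage, "sources": sorted({r["source"] for r in rows})}
```

An "account-list-known" verdict points at enumeration rather than guessing, which is the case where closing the enumeration channels at the firewall matters most.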


Re: Web Server Accounts jcochran.nospam NO[at]SPAM naplesgov.com
12/31/2003 2:48:51 PM
On Tue, 30 Dec 2003 14:58:40 -0800, "Marc" <mctaysso@ralcorp.com>

There are a lot of ways to enumerate the user list, but most can be
blocked by not allowing SMB or NetBIOS traffic through your firewall.
Only open ports you need.

Of course, it could be an insider... :)
