Vulnerability: IIS
Affected: IIS

Description

Nicholas Staff found the following. The IUSR_COMPUTERNAME account is governed by account lockout policies and can be locked out. This is the default account used by IIS for anonymous web access, and when it is locked out, anonymous access is denied. Any IIS server with a lockout policy that can be made to prompt for authentication is vulnerable. Additionally, nearly every internal/corporate web site running on IIS can be shut down by any employee on their network.

Steps to reproduce:

* Server Setup:
  - Configure a machine with NT 4.0 Server and the name EXAMPLENAME
  - Configure a static IP address (for this example 192.168.0.1)
  - Install IIS and configure it to host a web site (use default settings)
  - Ensure the account IIS uses for anonymous access is left at the default IUSR_EXAMPLENAME
  - Configure the machine's Account Lockout Policy as follows:
      Account lockout duration: 0
      Account lockout threshold: 3
      Reset account lockout counter after: 60 minutes

* Client Setup:
  - Configure a machine with NT 4.0 Workstation (for simplicity, place it on the same network segment as the server with an IP of 192.168.0.2)
  - Make a new local account named uniqueusername
  - Log off and then back on as this new user
  - Go to Start > Run and type "\\192.168.0.1\admin$" without quotes
  - When prompted for a username/password use IUSR_EXAMPLENAME for the username, and for the password type "ytur679ftr7git9g7" (or anything equally absurd)
  - Repeat the last 2 steps 4 times
  - Open IE and in the address bar type: http://192.168.0.1
  - You will receive an error page telling you access has been denied

Solution

Microsoft Security was contacted and states this is intended functionality.
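As an added example (not part of the original advisory), the following script applies the advisory's lockout policy (threshold 3, counter reset after 60 minutes, duration 0) to a constructed list of failed-logon records and reports which accounts would be locked, singling out the IIS anonymous account, whose lockout means anonymous web access is denied. The record format, the sample data and the function names are assumptions for illustration; the log fields are not real NT 4.0 event-log output.

```python
from datetime import datetime, timedelta

# Policy values as configured in the advisory's server setup.
LOCKOUT_THRESHOLD = 3
RESET_COUNTER_AFTER = timedelta(minutes=60)
# Default prefix of the IIS anonymous-access account (IUSR_COMPUTERNAME).
ANON_PREFIX = "IUSR_"

# Constructed sample of failed-logon records: (timestamp, target account, source).
# Not real NT 4.0 audit output; built to mirror the advisory's reproduction steps.
SAMPLE_FAILURES = [
    ("2000-03-01 10:00:05", "IUSR_EXAMPLENAME", "192.168.0.2"),
    ("2000-03-01 10:00:11", "IUSR_EXAMPLENAME", "192.168.0.2"),
    ("2000-03-01 10:00:17", "IUSR_EXAMPLENAME", "192.168.0.2"),
    ("2000-03-01 10:00:23", "IUSR_EXAMPLENAME", "192.168.0.2"),
    ("2000-03-01 10:05:00", "jsmith", "192.168.0.7"),
    ("2000-03-01 12:30:00", "jsmith", "192.168.0.7"),  # >60 min gap: counter resets
    ("2000-03-01 12:31:00", "jsmith", "192.168.0.7"),
]


def find_lockouts(failures, threshold=LOCKOUT_THRESHOLD, reset_after=RESET_COUNTER_AFTER):
    """Replay failed logons against the lockout policy.

    The bad-password counter for an account is reset to zero when more than
    `reset_after` has elapsed since that account's previous failure; reaching
    `threshold` locks the account. With lockout duration 0 (as in the
    advisory) the account stays locked until an administrator unlocks it, so
    later failures for a locked account are ignored.
    Returns a list of (account, timestamp, source) for each lockout.
    """
    count, last, locked, lockouts = {}, {}, set(), []
    for ts, account, source in sorted(failures):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if account in locked:
            continue
        if account in last and t - last[account] > reset_after:
            count[account] = 0
        count[account] = count.get(account, 0) + 1
        last[account] = t
        if count[account] >= threshold:
            locked.add(account)
            lockouts.append((account, ts, source))
    return lockouts


def anonymous_web_lockouts(failures, prefix=ANON_PREFIX, **policy):
    """Lockouts of the IIS anonymous account: each one denies anonymous web
    access to everyone, so it is worth alerting on separately from user typos."""
    return [hit for hit in find_lockouts(failures, **policy)
            if hit[0].upper().startswith(prefix)]
```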