Brute force in IIS

Manieendar Mohan
Published on
07 Apr 2024
4 min read

Brute force is a trial-and-error method of attack. It is used to obtain sensitive information. This information includes user passwords, PIN number etc.

In a brute force attack, automated software is used to generate values using permutation and combination.

This process continues until the barrier is broken. Brute force attacks are used by criminals to crack encrypted data. This method is also used by security analysts to test network security. There are other names for brute force attacks like brute force cracking or simply brute force.

If a server is configured to use basic authentication or Integrated Windows authentication, then it is vulnerable to brute force attacks on the password of the local machine admin account. If a server is using Windows IIS, it will have a default page localstart.asp.


Microsoft’s IIS server has a default page “localstart.asp”.

This page is protected by NTLM authentication by default. An attacker can use a brute force attack to gain authentication credentials.

The resultant will give the attacker admin access.

What are the impacts of brute force attack?

Brute force attacks on Microsoft’s Internet Information Services (IIS) web server involve attackers attempting to gain unauthorized access to a system by systematically trying various combinations of usernames and passwords until they find the correct credentials.

Here’s how this type of attack can be exploited:

1. Username and Password Guessing

Attackers use automated tools to repeatedly try different usernames and passwords to find valid login credentials.

These tools can use various wordlists, dictionaries, and patterns to guess passwords.

2. Targeting weak passwords

Brute force attacks are particularly effective against weak passwords, such as common words, default passwords, or passwords that can be easily guessed.

Attackers rely on users’ poor password practices.

3. Credential stuffing

Attackers who have acquired username and password combinations from previous data breaches or leaks may use those same credentials to attempt unauthorized access to other accounts on different services, including IIS.

4. Lockout and account enumeration

Repeated login attempts can lead to the lockout of user accounts. Attackers might intentionally use incorrect usernames to identify valid accounts based on server responses (account enumeration).

5. Resource consumption

Brute force attacks can consume server resources, including CPU cycles and network bandwidth, potentially impacting the performance and availability of the IIS server.

How can you prevent brute force attacks in IIS?

To prevent and mitigate brute force attacks in Microsoft’s Internet Information Services (IIS) web server, you can implement a combination of security measures to protect your system.

Here are some effective strategies:

1. Strong password policies

Enforce strong password policies that require users to create passwords with a combination of uppercase and lowercase letters, numbers, and special characters.

Discourage the use of easily guessable passwords.

2. Account lockout

Implement an account lockout mechanism that locks user accounts after a certain number of failed login attempts.

This prevents attackers from making unlimited guesses.

3. IP blocking and rate limiting

Configure IP blocking or rate limiting rules to restrict the number of logins attempts from a single IP address within a specific time frame.

This helps deter brute force attacks.

4. CAPTCHA challenges

Integrate CAPTCHA challenges on login forms. CAPTCHAs require users to solve puzzles that are easy for humans but difficult for automated bots, effectively thwarting automated attacks.

5. Two-Factor authentication (2FA)

Implement 2FA to require users to provide a second form of verification, such as a time-based one-time password (TOTP) or a mobile app code, in addition to their password.

6. User account monitoring

Monitor user accounts for suspicious activities, such as multiple failed login attempts within a short period.

Detecting anomalies early can help prevent successful attacks.

7. Web Application Firewall (WAF)

Deploy a WAF that can identify and block malicious traffic, including brute force attempts, before they reach the IIS server.

8. Logging and monitoring

Enable logging for login attempts and review logs regularly for signs of unusual activity. Set up alerts to notify you of a high number of failed login attempts.

9. Geo-Blocking

If your application’s legitimate user base is primarily from specific regions, consider implementing geo-blocking to restrict access from known high-risk regions.

10. Intrusion Detection Systems (IDS)

Employ IDS or intrusion prevention systems to monitor network traffic for suspicious patterns and act when malicious activities are detected.

By implementing these preventive measures and adopting a multi-layered security approach, you can significantly reduce the risk of successful brute force attacks on your IIS server and enhance the overall security of your web applications.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.