Protection of Builtin Accounts

Independent of the account lockout capabilities built into the ISAPI authentication filter, the split between the operating system SAM user database and the client user database prevents the brute forcing of builtin account passwords: client credentials are checked against a store that the builtin accounts are not in.

This is important because, by default, the builtin administrator account cannot be disabled. If any of the native IIS authentication schemes are used, it is possible to mount a brute force attack against a server running IIS for an unlimited duration, as long as the server remains operational. During this time the server cannot be prevented from answering with a success/failure status for each password attempted.

In addition to the risk of compromising such a powerful account, the cost of the bandwidth consumed by such an attack on a publicly reachable server can be staggering. Responsiveness of the system to legitimate users is also significantly degraded during such an automated attack. Attacks have been observed sending over 10,000 login requests per hour. One site logged 780,000 requests in a 72-hour period during one such recent attack.
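To make the request rates described above visible in a server's own records, the following added example (not part of the original page or of the filter's code) counts 401 responses per client address per hour from IIS W3C extended log lines and flags any source that exceeds a threshold; the log lines, field set and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed IIS 6 W3C extended log sample (not from the page): one source
# sends 1200 failed attempts in a single hour, a legitimate client fails once.
def _build_sample():
    lines = [
        "#Software: Microsoft Internet Information Services 6.0",
        "#Version: 1.0",
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus",
    ]
    for i in range(1200):
        lines.append(f"2003-05-01 13:{i // 60:02d}:{i % 60:02d} 10.0.0.5 GET /secure/ 401 2")
    lines.append("2003-05-01 13:05:10 192.0.2.7 GET /secure/ 401 2")   # typo, then success
    lines.append("2003-05-01 13:05:14 192.0.2.7 GET /secure/ 200 0")
    lines.append("2003-05-01 14:00:00 10.0.0.5 GET /secure/ 401 2")   # next hour, below threshold
    return "\n".join(lines) + "\n"

SAMPLE_LOG = _build_sample()

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue            # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue            # malformed or truncated line: skip rather than guess
        yield dict(zip(fields, parts))

def failed_logins_per_hour(text):
    """Map (client ip, 'YYYY-MM-DD HH') -> number of 401 responses in that hour."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "401":
            hour = rec["date"] + " " + rec["time"][:2]
            counts[(rec["c-ip"], hour)] += 1
    return counts

def flag_sources(text, threshold=1000):
    """Client addresses with at least `threshold` failed logins in any one hour."""
    hits = failed_logins_per_hour(text)
    return sorted({ip for (ip, _hour), n in hits.items() if n >= threshold})
```

The threshold is a starting point; a site that has measured its own legitimate failure rate should tune it against that baseline rather than the figures quoted above.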


copyright(c) 2003
all rights reserved