Microsoft IIS5 NTLM and Basic authentication bypass
Description
Microsoft Internet Information Services version 5 (IIS5) contains an authentication bypass vulnerability in its hit-highlighting functionality. This feature, designed to open and highlight portions of site content, can be exploited to access protected resources without providing valid credentials. Attackers can leverage this flaw to circumvent both NTLM and Basic authentication mechanisms that would normally restrict access to sensitive files and directories.
Remediation
Implement the following remediation steps:
1. Apply Defense in Depth: Configure NTFS file system permissions to restrict access to sensitive files and directories independently of IIS authentication. Ensure that the IUSR and IWAM accounts have only the minimum permissions they need.
2. Upgrade IIS: Microsoft recommends migrating from IIS5 to IIS6 or later versions, which address this vulnerability and provide enhanced security features.
3. Apply Security Patches: Install all available security updates for IIS5 if immediate migration is not feasible.
4. Disable Hit-Highlighting: If the hit-highlighting feature is not required, disable it to eliminate this attack vector.
5. Implement Additional Controls: Consider deploying a web application firewall (WAF) or reverse proxy to provide an additional layer of authentication and access control.
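A log triage check to go with steps 1 and 4, added here as an example (it is not code from this advisory or from Microsoft): it parses IIS W3C extended logs and lists hit-highlighting requests that returned content while the log records no authenticated user, plus a per-client count to confirm whether the feature is used at all before disabling it. It assumes hit-highlighting requests arrive through the Index Server `.htw` script mapping, which the page does not name, and that `cs-username`, `cs-uri-stem` and `sc-status` are logged; the log lines are constructed.

```python
from collections import Counter

# Assumption: hit-highlighting is reached via the Index Server ".htw" mapping.
HIT_HIGHLIGHT_EXT = ".htw"

# Constructed sample log (documentation IP ranges); note the second #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-06-01 10:00:01 192.0.2.10 alice GET /secure/report.asp - 200
2007-06-01 10:00:05 198.51.100.7 - GET /secure/report.asp - 401
2007-06-01 10:00:09 198.51.100.7 - GET /search/sample.htw q=constructed 200
2007-06-01 10:00:12 192.0.2.10 alice GET /search/sample.htw q=constructed 200
#Fields: date time cs-username c-ip cs-uri-stem sc-status
2007-06-01 10:05:00 - 198.51.100.7 /Search/Sample.HTW 200
2007-06-01 10:05:02 - 203.0.113.5 /search/sample.htw 404
"""


def parse_w3c(lines):
    """Yield one dict per request, honouring every #Fields: directive seen."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def is_hit_highlight(rec):
    return rec.get("cs-uri-stem", "").lower().endswith(HIT_HIGHLIGHT_EXT)


def suspicious_hits(lines):
    """Hit-highlighting requests answered 2xx with no authenticated user ("-")."""
    return [(r.get("date"), r.get("time"), r.get("c-ip"), r["cs-uri-stem"].lower())
            for r in parse_w3c(lines)
            if is_hit_highlight(r) and r.get("cs-username") == "-"
            and r.get("sc-status", "").startswith("2")]


def hit_highlight_clients(lines):
    """Request count per client for the mapping, whatever the outcome."""
    return Counter(r.get("c-ip") for r in parse_w3c(lines) if is_hit_highlight(r))
```

On a site that also serves anonymous content, a flagged row is a lead to review against the NTFS permissions of the file involved, not proof of a bypass.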