locked
Local/Domain Guest user asccount disabled... RRS feed

  • Question

  • User-628252253 posted

    Hi

    I'm running IIS 6 on a Domain member Windows 2003 Server.

    Yesterday my intranet website started to prompt user for authentification (usually Guest) and when users entered their credentials, nothing!  No one was able use the intranet website.  I found out that my local Guest account has been disabled due to unsuccessful logon attempt, so i reactivated it.
    This is weird, the account used for the intranet website is the domain Guest account, not the local guest account

    Today same problem, people calling to tell me they can't access the intranet website.  As i was going to reactivate the local guest account i noticed it was not disabled but the Domain guest account was....

    Anyone have any idea what might be going on?

    btw it can't be brute force attempt, i checked.... that's why i'm so confused...

    Thx

     

    Thursday, January 18, 2007 9:24 AM

All replies

  • User-628252253 posted

    you guys have any ideas?

    Anything!... something to get me started on resolving this issue

    Any suggestion on what to look for? My logfiles doesn't say much so i'm lost!

    I need your help guys!

    thx

    Thursday, January 18, 2007 1:11 PM
  • User-823196590 posted
    Not sure what you mean by guests accounts and how that relates to IIS, but I saw a similar issue a few years ago where there was some malicous code on the network that was repeatedly trying to logon with common account names (and bad passwords of coruse) that caused a similar web site lockout.  What's the name of the "guest" account you're using?  Is it something that could be common?
    Thursday, January 18, 2007 3:25 PM
  • User-628252253 posted

    The guest account is the default user "Guest" created when Windows is installed.  I don't know for sure it's related to IIS but IIS made me aware immediately that something was wrong, i'm using this account for my intranet website so when IIS started to ask my users for credientials when they tried to log on the intranet i knew the account was disabled.  My log files doesn't say much but it looks like IIS caused the unsuccessfull logons with this account (which got it disabled).....which is really weird and makes no sense.... but it could be like you said some malicious code ("Guest" is a default user so it looks like it).  I'm pretty sure my servers are free of any worm of malicious code due to all of what's in place to prevent such a thing....

    N.B : it happened with both Local and Domain "Guest" user, that's the weirdest part...

    I'll double check

    If you got any other ideas let me know!

    Thx again

    Thursday, January 18, 2007 4:07 PM
  • User989702501 posted

    It should be the iusr_computer account and not the guest account. and by default the guest is account is disabled isn't it?

    I think you should enable logon auditing, to see what account is trying to logon, etc
    Then look at the IIS log files for more clues.

     

    Friday, January 19, 2007 1:02 AM
  • User-823196590 posted
    ... and the malicious code is not necessarily on your servers but on another machine connected to your network.
    Friday, January 19, 2007 8:27 AM
  • User-628252253 posted

    We're using the Domain Guest account instead of iusr_computer.

    The account trying to logon is the Guest account and comes from the server itself, it's like IIS is trying to logon using his settings but enters a wrong password hehe.

     

    I'm running out of options here, it's way too weird!

     If you guys have any other ideas i'm all ears!

    Thx

    Tuesday, January 23, 2007 4:49 PM
  • User-823196590 posted
    Does the guest password as specified in the IIS MMC for the anonymous user match the account's actual password?
    Tuesday, January 23, 2007 5:21 PM
  • User989702501 posted

    Post the relevant event viewer and IIS log entires here...

     

    Wednesday, January 24, 2007 9:06 PM
  • User-628252253 posted

    Yes Tom they match, people log on the intranet website on a regular basis (at least 500 times/day), so the password is correct.

    Sorry Bernard, i don't have the logs with me anymore since i couldn't find anything usefull, but as soon as i have a chance i'll grab them (i moved into another building not linked to my old office).

    Have a great Weekend everyone!!!!

     

    Friday, January 26, 2007 4:57 PM
  • User989702501 posted

    No problem, post it here once you've got it.

     

    Sunday, January 28, 2007 10:27 PM