The accessible nature of web-based applications, together
with the ease of writing automated login scripts, means that it is relatively
easy to write a script that automatically guesses website login credentials. The
task is made even easier if the malicious user already knows a login name or
the website does not enforce strong passwords (i.e. case-sensitive,
mixed-case passwords being mandatory, or passwords that include non-alphanumeric
characters).
For this reason, it is recommended to ensure that each
session has a limit on the number of failed login attempts. Since most automated
HTTP scripting methods do not maintain sessions, it is also recommended to
ensure that there are no more than a certain number of failed login attempts from a
specific IP address within a specific time period.
Monitoring the IIS web server log files for signs of
repeated failed login attempts is also highly recommended. A utility such as
Microsoft's Log Parser (http://www.logparser.com/)
can be used to achieve this.
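The per-IP limit and the log review described above can be expressed as one small program. The following is an added example, not code from the original text and not a Log Parser query; it reads IIS W3C log lines (a constructed sample, with the column layout taken from the `#Fields:` directive), keeps a sliding-window count of failed logins per client IP, and reports any IP that exceeds the threshold. It assumes a login form POSTed to `/login.aspx` that answers a failed attempt with HTTP 401; both the path and the status code are assumptions and would be adjusted to match the application being monitored.

```python
"""Sliding-window count of failed logins per client IP, applied to IIS
W3C log lines. Added example with a constructed log sample; the login
path and failure status code below are assumptions, not from the text."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: the login form is POSTed to /login.aspx and a failed
# attempt is answered with HTTP 401. Adjust to the real application.
LOGIN_PATH = "/login.aspx"
FAILED_STATUS = "401"

# Constructed sample in IIS W3C format; the #Fields: line names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:03 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:04 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:05 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:06 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:07 10.0.0.5 POST /login.aspx 401
2004-03-01 10:00:09 192.168.1.20 POST /login.aspx 401
2004-03-01 10:00:30 192.168.1.20 POST /login.aspx 302
2004-03-01 10:05:00 10.0.0.9 GET /index.html 200
2004-03-01 10:20:00 10.0.0.5 POST /login.aspx 401
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names from #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the scan
        yield dict(zip(fields, values))


class FailedLoginTracker:
    """Counts failed logins per client IP within a sliding time window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self._events = defaultdict(deque)  # ip -> timestamps of recent failures

    def record_failure(self, ip, when):
        """Record a failed attempt; return True if the IP is now over the limit."""
        q = self._events[ip]
        q.append(when)
        # Discard failures that have aged out of the window.
        while q and when - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_failures


def flagged_ips(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time it first exceeded max_failures within the window}."""
    tracker = FailedLoginTracker(max_failures, window)
    flagged = {}
    for rec in parse_iis_log(log_text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"] != LOGIN_PATH:
            continue
        if rec["sc-status"] != FAILED_STATUS:
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"],
                                 "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if tracker.record_failure(ip, when) and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in flagged_ips(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failed-login limit at {when}")
```

On the sample, 10.0.0.5 is reported at 10:00:07, its sixth failure inside ten minutes; the single failure from 192.168.1.20 and the later, isolated failure from 10.0.0.5 at 10:20:00 stay under the limit because the window has emptied. The same `FailedLoginTracker` can sit in the application itself to enforce the per-IP limit at request time, while the log scan provides the after-the-fact review the text recommends.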
It may also be worth considering either temporarily or
permanently disabling the accounts of users that appear to have a large number
of failed login attempts in a specific time period.