The IIS installation contains a default page called "localstart.asp". If the server is configured to use basic authentication or Integrated Windows authentication, it is possible to apply the brute-force technique on the password of the local machine admin account, because the username is well known ("Administrator").
I want to empty the content of this localstart.asp file and remove all ...authentication schemes from it. Being a blank page that is accessible by all users, it poses no threat to the web server or the local. For some reason I am not able to find this file on my Windows 2008 R2 IIS Server?
Thanks, folks!
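
A check for the file described above, as an added example that is not part of the original post: this PowerShell script searches the root folder of every IIS site for localstart.asp and lists which authentication schemes are enabled at each location where it is found. It assumes an elevated session on the IIS server with the WebAdministration module available, and it does not follow virtual directories that live outside a site's root folder.

```powershell
# Added example (not from the original post).
# Assumptions: elevated session on the IIS server, WebAdministration module present.
Import-Module WebAdministration

$target  = 'localstart.asp'
$schemes = 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication'

$found = foreach ($site in Get-Website) {
    # physicalPath can contain environment variables such as %SystemDrive%
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath).TrimEnd('\')
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter $target -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the disk path into the configuration location "<site>/<url path>"
            $urlPath  = $_.FullName.Substring($root.Length).Replace('\', '/')
            $location = $site.Name + $urlPath

            $row = @{ Site = $site.Name; File = $_.FullName }
            foreach ($scheme in $schemes) {
                # Reads the applicationHost.config view of this location;
                # settings delegated to a web.config file are not merged in here.
                $row[$scheme] = (Get-WebConfigurationProperty `
                    -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Location $location `
                    -Filter "system.webServer/security/authentication/$scheme" `
                    -Name enabled).Value
            }
            New-Object PSObject -Property $row
        }
}

if ($found) {
    $found | Select-Object Site, File, anonymousAuthentication,
                           basicAuthentication, windowsAuthentication |
        Format-List
} else {
    Write-Output "No $target found under any IIS site root."
}
```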