IIS 401 Error — Unauthorized Access Attempt

What This Means

Diagnose IIS HTTP 401 Unauthorized errors. Learn how to detect brute force attacks, misconfigured authentication, and credential theft targeting your IIS web applications.

Example Log

2026-03-08 14:22:31 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 - 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 2 5 1250

Indicators of Suspicious Activity

How to Investigate

  1. Parse IIS logs and group 401 errors by client IP (c-ip) and target URI (cs-uri-stem)
  2. Check the 401 sub-status code to determine the specific failure reason
  3. Correlate with Windows Security Event 4625 for the same timeframe
  4. Identify which user accounts are being targeted
  5. Review the User-Agent strings for automated tooling signatures
  6. Check if any 401 sequences transition to 200 (successful compromise)
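
Steps 1, 2, 4, 5 and 6 above as a single pass over a W3C-format log, added here as an example and not taken from this page or from any IIS tooling. The sample rows after the page's own example line are constructed, the field order is assumed from that line, and `min_failures` is an illustrative threshold that keeps the single 401.2 challenge of a normal Windows-authentication handshake from being reported as a 401-to-200 transition.

```python
from collections import Counter, defaultdict

# Constructed sample (first entry is the page's example line). Field order is
# assumed from that line; a real W3C log declares its own in "#Fields:".
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-03-08 14:22:31 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 - 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 2 5 1250
2026-03-08 14:22:33 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 admin 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 1 1326 31
2026-03-08 14:22:35 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 admin 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 1 1326 29
2026-03-08 14:22:37 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 administrator 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 1 1326 30
2026-03-08 14:22:40 W3SVC1 WEB01 10.0.1.50 GET /admin/dashboard - 443 admin 185.220.101.42 Mozilla/5.0+(compatible;+MSIE+10.0) - 200 0 0 212
2026-03-08 14:23:02 W3SVC1 WEB01 10.0.1.50 GET /reports - 443 - 10.0.1.77 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 3
2026-03-08 14:23:02 W3SVC1 WEB01 10.0.1.50 GET /reports - 443 jdoe 10.0.1.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 48
"""

def parse(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize(text, min_failures=3):
    """Group 401s by (c-ip, cs-uri-stem); report a 200 that follows min_failures 401s."""
    groups = defaultdict(lambda: {"count": 0, "substatus": Counter(), "users": Counter(), "agents": set()})
    streak, transitions = Counter(), []  # streak = consecutive 401s per (client, URI)
    for r in parse(text):
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"] == "401":
            g = groups[key]
            g["count"] += 1
            g["substatus"]["401." + r["sc-substatus"]] += 1
            g["agents"].add(r["cs(User-Agent)"])
            if r["cs-username"] != "-":
                g["users"][r["cs-username"]] += 1
            streak[key] += 1
        else:
            if r["sc-status"] == "200" and streak[key] >= min_failures:
                transitions.append((key, streak[key], r["cs-username"], r["time"]))
            streak[key] = 0
    return dict(groups), transitions

if __name__ == "__main__":
    groups, transitions = summarize(SAMPLE_LOG)
    print(groups, transitions, sep="\n")
```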

Recommended Mitigations

Frequently Asked Questions

What does a 401 error in IIS mean?

HTTP 401 means the server requires authentication that the client did not provide or provided incorrectly. IIS sub-status codes (401.1 through 401.5) give specific reasons such as logon failed, logon denied by policy, or authorization filter denied.

How can I find which accounts are being targeted?

IIS logs include the cs-username field when authentication is attempted. Filter your logs for sc-status=401 and group by cs-username to see which accounts attackers are targeting.

What is the difference between 401 and 403 in IIS?

401 means the client has not authenticated (or authentication failed). 403 means the client is authenticated but does not have permission to access the resource. Both can indicate security issues but have different root causes.