Independent of the account lockout capabilities built into the ISAPI authentication filter, the split between the operating system SAM user database and the client user database prevents brute forcing of built-in account passwords.
This is important because, by default, the built-in Administrator account cannot be disabled. If any of the native IIS authentication schemes are used, it is possible to mount a brute-force attack against a server running IIS for an unlimited duration, as long as the server remains operational ...
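The design described above, as an added illustration rather than the filter's own code: client logins are checked only against an application-level store with its own lockout counter, so a name such as Administrator is refused without any lookup against the operating system. The threshold and lock duration are assumed policy values.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000
LOCKOUT_THRESHOLD = 5      # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed)


class ClientUserStore:
    """Client credentials kept apart from the OS SAM; OS accounts are never consulted."""

    def __init__(self):
        self._users = {}     # name -> (salt, PBKDF2 digest)
        self._failures = {}  # name -> (failure count, time of last failure)

    def add_user(self, name, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name] = (salt, digest)

    def _failure_count(self, name, now):
        count, last = self._failures.get(name, (0, 0.0))
        if count >= LOCKOUT_THRESHOLD and now - last >= LOCKOUT_SECONDS:
            return 0  # lock window has expired; the counter starts fresh
        return count

    def is_locked(self, name, now=None):
        now = time.time() if now is None else now
        return self._failure_count(name, now) >= LOCKOUT_THRESHOLD

    def authenticate(self, name, password, now=None):
        """Return 'ok', 'locked' or 'denied'. Unknown names, including built-in
        OS account names, are 'denied' from the application store alone."""
        now = time.time() if now is None else now
        if self.is_locked(name, now):
            return "locked"
        record = self._users.get(name)
        if record is None:
            return "denied"
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, expected):
            self._failures.pop(name, None)  # success clears the counter
            return "ok"
        count = self._failure_count(name, now)
        self._failures[name] = (count + 1, now)
        return "denied"
```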
The system does not require or interfere with client browser cookies. Domain-limited session cookies are sent by the ISAPI authentication filter as an additional identification mechanism; however, they are not required. Session cookies expire at the end of a browser session and are not stored on a user's hard disk ...