Blocking worms by config of Default Web Site? Need Help
7/21/2004 7:45:27 AM
iis security:
Hi Folks, first post. Does anyone know, is it possible
to block automated worms by locking down the default
website completely by blocking all incoming IPs, yet
having subdirectories or virtual directories under the
default web that may be more open to others? My guess is
the worms could not determine the virtual dir or subdir
names, and therefore couldn't attempt their attacks on
them. This of course assumes I wouldn't yet be patched,
which would be rare but could happen if we were still
testing the patch on development and hadn't implemented
in production yet. Thanks to all who have time to comment.
Re: Blocking worms by config of Default Web Site? jeff.nospam NO[at]SPAM zina.com
7/21/2004 8:55:34 PM

There are far better ways to attempt this, and basically, no. If you
lock out IPs they can't get to the site, whether they are a worm or a
legitimate user.

Re: Blocking worms by config of Default Web Site? Ken Schaefer
7/22/2004 2:13:09 PM
a) Most automated worms exploit buffer overflows in key components of IIS.
If they can get to any part of your site, they can exploit said overflow or
whatever

b) You should perform the following steps:
- install and configure IISLockDown and/or URLScan (if running IIS 5.0
or lower)
http://www.microsoft.com/technet/security/tools/locktool.mspx

- install patches released by Microsoft
http://www.microsoft.com/technet/security/current.aspx

- enable only that functionality that is required for your site to
operate

- configure a host-header for the default website (if it does not need
to be accessed by IP address). Automated worms (as yet) are not capable of
interrogating the DNS, so they can't reach your site by host-name, only by
IP address. If no site is configured to answer requests by IP address alone,
IIS will reject the request

- follow the prescriptive guidelines from the Microsoft security centre
http://www.microsoft.com/technet/security/prodtech/iis/default.mspx

Cheers
Ken
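
A log audit to run before applying the host-header step above (an added example, not part of Ken's post or any Microsoft tool): it groups clients in an IIS W3C extended log by whether their requests named the site, used a bare IP address, or sent no Host header, so you can see who would stop being served once the site answers by host name only. It assumes the `cs-host` field is enabled in logging; the log lines and `www.example.com` are constructed.

```python
import ipaddress

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2004-07-21 07:45:27 192.0.2.10 GET /default.htm 200 www.example.com
2004-07-21 07:45:31 198.51.100.7 GET /a.htm 404 203.0.113.5
2004-07-21 07:46:02 198.51.100.9 GET /default.htm 200 203.0.113.5:80
2004-07-21 07:46:40 198.51.100.7 GET /index.htm 404 -
2004-07-21 07:47:12 192.0.2.44 GET /app/ 200 WWW.EXAMPLE.COM
"""

def bare_host(value):
    """Lower-case a logged Host value and drop any :port suffix."""
    if value.startswith("["):                 # bracketed IPv6 literal
        return value[1:].split("]", 1)[0].lower()
    if value.count(":") == 1:                 # name:port or IPv4:port
        value = value.split(":", 1)[0]
    return value.lower()

def classify(value, site_names):
    """Return 'missing', 'ip', 'bound' or 'other' for one Host value."""
    if value in ("", "-"):                    # IIS logs "-" for an absent header
        return "missing"
    host = bare_host(value)
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "bound" if host in site_names else "other"

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):    # skip truncated lines
                yield dict(zip(fields, values))

def audit(text, site_names):
    """Map each Host category to the set of client IPs that used it."""
    names = {n.lower() for n in site_names}
    report = {k: set() for k in ("missing", "ip", "bound", "other")}
    for row in parse_w3c(text):
        report[classify(row.get("cs-host", "-"), names)].add(row["c-ip"])
    return report
```

Clients listed under `ip` or `missing` that are legitimate (monitoring probes, load balancer health checks) need to be switched to the host name before the binding is changed.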
