Re: Explicit Deny does not work, why?

Tom/Jim,
Thanks for all of your help. I did just as suggested. I went back 
to server publishing and installed UrlScan on my web server.

URLscan almost does the job... I guess I'll just have to live with 
the results.

Instead of all the cmd.exe requests being logged.. it now looks 
like this....

2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 72 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 70 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 80 0 HTTP/1.0 www - - -


Thanks again!

greg
---------- Original Message ----------------------------------
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Sat, 16 Mar 2002 11:39:32 -0600

>http://www.ISAserver.org
>
>
>Hmmm. I guess I'll have to take out that old Daisy pea shooter and
>teach that bird a thing or two :-)
>
>Tom
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
>Sent: Saturday, March 16, 2002 11:36 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>I can neither confirm nor deny that there is an unsubstantiated claim of
>future Microsoft product functionality that might or might not have been
>started by an avian creature of indeterminate description.
>;-)
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>----- Original Message -----
>From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Saturday, March 16, 2002 9:25 AM
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>
>Hi Jim,
>
>Aha! Yes, URLScan is the perfect solution.
>
>BTW --  a little bird told me that there might be a URLScan that's
>approved to install on the ISA Server coming out in the near future.
>That would be COOL. :-)
>
>Thanks!
>
>Tom
>www.isaserver.org/shinder
>
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Saturday, March 16, 2002 10:33 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>Hi Tom, Greg,
>
>    Unfortunately, that's the choice you have to make:
>1. server publishing allows you to maintain IP addresses in the IIS logs,
>but can't help with URL filtering
>2. web publishing offers great URL filtering but can't pass the original
>source IP to the web server.
>
>Your other choice is to use server publishing and install URLScan on the
>web server:
>http://www.microsoft.com/downloads/release.asp?releaseid=32571
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>----- Original Message -----
>From: "Greg Foulks" <greg.foulks@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Friday, March 15, 2002 10:07 AM
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>
>So switching over to Web Publishing works and seems to stop those
>requests from being logged.
>
>Is there any way to stop these requests using Server Publishing? I need
>to use server publishing so I can get detailed information
>about my visitors to my site using Webtrends.
>
>Thanks,
>
>Greg Foulks, MCP
>NewFound Technologies, Inc.
>http://www.nfti.com
>Email: greg.foulks@xxxxxxxx
>Voice: 614.318.5036
>Fax: 614.318.5005
>
>
>-----Original Message-----
>From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
>Sent: Thursday, March 14, 2002 10:10 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>
>Hi Jim,
>
>We found out what the problem was. He is using Server Publishing Rules.
>
>HTH,
>Tom
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Thursday, March 14, 2002 8:10 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>That's really a waste of your time.
>If those requests are making it to your web server behind ISA, then you
>need to reexamine your publishing technique.
>Code Red and Nimda requests can only get to your web server if:
>1. you use server publishing for web sites
>2. your web-published sites use an "all requests" destination in the
>rule
>Trying to deny those requests in the face of one (or both) of the above
>conditions is fruitless.
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>----- Original Message -----
>From: "Greg Foulks" <greg.foulks@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Wednesday, March 13, 2002 8:57 AM
>Subject: [isalist] Explicit Deny does not work, why?
>
>
>I've created a series of deny paths (incoming and outgoing) to block any
>Code Red attempts from coming into and out of our ISA
>server.
>
>Please see the attached files
>
>1) Snap shot of the ISA server Destination Set and Content Rules.
>http://www.nfti.com/screen_shot.htm
>
>2) Below A snap shot of our logs showing the requests are still being
>passed.
>
>Can anyone help to explain why the requests are still being allowed
>through?
>
>Thanks,
>
>Greg Foulks, MCP
>NewFound Technologies, Inc.
>http://www.nfti.com
>Email: greg.foulks@xxxxxxxx
>Voice: 614.318.5036
>Fax: 614.318.5005
>
>
>
>Server (500 Series) Errors Detail
>
>Error Code  Timestamp            URL                                            Occurrences  % of 5xx Errors
>500         03/10/2002 05:09:53  /scripts/..\../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 05:09:54  /scripts/..\../winnt/system32/cmd.exe?/c+dir   3            30.00%
>500         03/10/2002 05:09:54  /scripts/../../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:31  /scripts/..\../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:34  /scripts/../../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:34  /scripts/..\../winnt/system32/cmd.exe?/c+dir   3            30.00%
>Total for Errors Above                                                          10           100.00%
>

________________________________________________________________
Sent via the NewFound Technologies, Inc. - WebMail system at 
mail.nfti.com
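
Added example (not part of the original thread, and not UrlScan's or ISA Server's own code): a Python sketch of the kind of URL check that URL filtering applies to requests like those in the 500-series report quoted above, run over constructed sample requests. The deny list, function names and reason labels are assumptions made for illustration.

```python
import posixpath
from collections import Counter
from urllib.parse import unquote

# Assumption: illustrative deny list, not UrlScan's shipped configuration.
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com"}

def normalize(stem, max_rounds=3):
    """Decode percent-escapes until stable, then treat '\\' like '/'."""
    for _ in range(max_rounds):
        stem, prev = unquote(stem), stem
        if stem == prev:
            break
    return stem.replace("\\", "/")

def escapes_root(path):
    """True if '..' segments ever climb above the starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(request):
    """Return the reasons a request URL would be rejected (empty = allowed)."""
    path = normalize(request.split("?", 1)[0])
    reasons = []
    if escapes_root(path):
        reasons.append("traversal-above-root")
    if posixpath.splitext(path)[1].lower() in DENIED_EXTENSIONS:
        reasons.append("denied-extension")
    return reasons

# Constructed sample: the two URL forms from the report above, plus benign requests.
SAMPLE = [
    r"/scripts/..\../winnt/system32/cmd.exe?/c+dir",
    "/scripts/../../winnt/system32/cmd.exe?/c+dir",
    "/images/../default.htm",
    "/default.htm",
]

def summarize(requests):
    return Counter(r for req in requests for r in classify(req))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

Both URL forms from the report are rejected for two independent reasons, while a `..` that stays inside the site root is allowed.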


 
                   

