Tom/Jim,

Thanks for all of your help. I did just as suggested. I went back to server publishing and installed UrlScan on my web server.

URLscan almost does the job... I guess I'll just have to live with the results. Instead of all the cmd.exe requests being logged, it now looks like this:

2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 72 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 70 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 80 0 HTTP/1.0 www - - -

Thanks again!

greg

---------- Original Message ----------------------------------
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Sat, 16 Mar 2002 11:39:32 -0600

>http://www.ISAserver.org
>
>Hmmm. I guess I'll have to take out that old Daisy pea shooter and
>teach that bird a thing or two :-)
>
>Tom
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Saturday, March 16, 2002 11:36 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>I can neither confirm nor deny that there is an unsubstantiated claim of
>future Microsoft product functionality that might or might not have been
>started by an avian creature of indeterminate description.
>;-)
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>
>----- Original Message -----
>From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Saturday, March 16, 2002 9:25 AM
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>Hi Jim,
>
>Aha! Yes, URLScan is the perfect solution.
>
>BTW -- a little bird told me that there might be a URLScan that's
>approved to install on the ISA Server coming out in the near future.
>That would be COOL. :-)
>
>Thanks!
>
>Tom
>www.isaserver.org/shinder
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Saturday, March 16, 2002 10:33 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>Hi Tom, Greg,
>
>Unfortunately, that's the choice you have to make:
>1. server publishing allows you to maintain IP addresses in the IIS logs,
>   but can't help with URL filtering
>2. web publishing offers great URL filtering but can't pass the original
>   source IP to the web server.
>
>Your other choice is to use server publishing and install URLScan on the
>web server:
>http://www.microsoft.com/downloads/release.asp?releaseid=32571
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>
>----- Original Message -----
>From: "Greg Foulks" <greg.foulks@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Friday, March 15, 2002 10:07 AM
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>So switching over to Web Publishing works and seems to stop those
>requests from being logged.
>
>Is there any way to stop these requests using Server Publishing? I need
>to use server publishing so I can get detailed information about my
>visitors to my site using Webtrends.
>
>Thanks,
>
>Greg Foulks, MCP
>NewFound Technologies, Inc.
>http://www.nfti.com
>Email: greg.foulks@xxxxxxxx
>Voice: 614.318.5036
>Fax: 614.318.5005
>
>-----Original Message-----
>From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
>Sent: Thursday, March 14, 2002 10:10 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>Hi Jim,
>
>We found out what the problem was. He is using Server Publishing Rules.
>
>HTH,
>Tom
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Thursday, March 14, 2002 8:10 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: Explicit Deny does not work, why?
>
>That's really a waste of your time.
>If those requests are making it to your web server behind ISA, then you
>need to reexamine your publishing technique.
>Code Red and Nimda requests can only get to your web server if:
>1. you use server publishing for web sites
>2. your web-published sites use an "all requests" destination in the rule
>Trying to deny those requests in the face of one (or both) of the above
>conditions is fruitless.
>
>Jim Harrison
>MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/authors/harrison/
>Read the books!
>
>----- Original Message -----
>From: "Greg Foulks" <greg.foulks@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Wednesday, March 13, 2002 8:57 AM
>Subject: [isalist] Explicit Deny does not work, why?
>
>I've created a series of deny paths (incoming and outgoing) to block any
>code red attempts from coming into and out of our ISA server.
>
>Please see the attached files
>
>1) Snapshot of the ISA server Destination Set and Content Rules.
>http://www.nfti.com/screen_shot.htm
>
>2) Below, a snapshot of our logs showing the requests are still being
>passed.
>
>Can anyone help to explain why the requests are still being allowed
>through?
>
>Thanks,
>
>Greg Foulks, MCP
>NewFound Technologies, Inc.
>http://www.nfti.com
>Email: greg.foulks@xxxxxxxx
>Voice: 614.318.5036
>Fax: 614.318.5005
>
>Server (500 Series) Errors Detail
>
>Error Code  Timestamp            URL                                            Occurrences  % of 5xx Errors
>500         03/10/2002 05:09:53  /scripts/..\../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 05:09:54  /scripts/..\../winnt/system32/cmd.exe?/c+dir   3            30.00%
>500         03/10/2002 05:09:54  /scripts/../../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:31  /scripts/..\../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:34  /scripts/../../winnt/system32/cmd.exe?/c+dir   1            10.00%
>500         03/10/2002 09:50:34  /scripts/..\../winnt/system32/cmd.exe?/c+dir   3            30.00%
>Total for Errors Above                                                          10           100.00%
>
>Greg Foulks, MCP
>NewFound Technologies, Inc.
>http://www.nfti.com
>Email: greg.foulks@xxxxxxxx
>Voice: 614.318.5036
>Fax: 614.318.5005
>
>------------------------------------------------------
>You are currently subscribed to this ISAserver.org Discussion List as:
>jim@xxxxxxxxxxxx
>To unsubscribe send a blank email to leave-isalist- 373102A@xxxxxxxxxxxxx
________________________________________________________________
Sent via the NewFound Technologies, Inc. - WebMail system at mail.nfti.com
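
Added example, not part of the original thread: one way to separate the probe traffic discussed above from real visits before the IIS log is handed to a statistics tool. The field order is an assumption (the post shows no #Fields header), the 192.0.2.x log lines are constructed, and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import unquote

# Assumed W3C extended field order; the post shows no #Fields header.
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)").split()

# First three lines are from the post; the 192.0.2.x lines are constructed.
SAMPLE = r"""
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 72 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 70 0 HTTP/1.0 www - - -
2002-03-16 08:14:17 12.217.5.203 - W3SVC1 WEBKEEPER 10.0.0.32 80 - - - 404 2 245 80 0 HTTP/1.0 www - - -
2002-03-16 08:15:02 192.0.2.10 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 500 0 245 72 0 HTTP/1.0 www - - -
2002-03-16 08:15:10 192.0.2.20 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /default.htm - 200 0 4096 310 15 HTTP/1.1 www Mozilla/4.0 - -
"""

def parse(text):
    """Return one dict per log entry, skipping directives and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def classify(row):
    """Label an entry 'traversal', 'blank-404' or 'normal'."""
    # Decode once and unify separators so both forms in the report compare equal.
    stem = unquote(row["cs-uri-stem"]).replace("\\", "/").lower()
    if ".." in stem.split("/") and stem.endswith("/cmd.exe"):
        return "traversal"
    # Shape of the entries Greg reports after installing UrlScan.
    if (row["cs-method"], row["cs-uri-stem"], row["sc-status"]) == ("-", "-", "404"):
        return "blank-404"
    return "normal"

def summarize(text):
    """Count entries per (client IP, label)."""
    return Counter((r["c-ip"], classify(r)) for r in parse(text))

def clean_rows(text):
    """Entries that are safe to pass on to visitor statistics."""
    return [r for r in parse(text) if classify(r) == "normal"]

if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE).items()):
        print(ip, kind, n)
```
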