That's really a waste of your time. If those requests are making it to your web server behind ISA, then you need to reexamine your publishing technique. Code Red and Nimda requests can only get to your web server if: 1. you use server publishing for web sites 2. your web-published sites use an "all requests" destination in the rule Trying to deny those requests in the face of one (or both) of the above conditions is fruitless. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Greg Foulks" <greg.foulks@xxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, March 13, 2002 8:57 AM Subject: [isalist] Explicit Deny does not work, why? http://www.ISAserver.org I've created a series of deny paths (incoming and outgoing) to block any code red attempts from coming into and out of our ISA server. Please see the attached files 1) Snap shot of the ISA server Destination Set and Content Rules. http://www.nfti.com/screen_shot.htm 2) Below A snap shot of our logs showing the requests are still being passed. Can anyone help to explain why the requests are still being allowed through? Thanks, Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005 Server (500 Series) Errors Detail Error Code, Timestamp and URL Occurrences % of 5xx Errors 50003/10/2002 05:09:53/scripts/..\../winnt/system32/cmd.exe?/c+dir 1 10.00% 50003/10/2002 05:09:54/scripts/..\../winnt/system32/cmd.exe?/c+dir 3 30.00% 50003/10/2002 05:09:54/scripts/../../winnt/system32/cmd.exe?/c+dir 1 10.00% 50003/10/2002 09:50:31/scripts/..\../winnt/system32/cmd.exe?/c+dir 1 10.00% 50003/10/2002 09:50:34/scripts/../../winnt/system32/cmd.exe?/c+dir 1 10.00% 50003/10/2002 09:50:34/scripts/..\../winnt/system32/cmd.exe?/c+dir 3 30.00% Total for Errors Above 10 100.00% Greg Foulks, MCP NewFound Technologies, Inc. http://www.nfti.com Email: greg.foulks@xxxxxxxx Voice: 614.318.5036 Fax: 614.318.5005 ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')