Secure IIS 6.0
Hi,
I have Windows Server 2003 SP2 R2 x64 with IIS 6 installed, running the Client Access role (Exchange 2007 SP1). This web service is public to the Internet (webmail). Recently, I found that a hacker had uploaded lots of hack tools to my server as the user NT AUTHORITY\SYSTEM (path C:\windows\system32\inetsrv\).
Following the earlier guide, I tried to secure my server. However, when I downloaded and installed Software Restriction Policies on Windows Server 2003, I was confused about how to restrict the applications the "hacker" uses, i.e. the tools they had uploaded. So it seems that Software Restriction Policies can't work well. Furthermore, I could not trace the source (IP) from which the hacker uploaded the tools to the folder "C:\windows\system32\inetsrv", even though we have a syslog server (Splunk) that monitors our server.
Please tell me how to fix these problems.
Thank you very much.
May 29th, 2012 5:04am
Use ISA 2006 or Forefront Threat Management Gateway (TMG) as a reverse proxy in front of the Exchange servers (so your Exchange server(s) aren't accessible directly from the Internet). This is the de facto standard. It will help guard against these types of attacks. You still want to lock down the servers that sit behind ISA/TMG too.
Also, have a look at the following URLs.
IIS 6 Security Best Practices:
http://technet.microsoft.com/en-us/library/cc782762(v=ws.10).aspx
Here is a dated but still relevant article on the SANS site about securing IIS 6 from the O/S layer and up:
http://www.sans.org/reading_room/whitepapers/windows/securing-iis6-os_1238
Hope that helps!
Brian
May 30th, 2012 3:13am
Hi,
For Software Restriction Policies, I'd suggest using a hash rule:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies
1. Create new software restriction policies.
2. Right-click Additional Rules and choose Create Hash Rule.
3. Click Browse and navigate to the executable/program you want to stop users from running, then click OK.
4. Set the Security Level to Disallowed.
For reference:
Restricting Software Access and Protecting Computers
http://technet.microsoft.com/en-us/library/cc784363(WS.10).aspx
In addition, I'd suggest auditing the folder so you can monitor access to it:
How to audit user access of files, folders, and printers in Windows XP
http://support.microsoft.com/kb/310399
If the issue persists, please provide the related event log entries for our further analysis.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 30th, 2012 3:15am
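The two steps in the answer above (a Disallowed hash rule for each uploaded tool, and an audit entry on the inetsrv folder) can be scripted so they survive re-uploads and cover every file at once. The block below is an added example, not code from the thread or from Microsoft. It assumes Windows PowerShell 2.0 on the Server 2003 box, an elevated session, that Software Restriction Policies have already been created once in the snap-in (so the CodeIdentifiers key exists), and that the folder and file paths are the ones from the original post; the registry layout it writes is the one the "Create Hash Rule" dialog produces on XP/2003 (MD5 under Safer\CodeIdentifiers\0\Hashes), so compare one scripted rule with a GUI-created rule on your build before relying on it. Note the caveat: a hash rule only stops a file with that exact content, and an attacker who can already write as SYSTEM can drop a modified copy, so this buys visibility and friction, not a fix for the entry point.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0, an elevated
# session, and that SRP was already created once in the snap-in.
param(
    [string]$Folder = 'C:\Windows\System32\inetsrv',
    [string[]]$Suspect = @()   # paths of the uploaded tools, e.g. 'C:\Windows\System32\inetsrv\tool.exe'
)
Set-StrictMode -Version 2

# ---- 1. Baseline the folder: which files exist, created when, owned by whom.
# Files created after the last patch/install date or owned by an unexpected
# account are candidates for $Suspect and for the incident timeline.
function Get-FolderBaseline([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Created = $_.CreationTimeUtc
                Written = $_.LastWriteTimeUtc
                Owner   = (Get-Acl -Path $_.FullName).Owner
                Bytes   = $_.Length
            }
        } | Sort-Object Created -Descending
}

# ---- 2. Audit writes/creates/deletes in the folder (SACL, inherited).
# Requires "Audit object access" (Success and Failure) in the audit policy;
# on Windows 2003 the resulting Security events (560/567) can then be shipped
# to Splunk like the rest of the log, which answers "who wrote here, when".
function Enable-WriteAuditing([string]$Path) {
    $acl    = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# ---- 3. SRP hash rule at level 0 (Disallowed) for one file.
# Layout assumed to match what the SRP snap-in writes on XP/2003; verify
# against a GUI-created rule before trusting it. HashAlg 0x8003 = CALG_MD5.
function Add-SrpHashRule([string]$File) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($File)
    try { $hash = $md5.ComputeHash($stream) } finally { $stream.Close() }
    $item = Get-Item -Path $File
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{' + [guid]::NewGuid().ToString() + '}'
    $null = New-Item -Path $key -Force
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value ('Blocked: ' + $item.FullName) | Out-Null
    New-ItemProperty -Path $key -Name FriendlyName -PropertyType String -Value $item.Name | Out-Null
    New-ItemProperty -Path $key -Name HashAlg      -PropertyType DWord  -Value 0x8003 | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType Binary -Value $hash | Out-Null
    New-ItemProperty -Path $key -Name ItemSize     -PropertyType QWord  -Value $item.Length | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value $item.LastWriteTimeUtc.ToFileTimeUtc() | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 | Out-Null
    # Return the hex digest so the rule can be matched to the file in your notes/SIEM.
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

Get-FolderBaseline $Folder | Format-Table Created, Owner, Bytes, Path -AutoSize
Enable-WriteAuditing $Folder
foreach ($f in $Suspect) { '{0}  {1}' -f (Add-SrpHashRule $f), $f }
```

Run it once with an empty $Suspect list to get the baseline and the audit entry, then again with the tool paths. Keep copies of the uploaded tools (and their hashes) off the server before deleting them; the hash rules are useless without the original bytes, and the copies are your evidence.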
Thanks for your help. I will try it and inform you of the result soon.
Brs;
June 1st, 2012 12:38am