Hi, I have Windows Server 2003 Sp2 R2 x64, installed IIS 6, for running client access role (Exchange 2007 Sp1). This web service is public to internet (Web mail). Recently, I have found that the hacker had been uploaded lots of hack tools to my server using user NT AUTHORITY\SYSTEM (Path C:\windows\system32\inetsrv\). As the guide before, I tried to secure my server. However, when i downloaded and installed Software Restriction Policies in Windows Server 2003, I so confused how to restrict the application that "hacker" use as the tool they had uploaded. So it seems that Software Restriction Policies can't work well. Furthermore, I could not trace the source (IP) that the hacker uploaded tools to the folder "C:\windows\system32\inetsrv" even though we had syslog server using Splunk that monitor our Server. Please tell me how to fix problems. Thank you very much.

Thanks for you help. I will try and inform you the result soon. Brs;