ISA Server can be used to prevent the spread of the Code Red worm and its current (as of August 24, 2001) variants (such as Code Red and Code Red II). This has not been tested against the new Code Red.d variant. Below is a list of best practices to prevent the current Code Red versions from spreading into your network, and also to prevent Code Red from spreading outside of your network if one of your internal machines has been compromised. The scenario for blocking inbound traffic has been tested. The scenario for blocking outbound traffic has not been tested. These procedures, however, cannot guarantee protection against future variants of Code Red. To make sure your systems are not vulnerable, update your IIS servers with the patch at the following location: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Disclaimer

Two scenarios are discussed here. The first scenario is to prevent Code Red from entering your network.

GET http://

There are also variations where, instead of NNNN, the GET request is filled with XXXX's or OOOO's. In another variation, the

Preventing inbound Code Red attacks

There are two ways that Code Red can spread into your network. This list of rules will prevent Code Red from spreading into your network. Do not include www.worm.com in any publishing rules.

Preventing outbound Code Red attacks

To prevent an infected machine on the internal network from infecting outside servers: create a destination set consisting of * as the destination (for any host) with a path of /default.ida*.

Summary

When configured correctly, ISA Server can be used to protect your network from inbound and outbound Code Red attacks. By following the directions in the "Preventing inbound Code Red attacks" section above, you can protect internal IIS servers from infection. This can buy system administrators time to roll out the IIS patches internally.
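The destination-set rule above (destination * for any host, path /default.ida*) can also be expressed as a log check, so an administrator can see which requests the rule would block and confirm that legitimate traffic is not caught. The following Python is an added example written for this page; it is not code from the article and has nothing to do with how ISA Server implements destination sets. The log line format and the sample lines are constructed, and the fill-character check only covers the NNNN, XXXX and OOOO variations the article mentions.

```python
"""Log check mirroring the article's destination-set rule:
any host ('*'), path '/default.ida*'. Added example, not part of the article."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the article).
# Assumed format: client_ip "METHOD request-target HTTP/version"
SAMPLE_LOG = """\
10.0.0.5 "GET http://www.example.com/index.html HTTP/1.0"
10.0.0.7 "GET http://www.example.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0"
10.0.0.9 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0"
10.0.0.11 "GET http://10.1.2.3/DEFAULT.IDA?OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.0"
10.0.0.13 "GET http://www.example.com/docs/default.ida HTTP/1.0"
10.0.0.15 "POST http://www.example.com/cgi-bin/form HTTP/1.1"
"""

REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"$'
)
# A run of at least four identical N, X or O characters at the start of the query.
FILL = re.compile(r"^([NXO])\1{3,}")


def matches_code_red_rule(target: str) -> bool:
    """True if the request target matches destination '*' with path '/default.ida*'.

    Accepts both absolute URLs (as a proxy sees them) and origin-form targets
    (as the web server sees them). The trailing '*' allows any suffix, so
    '/default.idaXYZ' matches, while '/docs/default.ida' does not: the path
    must begin at the site root. IIS file names are case-insensitive, so the
    comparison is too.
    """
    path = urlsplit(target).path
    return path.lower().startswith("/default.ida")


def fill_pattern(target: str) -> Optional[str]:
    """Return the fill character (N, X or O) when the query string starts with
    the long run of repeated letters the article describes, else None."""
    query = urlsplit(target).query
    m = FILL.match(query)
    return m.group(1) if m else None


def scan_log(text: str) -> List[Dict]:
    """Apply the rule to each log line and return the requests it would block."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        if matches_code_red_rule(m["target"]):
            hits.append({"client": m["client"], "target": m["target"],
                         "fill": fill_pattern(m["target"])})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"BLOCK {h['client']} -> {h['target']} (fill={h['fill']})")
```

Run against the sample, the check flags the three /default.ida requests (including the upper-case one and the one without a host) and leaves the normal page, the form POST and the request under /docs/ alone, which is the behaviour the destination-set rule is meant to have. The fill-pattern value is only a classification hint: the rule itself blocks on the path, so a future variant with a different fill is still caught as long as it still requests /default.ida.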
For More Information

The following lists locations you may visit for more information about the subjects mentioned in this article.

Microsoft TechNet Security site