How ISA Server Can Be Configured to Stop the Code Red Worm






ISA Server can be used to prevent the spread of the Code Red worm and its current (as of August 24, 2001) variants (such as Code Red and Code Red II). This has not been tested against the new Code Red.d variant.


Here is the list of best practices to prevent the current Code Red versions from spreading into your network, and also to prevent Code Red from spreading outside of your network if one of your internal machines has been compromised. The scenario for blocking inbound has been tested. The scenario for blocking outbound has not been tested. These procedures, however, cannot guarantee protection against future variants of Code Red. To make sure your systems are not vulnerable, please update your IIS servers with the patch at the following location: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp


Disclaimer
There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user’s own risk.


There are two scenarios that are discussed here:


The first scenario is to prevent Code Red from entering your network.
The second scenario is to prevent Code Red from spreading outside of your network if you have already been infected.
A Code Red request may look like this:


GET http:///default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0


There are also variations where instead of NNNN, the GET request is filled with XXXX’s or OOOO’s. In another variation, the of the request contains www.worm.com.


Preventing inbound Code Red attacks

There are two ways that Code Red can spread into your network. This list of rules will prevent Code Red from spreading into your network.

Do not include www.worm.com in any publishing rules.
Your destination sets used in your publishing rules should contain the DNS name, and not the actual IP. An example is to list “microsoft.com” in the definition, and not something like xxx.xxx.xxx.xxx (where x is a digit of an IP address).
Do not use server publishing for port 80 (doing so would allow Code Red to infect any unprotected machines).
When doing web publishing, always use a defined destination set as explained above, and never use the “All destinations” option in the “Applies to” section.


Preventing outbound Code Red attacks


To prevent an infected machine on the internal network from infecting outside servers:


Create a destination set consisting of * as the destination (for any host) with a path of /default.ida*.
Create an explicit deny content rule using that destination set.
Make sure that there is no rule that allows ‘all destinations’ and ‘any user’.
Use a rule that uses authenticated users, or uses internal IP client sets to determine if access should be granted.
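
The following is an added example, not part of the original article and not ISA Server code. It models the two checks described above: inbound requests are forwarded only when the host matches a destination set of DNS names, and outbound requests for /default.ida* are denied for any host. The host name www.example.com, the sample IP addresses, and the shortened requests are constructed for illustration, and the model assumes that worm requests address the server by IP or as www.worm.com.

```python
# Added illustration: a simplified model of the two rule checks, not ISA Server code.
import fnmatch

PUBLISHED_HOSTS = {"www.example.com"}  # hypothetical destination set: DNS names only
DENY_PATHS = ["/default.ida*"]         # path used by the explicit outbound deny rule


def parse_request(raw):
    """Return (host, target) for a raw HTTP request, lowercased."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    host = ""
    if target.lower().startswith("http://"):
        # Proxy-style absolute URI: the host comes from the URI itself.
        host, _, tail = target[7:].partition("/")
        target = "/" + tail
    else:
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
                break
    return host.split(":")[0].lower(), target.lower()


def inbound_allowed(raw):
    """Web publishing check: forward only if the host is a named destination."""
    host, _ = parse_request(raw)
    return host in PUBLISHED_HOSTS


def outbound_allowed(raw):
    """Explicit deny for /default.ida* to any host; everything else falls through."""
    _, target = parse_request(raw)
    return not any(fnmatch.fnmatchcase(target, pat) for pat in DENY_PATHS)


# Constructed sample requests (padding shortened, no payload).
SCAN_BY_IP = "GET /default.ida?NNNNNNNN HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"
SCAN_WORM_HOST = "GET /default.ida?XXXXXXXX HTTP/1.0\r\nHost: www.worm.com\r\n\r\n"
LEGIT_IN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OUT_INFECTED = "GET http://198.51.100.7/default.ida?NNNNNNNN HTTP/1.0\r\n\r\n"
OUT_NORMAL = "GET http://www.example.org/index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name in ("SCAN_BY_IP", "SCAN_WORM_HOST", "LEGIT_IN"):
        print(name, "inbound allowed:", inbound_allowed(globals()[name]))
    for name in ("OUT_INFECTED", "OUT_NORMAL"):
        print(name, "outbound allowed:", outbound_allowed(globals()[name]))
```

In this model the inbound check looks only at the host name, which is why the article still directs you to patch the IIS servers behind the firewall.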


Summary


When configured correctly, ISA Server can be used to protect your network from inbound and outbound Code Red attacks.


By following the directions stated in the “Preventing inbound Code Red Attacks” section above, you can protect internal IIS servers from infection. This can buy system administrators time in order to roll out the IIS patches internally.
By following the directions stated in the “Preventing Outbound Code Red Attacks” section above, you can prevent infected IIS Servers from infecting servers outside of your network. This lessens the possibility of legal action against your company for “attacking” another network.


For More Information

The following lists locations you may visit for more information about the subjects mentioned in this article.

Microsoft TechNet Security site
Tool available for Code Red II worm
Microsoft ISA Server technology center on Microsoft TechNet
Security How-To articles
