Get out the treasure map. bring along a stethoscope. hunting down IIS systems, especially inadvertently installed rogues, will take a methodical, plodding approach. However, an accurate network diagram and diagnostic tools can take some of the pain out of plugging IIS security holes.
Draw a map of the organizations network that shows where IIS systems are installed. HFNetChk, from Microsoft, can scan local or remote machines and indicate which patches have and have not been applied. This tool is hard to automate, and the output is difficult to use. Inventory management tools from Tally Systems Corp. and others can make this task a lot easier and less prone to error, by automatically surveying systems for a software "fingerprint." Although they require that an agent be installed on the target system, this is a small price to pay to keep tabs on critical systems. BindView Corp. makes a variety of bv-Control tools for Windows 2000. BindView products monitor server configurations specifically for changes to security settings. IT managers can then set configuration requirements and receive reports and alerts when systems are out of compliance.
Locate Windows 2000 servers that were automatically installed with IIS enabled but were not authorized by central IT. This will be a lot trickier. IT managers who suspect renegade systems are inside the firewall should start with the simple questions: Was a disk imaging system used to create production servers? If so, did the disk image include IIS, which is part of the default installation?
Send e-mail asking departmental administrators if they know of any IIS servers operating in their area. Its probably a good idea to offer an amnesty program to encourage people to turn in their unauthorized servers. CyberCop Scanner, from Network Associates Inc., can help IT managers scan the internal network for "responsive devices," including IIS. Match legitimate IIS systems with the CyberCop Scanner report and investigate all other found devices.
Read up on security threats and preventive measures. The "Hack Attacks" series by John Chirillo (Wiley Computer Publishing) and "Viruses Revealed" by David Harley et al. (McGraw-Hill) offer in-depth expertise on how systems are compromised while imparting fundamental practices that IT managers can use to protect network resources.