Skip navigation

Hacking IIS 6.0

Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger Grimes will secure a Microsoft IIS 6.0 system and make it available on the Internet April 17 through June 8 so that people can try to break into it. In the July issue, Roger will write about how he secured the system and what happened during the contest. For more information about the contest, go to

I've already read messages on one security mailing list from people complaining about the challenge or poking fun at it. One person wrote that it's a ploy to gather zero-day (previously unpublished) exploits. I don't know whether anybody will collect packets during the contest or whether such packets will be examined to learn more about how people approach hacking an IIS 6.0 box. But such forensic analysis might occur. Would that be a bad thing?

There were also comments that the contest is an attempt to identify hackers and arrest them. That notion is laughable (and probably based in paranoia) given the fact that people have been invited to hack the box.

Some people also felt that such challenges don't work because of eventual Denial of Service (DoS) attacks. One person mentioned that the site is located on the same subnet as the magazine's Web farm. So if somebody decides to launch a Distributed DoS (DDoS) attack against the site, it could overwhelm the gateway and thereby render all sites behind the gateway unavailable. That's true. But the site is only an information site. It's not the actual system that will be made available for hacking. Sometime in the next week, further information will become available at the site, so check back to learn more details, including the address of the system to hack.

People also pointed out that the challenge can't really prove that the site is secure. If no one manages to break into the site, it might just be because somebody who might know how to break in doesn't take part in the challenge. That's rational; we should probably assume that somebody somewhere knows how to break any particular piece of software. It's a widely held opinion that no system is completely secure.

We could enjoy the challenge for exactly what it is--a challenge--without trying to read all sorts of motives into it. Many people attend various hacker conferences at which such challenges are relatively common. The main difference here is that this challenge is open to the public. It's a way to test your skills and have some fun trying to find a way to breach security. That's it.

Speaking of contests, the Windows IT Pro annual Readers' Choice contest is underway. Vote for your favorite IT products and reward companies that provide excellent products and services. The September 2005 issue of Windows IT Pro will feature the winners. To vote, go to

And, finally, if you use the Windows IT Pro Web site, you might be happy to have a chance to tell us how to improve it. Give us your opinion in the usability survey at

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.