I recently received the following question from a customer:

Hi Chris,

I am trying to debug a problem I had this morning with IIS 6.0

Basically it was dynamically adding an IP address to the list of blocked IP addresses.

This IP address was actually our proxy server and of course we were getting a lot of HTTP Error 403 403.6 Forbidden: IP address rejected errors

Any ideas why this would happen?

The network administrator reckons it was a problem with IIS 6.0 but I have my doubts as the problem disappeared once he rebooted the proxy server?

Many thanks for your help

I found this to be an interesting question, and one that led to a couple of quick thoughts on my part:

   a).  Why is something modifying the metabase on this customer’s system without them knowing it?

   b).  Metabase auditing…ah, such a friend.  Are you running Service Pack 1?

In either event, I responded with some ideas but nothing concrete, because there were just too many possibilities.  After receiving a prompt reply from the customer that included the root cause, I was shocked.

If you are new to the Microsoft Operations Manager (MOM) 2005 suite, then you might be interested to know that it does in fact take some administrative tasks out of your hands.  I was always aware that MOM was great at reporting things such as the status of sites, worker processes, etc., but I never knew that it would in fact modify the behavior of IIS.  It does so through a couple of slick moves, editing the metabase (the IIS configuration) based on criteria.

In the end, the cause of the problem was purely MOM 2005: it takes any incoming request that has the footprint of a possible Denial-of-Service (DoS) or security hack and places that incoming IP address in the IP Deny list in the metabase.  Hence, administrators may very well see their IP Deny list grow, depending on the configuration of the management pack.
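To see which clients the deny list is turning away, and since when, you can tally 403.6 responses per client IP from the IIS W3C extended logs. The script below is an added example, not part of MOM or the management pack guide; it assumes the c-ip, sc-status and sc-substatus fields are being logged, and the sample log lines and function names are constructed for illustration.

```python
# Constructed sample in W3C extended log format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2006-03-01 08:59:12 192.0.2.10 GET /default.aspx 200 0
2006-03-01 09:00:03 192.0.2.10 GET /default.aspx 403 6
2006-03-01 09:00:04 192.0.2.10 GET /images/logo.gif 403 6
2006-03-01 09:00:09 198.51.100.7 GET /admin/ 403 14
2006-03-01 09:01:30 192.0.2.10 POST /login.aspx 403 6
"""


def rejected_by_ip(lines):
    """Return {client_ip: {"count", "first", "last"}} for 403.6 responses."""
    fields, hits = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The header can repeat mid-file with a different field list,
            # so re-read it every time it appears.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        # 403.6 = "Forbidden: IP address rejected"; other 403.x are unrelated.
        if row.get("sc-status") != "403" or row.get("sc-substatus") != "6":
            continue
        ts = (row.get("date", "") + " " + row.get("time", "")).strip()
        ip = row.get("c-ip", "unknown")
        entry = hits.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return hits


def locked_out(hits, known_hosts):
    """Known infrastructure addresses (e.g. your proxy) that are being rejected."""
    return sorted(ip for ip in hits if ip in known_hosts)


if __name__ == "__main__":
    hits = rejected_by_ip(SAMPLE_LOG.splitlines())
    for ip, h in hits.items():
        print(ip, h["count"], "rejections from", h["first"], "to", h["last"])
    print("Known hosts being denied:", locked_out(hits, {"192.0.2.10"}))
```

The first rejection timestamp for a known host gives you the window in which to look for whatever wrote to the metabase.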

If you use MOM 2005, even if you are not directly managing its behavior or responsible for it, I would suggest the following reading just to familiarize yourself with what it can do:

Microsoft Windows Internet Information Services (IIS) Management Pack Guide

Details:

Depending on the features of the Management Pack that you are using, the following configuration can be performed:

· Configure IIS logging — Enable IIS logging to gather data from IIS logs. Without IIS log data, this Management Pack collects only service discovery data.

· Modify settings for collecting service discovery data — In addition to collecting the default service discovery data for IIS, you can configure the Management Pack to collect IIS script maps.

· Adjust IIS log file sizes — If IIS logs exceed 2 GB per day, configure IIS logging to start new logs based on size, instead of frequency.

· Lock out Internet attackers — Configure the Management Pack to add the IP address of Internet attackers to the IP Deny list for all Web sites on a local computer.

Shocked… Yes.  Pleasantly surprised at how well this MS product integrates with ours — You better believe it!  This, in my opinion, is cool stuff…

~Chris