> 1. What type of vulnerabilities were they looking for? Doesn't look like a "they"...looks like a Nimda scan.
> 2. Does the fact the it says <Rejected by urlscan > imply that URLScan from M$ is loaded. No, it means it's running. > I didn't do this myself...thats why I'm curious. I'd suggest that you get detailed documentation on the configuration. Find out which script mappings are enabled/disabled, what patches are installed, etc. > 3. What is the best course of action in regards to the individual attempting these activities? Ignore it. The scan you posted was denied, and therefore unsuccessful. It's from RR...getting anything but a form email response from them is a full-time job in-and-of itself. > 4. I did run the IIS Lockdown wizard. Is that sufficient for most types of attacks? What other tools should I consider running? Security isn't so much about tools as it is about processes and methodologies. Keep an eye on your logs. Keep up on patches. Make sure that your system in configured to least privilege...keep unnecessary services and script mappings from running. Restrict access to your infrastructure via f/w and router ACLs. __________________________________________________ Do You Yahoo!? LAUNCH - Your Yahoo! Music Experience http://launch.yahoo.com
