Where are deny/allowed ip's stored in IIS6

         

astromex

5:02 pm on Nov 8, 2005 (gmt 0)

10+ Year Member



Looking through my logs I see various hacking attempts, many of which are trying to access files that don't exist, e.g. /phpmyadmin/index.php

What I would like to do is to create a fake version of the above file that, when accessed, automatically adds the referer IP address to IIS's denied IP list.

However, I don't know where IIS stores this list; searching the registry hasn't shown any of my currently banned addresses up. Can anyone tell me where it stores them or any software/scripts that can do this?

Thanks

webdoctor

10:05 am on Nov 9, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What I would like to do is to create a fake version of the above file that, when accessed, automatically adds the referer IP address to IIS's denied IP list.

Is it worth it?

If somebody decides to attack your server from ten thousand different PCs, you'll end up with a deny file with ten thousand entries.

What will this do to your server's performance?

astromex

10:27 am on Nov 9, 2005 (gmt 0)

10+ Year Member



I'm a good enough programmer to be able to intelligently update the list and add in ranges if IPs appear in the same subnet. If the list can't cope with a decent amount of entries, it's not worth having there in the first place.
I just want to automate some of the more obvious attempts.

webdoctor

10:18 pm on Nov 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm a good enough programmer...

...as crackers round the world sit up and take notice; they love a challenge :-)

If the list can't cope with a decent amount of entries, it's not worth having there in the first place.

How do you know whether your server can cope with a very long list? I was actually suggesting that it's not worth it...

I just want to automate some of the more obvious attempts

IMHO you achieve nothing by doing this. Most of these attacks come from bots, many of these will be on dynamic ip addresses. You'll end up with a huge list of "deny" entries, and you won't improve the security of your server one iota. You'll probably see the growing list of denied ips and get a false sense of security.

If it makes you feel good, that's fine, but this kind of thing gets discussed (and rejected) often enough. Think carefully about what you want to achieve.

Rain Forest Puppy said: "Put down that honeypot and keep up to date on your patches".

He knows more about this than you or I do. Maybe he's right.

astromex

9:55 am on Nov 11, 2005 (gmt 0)

10+ Year Member



Ok, so to sum it up.

The deny list is a waste of time.
Use a honey pot.

Do you have a link to a good thread that discusses honey?

mattglet

12:23 pm on Nov 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



astromex-

First: Welcome to WebmasterWorld!

Second: Sorry about the total lack of help so far.

Third:
Here's my suggestion for you. Rather than worrying about where IIS stores the list, just create your own in a database or flat file, or whatever else you would like to use. Create a custom 404 page for your site, and in that page, you can create functionality that will log the IPs to your list. Then in your Global.asa/asax (depending on if you are using .NET or classic ASP), create something that checks your list to see if the visitor is a banned user, and drop them a 403 status error. There are a bunch of different ways to accomplish what I described, this is just one method.

Some things to think about:
If the banned IP is from an AOL account, you will probably end up banning a lot of people you didn't mean to, due to the way AOL hands out IPs using a proxy server. This could also happen if other users try to enter your site with an IP that someone used, and got banned.
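The self-managed deny list suggested above, sketched in Python as an added example (not code from the thread or from IIS): it builds the list from IIS W3C log lines rather than from a 404 page, and collapses hosts into a /24 as proposed earlier in the thread. The sample log, `DECOY_PATHS`, `SUBNET_THRESHOLD` and all function names are assumptions made for illustration; IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-11-08 17:01:10 203.0.113.5 GET /phpmyadmin/index.php 404
2005-11-08 17:01:12 203.0.113.9 GET /phpmyadmin/index.php 404
2005-11-08 17:01:15 203.0.113.77 GET /phpmyadmin/index.php 404
2005-11-08 17:02:00 198.51.100.20 GET /phpmyadmin/index.php 404
2005-11-08 17:03:00 192.0.2.44 GET /missing.gif 404
2005-11-08 17:04:00 192.0.2.44 GET /default.asp 200
"""
DECOY_PATHS = {"/phpmyadmin/index.php"}  # assumption: paths this site never serves
SUBNET_THRESHOLD = 3                     # assumption: distinct hosts before a /24 ban

def probing_ips(log_text, decoys=DECOY_PATHS):
    """Return client IPs that received a 404 for a decoy path."""
    fields, hits = [], set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Ordinary 404s (broken links, missing images) must not trigger a ban.
        if row.get("sc-status") == "404" and row.get("cs-uri-stem", "").lower() in decoys:
            hits.add(ipaddress.ip_address(row["c-ip"]))
    return hits

def build_deny_list(ips, threshold=SUBNET_THRESHOLD):
    """Collapse hosts into their /24 once `threshold` distinct hosts share it."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    deny = []
    for net, members in by_net.items():
        if len(members) >= threshold:
            deny.append(net)             # one range entry replaces many hosts
        else:
            deny.extend(ipaddress.ip_network(f"{m}/32") for m in members)
    return sorted(deny)

def is_denied(addr, deny_list):
    """The lookup a request handler would run before answering 403."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in deny_list)

DENY = build_deny_list(probing_ips(SAMPLE_LOG))
```

With the sample data, `is_denied("203.0.113.200", DENY)` is true even though that address never probed anything: collapsing to a range keeps the list short at the cost of the collateral blocking described in the post above.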

aspdaddy

12:41 pm on Nov 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The deny list is useful on an Intranet/Extranet where offices and users have set IP ranges.

Win2K3 is actually very secure when patched and hardened. Even hackers say it's much more secure than Unix systems now; with canary stack detection and hardware support for handling buffer overruns, the options for getting in are running out for them.

Patch management, Security templates, IIS lockdown and Baseline Analyser take a lot of the work away. Focus your efforts on these, understand what services you need and disable everything else, disable FTP and SMTP as they don't encrypt passwords. Disable outbound web access other than for updates (OS, AV, UPS etc.).

Do you have a link to a good thread that discusses honey?

Not a good idea to post those kinda links.

astromex

12:52 pm on Nov 11, 2005 (gmt 0)

10+ Year Member



Thanks for the help. That seems to be a better solution than messing with the registry.

aspdaddy

1:14 pm on Nov 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FYI - If you really wanted to you could actually administer the IIS security with code, you would need to write a script to create the IIsIPSecurity object and call the IPDeny and DomainDeny methods - the latter has a massive implication on performance as it calls a reverse DNS.

Easy_Coder

1:35 pm on Nov 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Somewhere deep in the bowels of the MSDN site there used to be some VB COM code that demonstrated how to programmatically administer IIS. I used some of it in the past but that was back in the late 90s.

I'll see if I can find it for you.