Hacker News

Why stop there? Front the honeypot with a real IIS server, build a matryoshka doll of honeypots and see how far people get.

Unless you're honeypotting in the IP range of an established organization, all you're doing is getting bot traffic.

High-tier blackhats focus on big targets, and low-tier ones focus on low-hanging fruits they find off shodan or application 0days they've found.

Tell me more…I opened a plex and Nintendo switch port, the scans were out of control. I’d love to screw over port scanner over.

Noise is a really underrated security layer.

Sounds like creating an url like aspnet_client/admin.php returning a WebObjects header might be a good hobby

Tangentially, that reminds me of how a Windows update created c:\inetpub on everybody's non-server computers, to "increase protection" for unspecified reasons.

https://www.pcworld.com/article/2684062/why-is-windows-11-la...

The original research for this is at https://soroush.me/downloadable/microsoft_iis_tilde_characte...

> PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion').DisplayVersion > 24H2

I got no response to that command on my W10 box, turns out for older (eg LTSC) versions it appears to need:

  (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
  1809

Those traversal attempts are still very common, right next to the PHP/WordPress script kiddie attacks.

Several times, I wondered if Claude wrote it.

I do. As others have replied, Windows Server--including IIS, means you have a domain joined machine, likely with an SPN of HOST/MACHINE.DOMAIN. Windows services and IIS App Pool Identities log in with an (g)MSA or virtual accounts (NT Service*) and you get a fully working and managed Kerberos experience without having to deal with 30, 60, 90 day password rotations. Log into your MS SQL Server with Kerberos, log into some other webapp's oauth2 flow with Kerberos, etc, it all just works. You can use WinRM with your native Windows shell without having to do anything special, and even technically bypass 2FA since that's just how it really works.

Can you do all this on Linux? Yes. Will it ever be set up correctly? Depends where you work, but based on my experience so far, not likely.

Yep.

And as an ignoramus: what it is that you are supposed to be using nowadays?

Think in the context of a small company making enterprise .NET (framework) code where Windows is the world, cloud wouldn't fly with the customers, SOAP is still king and your one IT guy is too busy to notice anything happened after 2010. Suppose also that entire software rewrites are impossibly impractical, and that while you'd love to take some security gains, you just don't have the capacity to do configuration deep dives let alone to gamble on something complex like Kubernetes.

Way, WAY too many corporate IT divisions.

Some banks still use IIS.

Every large company big enough to host an intranet is running IIS somewhere, possibly everywhere. It integrates well with AD so some really complex tasks become stupid simple.

It's seeing less and less usage as the world moves to AWS which is equally stupid because you're tied to one vendor's proprietary products (Amazon) again. Except this time you don't own the hardware.

Public sector IT loves IIS. Check your municipality's tax or property website it's probably got .aspx scripts out the ass.

I've seen it hosting European web apps, public sector if I recall. Lots of bespoke .NET applications out there with SQL Server backends running entire local governments.

Asian countries especially China and Taiwan love IIS and use it to host anything and everything. This is a personal observation.

Sure the world has mostly moved on, but there's tons of legacy code out there that keeps cities and really important organizations humming that runs on IIS and it's never changing.

You think that's bad, there's still places out there running AS/400 stuff on the web, Lotus Notes, and Novell Groupwise (gasp).

Yeah, I regularly speak to folks still running IIS on Windows Server. There are a lot of old apps out there, sadly. Some really, really important ones.

Amazingly some companies like Hyland still ship software that requires IIS. Bonus add are the pages and pages of setup instructions.

IIS also sits at the back of a many "modern" cloud web type services.

Lots and lots

A lot of Microsoft devs know very little Linux historically as they used windows and are comfortable with it

Decreasing due to cloud and Nodejs takeup

A lot of big corps still use it.

https://bloomberry.com/data/windows-server/

The entire solarwinds platform(barf)

SharePoint uses it extensively

I would say 75% of my webservers are IIS.

Nothing internet facing mind.

Yes, but typically just internal corporate intraweb stuff from what I've seen.

Tons of the Navy's public websites still run on it.

The text uses target.com as a placeholder but they actually also have an IIS blue screen: https://knslsd.target.com/

Back in the early-2000s, I passed the Microsoft certification exam for IIS. I had never even heard of the product (I was told my company had some extra credits at the testing center, I was there taking another exam (Solaris 8 certification), so I figured why not?) I know, MCSE exams were notoriously simple back then, but good god - usually, for every question, 3 of the 4 possible answers didn't even make sense. Anyway, I figured there was no way IIS would last if any dipshit could become "certified" in the product.

> This is extremely well done design (at least on full desktop browsers).

I can't tell if you're being sarcastic, but on my full desktop browser the side bar overlaps the main panel, putting text on top of other text.

P.S. Other than this, I do like the presentation.

"Amazing" is a little generous for script kiddie stuff from the early 2000s.

The author has yet to learn the extent to which civilization depends on people not being cunts to one another for no good reason.