Welcome to the HackIIS6.com Contest!

Beginning May 2nd and running until June 8th, this server (located at ) will welcome hackers to attack it. If you are the first person to deface the Web site or capture the "hidden" document, you win an X-box! Read the contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site.

For the most part, almost anything reasonable constitutes a successful attack except for a massive network denial of service (DoS) attack against the Internet Information Services (IIS) 6.0 box or its host provider. We want to test the security of Windows Server 2003, IIS, and other Microsoft applications. So, please, respect this rule of the contest so everyone can have a chance at claiming the prize.

Contest Summary
We are starting the contest with the very basic, static HTML Web site that you are now reading. Later, we'll add an ASP.NET Web site and a back-end SQL Server. We're starting with the basic site to test whether Microsoft's IIS 6.0 on Windows Server 2003 is secure by itself. This is to satisfy the purists who think hacking ASP.NET is hacking an application and not the server. So, if you've got skills in one area versus the other, you'll have a chance to try both attack types.

The contest ends June 8th, and we will announce the results at Microsoft's Tech.Ed conference on June 9th.

The Setup
This server is running Windows Server 2003, Service Pack1, with all current publicly released patches and hotfixes installed (we ran Windows Update and MBSA just like you would do). We installed IIS 6.0, and then we followed Microsoft's basic recommendations (https://www.microsoft.com/technet/security/prodtech/IIS.mspx). I added a few tweaks here and there to put my personal mark on the site, but nothing extraordinary.

We want this contest to test Microsoft software, and so the only third-party software we used is the host's router/firewall, which would be normal in most environments.

Why a Hacking Contest?
To have fun! We know there will be critics who say sponsoring a hacking contest proves nothing. If the IIS server remains unbroken, it still doesn't mean that IIS is really "secure." True, and if I weren't the contest's team leader, I'd probably be the first one to say so. Hacking contests rarely prove something is secure, although it only takes a single successful hack to prove something is not secure.

So why do it? There are very few places on the Internet where hackers, good and bad, can hack legally. Windows IT Pro thought the contest would be a fun way to interact with the hacker community (they realize most hackers have good intentions) and provide a practical way for readers of Windows IT Pro to learn about security (of course, the magazine will disavow all responsibility and blame me solely if the server gets hacked) <grin>.

So, welcome to the contest! Hack away. If the IIS server goes unhacked during the extended time period, it might not mean that IIS is "unhackable", but if the site does survive the contest it might convince a few people that you can implement a relatively secure Web server platform with IIS if you follow best practices and take reasonable precautions. After all, over 20 percent of the Internet relies on IIS, including some of the largest Web sites in the world.

Questions and Prizes
If you have questions, send an email to [email protected]. If you want to claim a prize, send your email, with the details listed in the official rules to [email protected].

Roger A. Grimes Happy Hacking,

Roger A. Grimes
Contributing editor, Windows IT Pro Magazine