> Reviewing my IIS log files I have noticed that most hacking takes place using the "HEAD" method as opposed to "GET" or "POST".
>
> I don’t think I have used the HEAD action for anything. (I don’t even know what it is.) Does anyone know if IIS can be set up to completely reject requests that are not a GET or POST action?
>
> Thanks,

The HEAD method/action is identical to the GET method/action, except that the server returns only the header information & not the content of the resource. A typical legal use would be to determine if the remote resource matches the locally cached copy.

I have no specific information regarding stopping IIS responding to the HEAD request, though I have seen reference that it may be possible through the "Microsoft Management Console". The following knowledge base articles may be of some use: Q284930 & Q309508. See also http://www.shebeen.com/iis4_nt4sec.htm

It should be noted that to comply with HTTP 1.1, a server must support at least the GET and HEAD methods.
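
For the kind of log review described in the question, the following added example (not part of the original post or reply) tallies request methods per client from an IIS W3C extended log and lists clients that mostly use methods other than GET and POST. The sample log lines, the function names and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-03-01 10:00:01 192.0.2.10 GET /default.htm 200
2002-03-01 10:00:05 198.51.100.7 HEAD /scripts/a.asp 404
2002-03-01 10:00:05 198.51.100.7 HEAD /scripts/b.asp 404
2002-03-01 10:00:06 198.51.100.7 HEAD /default.htm 200
2002-03-01 10:00:09 203.0.113.5 POST /form.asp 200
2002-03-01 10:00:12 203.0.113.5 HEAD /default.htm 200
"""
ALLOWED = {"GET", "POST"}  # the methods the poster wants to keep


def methods_by_client(log_text):
    """Return {client_ip: Counter({method: count})} from W3C log text."""
    fields = []
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        if "c-ip" in row and "cs-method" in row:
            tally[row["c-ip"]][row["cs-method"].upper()] += 1
    return tally


def flag_clients(tally, min_requests=3, threshold=0.5):
    """Clients whose share of non-GET/POST requests is at or above threshold."""
    flagged = {}
    for ip, counts in tally.items():
        total = sum(counts.values())
        other = sum(n for m, n in counts.items() if m not in ALLOWED)
        if total >= min_requests and other / total >= threshold:
            flagged[ip] = (other, total)
    return flagged


if __name__ == "__main__":
    for ip, (other, total) in flag_clients(methods_by_client(SAMPLE_LOG)).items():
        print(f"{ip}: {other}/{total} requests used a method other than GET/POST")
```

The parser relies on the `#Fields:` directive rather than fixed column positions, because the set of logged fields is configurable per site.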