Those are good links,
Thanks

Chris

>>Reviewing my IIS log files I have noticed that most hacking takes place using the "HEAD" method as opposed to "GET" or "POST".
>>
>>I don’t think I have used the HEAD action for anything. (I don’t even know what it is) Does anyone know if IIS can be setup to completely reject requests that are not a GET or POST action?
>>
>>Thanks,
>
>The HEAD method/action is identical to the GET method/action, except that the server returns only the header information & not the content of the resource. A typical legal use would be to determine if the remote resource matches the locally cached copy.
>
>I have no specific information regarding stopping IIS responding to the HEAD request, though I have seen reference that it may be possible through the "Microsoft Management Console". The following knowledge base articles may be of some use : Q284930 & Q309508. See also http://www.shebeen.com/iis4_nt4sec.htm It should be noted that to comply with HTTP 1.1, a server must support at least the GET and HEAD methods.
>
>The following references may be of use :
>http://home.earthlink.net/~alxdark/software/wcd-guide/paged/ch01s02.html
>http://www.groovyweb.uklinux.net/index.php?page_name=http,%20post,%20get%20and%20head%20commands
>http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html