Configuring a honeypot in IIS is a simple way to reduce attacks on your IIS web servers. Strictly speaking, this is not a honeypot, which is a host with known vulnerabilities deliberately exposed to a public network; it is more of a traffic redirector. Using HTTP host headers, it is possible to divert hacker traffic to a non-existent site.
Hackers use port scanners to find IP addresses with TCP 80 open and, once they have compiled a list, run a series of hack attempts against those IP addresses. Your end users, on the other hand, use DNS names to access your website, so this won't affect them in any way. By enabling host headers on the website(s) and redirecting requests made by IP address, we can track where the attacks are coming from yet maintain availability for end users. Let us begin setting up the honeypot.
The first thing we need to do is create an empty directory on the web server. The name and location are irrelevant; for this example I created a directory called Honeypot under C:\Inetpub\wwwroot. Launch the IIS Manager MMC and assign a host header to all your websites so that each virtual server has a host header along with an IP address.

Ensure that no virtual servers are mapped to an IP address on TCP 80 without a host header, and make sure none of them use "All Unassigned" IP addressing. Verify that your host headers are set up correctly and that you can still access all your websites.

Create a new website that points to the previously created directory. The honeypot website should have the "All Unassigned" IP address specified and no host header configured. The site name is irrelevant, but for simplicity I called it Honeypot. Go into the properties of the new website, select the Directory Security tab and check Integrated Windows Authentication. Uncheck the other authentication methods and click OK.

Select the Web Site tab and click on Advanced. Click Add under the heading Advanced Multiple Web Site Configuration and add all the IP addresses. If you get an error about conflicting IP addresses, it means you do not have a host header set up for that web site. Either remove the IP address from the list, or configure a host header for that web site.

Save all your changes and exit out of the IIS Manager MMC.
Now when a user tries to access the web site via IP address they should be sent to the empty directory and get a 403 error. Users accessing the website with the DNS name will access the web site content thanks to the host header.
Is it 100% foolproof? No. The hacker can still attempt to gain access via the domain name, but the majority of attacks are sent to IP addresses. As a benefit, using host headers can improve web server performance because the WWW service does not have to allocate any non-paged pool memory for web sites using a unique IP address.
One more thing: web browsers that are not HTTP 1.1 compliant will be sent to the empty directory, because they do not send a host header.
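Since the purpose of the catch-all site is to see where IP-addressed requests come from, here is an added example (not part of the original article) that summarises client addresses from the Honeypot site's log. It assumes the site logs in W3C extended format with the c-ip field enabled; the sample log lines are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of the Honeypot site's W3C extended log (not real traffic;
# addresses are from documentation ranges). The second #Fields line mimics the
# header IIS writes again after a restart, here with a different column order.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-05 03:10:02 198.51.100.7 GET /scripts/test.dll 403
2024-01-05 03:10:03 198.51.100.7 GET /admin/ 403
2024-01-05 03:11:40 203.0.113.20 HEAD / 403
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-05 09:00:00 GET /admin/ 198.51.100.7 403
2024-01-05 09:00:01 GET /x
"""

def summarize_sources(lines):
    """Map each client IP to its hit count, requested paths, first/last seen."""
    fields = []
    sources = defaultdict(
        lambda: {"hits": 0, "paths": set(), "first": None, "last": None})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is whatever the most recent #Fields directive says.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # blank line or other directive (#Version, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated entry: skip it rather than mis-attribute columns
        row = dict(zip(fields, values))
        if "c-ip" not in row:
            continue  # client address is not being logged
        seen = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        entry = sources[row["c-ip"]]
        entry["hits"] += 1
        entry["paths"].add(row.get("cs-uri-stem", "-"))
        entry["first"] = entry["first"] or seen
        entry["last"] = seen  # entries are written in chronological order
    return dict(sources)

def top_sources(lines, limit=10):
    """Return (client_ip, hits) pairs, busiest source first."""
    counts = [(ip, s["hits"]) for ip, s in summarize_sources(lines).items()]
    return sorted(counts, key=lambda pair: (-pair[1], pair[0]))[:limit]

if __name__ == "__main__":
    for ip, hits in top_sources(SAMPLE_LOG.splitlines()):
        print(ip, hits)
```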