Mitigation at the IIS server looks pretty straightforward. URLScan in default configuration prevents access to ADS files, generating the following log line: Client at 10.1.1.100: URL contains sequence ':', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/myremoteserver/help.gif:secret' So you should see accesses in the IIS logs if you don't run URLScan, and failed attempts in the URLScan logs if you do run it.
