IIS Lockdown and URLscan configuration in the Exchange environment (1)


Symptom
Note: This article discusses Exchange Server 5.5 and Exchange 2000 Server issues that occur when you apply the IIS Lockdown Tool. Microsoft recommends that you download the latest version of the IIS Lockdown Tool:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
309677 XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment
The Internet Information Services (IIS) security tools IISlockD (the IIS Lockdown Tool) and URLscan must be configured specifically for Exchange. This article describes the configuration that these tools require in Exchange 2000 Server and Exchange Server 5.5 environments. Typical symptoms of an incorrect IISlockD or URLscan configuration include:
• Microsoft Outlook Web Access (OWA). When you access OWA, your e-mail items, calendar items, and contacts may be missing. In addition, if you try to access OWA from a browser on the Exchange 2000 Server itself, you may receive the following error message:
A Runtime Error has occurred.
Do you wish to Debug?
Line: 878
Error: The handle is in the wrong state for the requested operation
• Exchange System Manager. When you try to expand the public folder tree in Exchange System Manager, you may receive either of the following error messages:
The object is no longer available. Press F5 to refresh the display, and then try again.
ID no: 80040e19
Exchange System Manager
The operation failed due an internal server error. c1030af2
• Exchange Instant Messaging. When you try to log on to Exchange Instant Messaging, you may receive the following error message:
Signing in to Microsoft Exchange Instant Messaging failed because the service is temporarily unavailable. Please try again later.

Cause
This problem occurs because the default configurations of the IISlockD and URLscan security tools assume that the server serves only static content. Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs that the default configuration does not allow. Exchange Server 5.5 components use Active Server Pages (ASP), which the default configuration disables.
Solution
Check these settings carefully before you apply them to your server. They are designed to keep Exchange 2000 Server and Exchange Server 5.5 working after the lockdown, but they may have other unexpected effects. For example, the URLscan INI settings below affect all of IIS on the computer, not only Exchange: as the "DenyExtensions" section of the INI settings shows, they prevent IIS from serving most content types other than static .htm and .html pages.

This section includes the following parts:
• IIS Lockdown on the Exchange 2000 Server
• IIS Lockdown on the Exchange Server 5.5 computer
• URLscan on the Exchange 2000 Server
  • OWA
  • Exchange System Manager used to manage public folders
  • Instant Messaging
  • Web Folders
  • Custom WebDAV programs
• URLscan on the Exchange Server 5.5 computer

IIS Lockdown on the Exchange 2000 Server
In an Exchange 2000 environment, the Lockdown tool is not applied to the drive that hosts the Exchange Installable File System (IFS), typically drive M:. To use the Lockdown tool on the Exchange 2000 Server:
1. Run IISlockD.exe.
2. Click Advanced Lockdown, and then click Next.
3. The Remove Script Mappings dialog box appears.
a. If the "Disable Active Server Pages (.asp) support" check box is selected, the Multimedia button in OWA does not work. The following Microsoft Knowledge Base article describes how to disable the Multimedia button for customers who do not have a unified messaging solution:
288119 XWEB: How to Disable the Multimedia Button in OWA
When ASP support is disabled, unified messaging still works for WAV file attachments.
b. If the "Disable .HTR scripting (.htr) support" check box is selected, the OWA Change Password function does not work. This OWA function is disabled by default. The following Knowledge Base article describes how to hide the Change Password button in OWA:
297121 XWEB: How to Hide the Change Password Button on the Outlook Web Access Options Page

4. Click Next.
5. The Additional Lockdown Actions dialog box appears.
a. Click to clear the "Disable Web Distributed Authoring and Versioning (WebDAV)" check box.
b. Click to clear the "Set file permissions to prevent anonymous IIS users from writing to content directories" check box. You set these permissions manually instead (see the next procedure), leaving out the IIS virtual directories that are mapped to the Exchange IFS.

6. Click Next, and then click to complete the lockdown process.
To set file permissions for IIS anonymous users manually, add an explicit "Deny" access control entry (ACE) for the Web anonymous user accounts to each IIS virtual directory:
1. Start the Internet Services Manager Microsoft Management Console (MMC).
2. Click to expand Default Web Site.
3. For each virtual directory, perform the following steps:
a. Click the virtual directory, right-click it, and then click Properties.
b. Note the local path that is shown on the Virtual Directory tab.
c. Start Windows Explorer, and then locate the folder at that local path.
d. Right-click the folder, and then click Properties.
e. Click the Security tab.
f. Click Add.
g. Click to select the Web Anonymous Users and Web Applications accounts, and then click OK.
h. Click to select the Web Anonymous Users account, and then select Deny for Full Control.
i. Click to select the Web Applications account, and then select Deny for Full Control.

4. Repeat step 3 for each virtual directory except the Exchange and Exadmin virtual roots, which are mapped to the Exchange IFS.

IIS Lockdown on the Exchange Server 5.5 computer
To use the Lockdown tool on the Exchange Server 5.5 computer:
1. Start IISlockD.exe.
2. Click Advanced Lockdown, and then click Next.
3. The Remove Script Mappings dialog box appears.
a. Click to clear the "Disable Active Server Pages (.asp) support" check box.
b. If the "Disable .HTR scripting (.htr) support" check box is selected, the OWA Change Password function does not work. Click Next.

4. The Additional Lockdown Actions dialog box appears.
5. Click Next, and then click to complete the lockdown process.
If you have already run the IIS Lockdown Tool on the Exchange Server 5.5 OWA server with all options selected, perform the following steps to restore functionality:
• OWA:
1. Start the Internet Services Manager.
2. Click to expand Default Web Site, right-click the Exchange virtual directory, and then click Properties.
3. Click the Virtual Directory tab, and then click Configuration.
4. Click the .asp mapping, and then click Edit. The IIS Lockdown Tool changes this mapping to 404.dll; change it back to asp.dll. On a Microsoft Windows NT 4.0-based computer, add "PUT, DELETE" to the Method exclusions box. On a Microsoft Windows 2000-based computer, make sure that the "Limit to" check box is selected and that the box contains "GET, HEAD, POST, TRACE".
5. Click OK to close the property sheets.

• Change Password:
1. Re-create the deleted Iisadmpwd virtual directory. For more information about how to re-create the Iisadmpwd virtual directory, click the following article number to view the article in the Microsoft Knowledge Base:
301428 Troubleshooting Outlook Web Access from an IIS Perspective
2. By default, the ".htr" script mapping is also removed. To restore the ".htr" mapping:
a. Start the Internet Services Manager.
b. Right-click Default Web Site, and then click Properties.
c. Click the Home Directory tab, and then click Configuration.
d. Click the .htr mapping, and then click Edit. The IIS Lockdown Tool changes this mapping to 404.dll; change it back to ism.dll.
e. Click OK to close the property sheets.

URLscan on the Exchange 2000 Server
This section contains the URLscan configuration files for the following components:
• OWA
• Exchange System Manager
• Instant Messaging
• Web Folders
Note: After the [DenyUrlSequences] section is added to the Urlscan.ini file, you may not be able to open a message through OWA if its subject contains any of those special characters, because OWA builds the item URL from the subject. The administrator should check the URLscan log file in the %windir%\system32\inetsrv\urlscan folder for information that can help resolve these problems.

If multiple services are installed on one server, you may have to merge the configuration files so that all components continue to work.

Open the Urlscan.ini file in the following location:
%windir%\System32\Inetsrv\Urlscan
Modify the Urlscan.ini file according to the role of the Exchange computer.

If you encounter other difficulties when you use URLscan, check the Urlscan.log file for the list of rejected requests. The default location of the Urlscan.log file is:
%windir%\System32\Inetsrv\Urlscan

OWA
The URLscan configuration file for OWA is as follows. If you need the Change Password function, you must remove the ".htr" extension from the [DenyExtensions] section:
[Options]
UseAllowVerbs = 1
UseAllowExtensions = 0
NormalizeUrlBeforeScan = 1
VerifyNormalization = 1
AllowHighBitCharacters = 1
AllowDotInPath = 1
RemoveServerHeader = 0
EnableLogging = 1
PerProcessLogging = 0
AllowLateScanning = 0

[AllowVerbs]
GET
POST
SEARCH
POLL
PROPFIND
BMOVE
BCOPY
SUBSCRIBE
MOVE
PROPPATCH
BPROPPATCH
DELETE
BDELETE
MKCOL

[DenyVerbs]

[DenyHeaders]
If:
Lock-Token:

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
%
&
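The cause described above (the shipped URLscan profile allows only static-content verbs, so the WebDAV requests that OWA sends are rejected) and the [DenyUrlSequences] caveat are easier to see by evaluating sample requests against the rules. The following Python script is an added example; it is not part of the KB article and not Microsoft's URLscan code. It re-implements the relevant URLscan checks in simplified form (verbs, denied headers, extensions, URL sequences, normalization and double-decoding verification) and compares the OWA profile above with a short static-content profile that stands in for the tool's default file (an assumption about the defaults, not a copy of them). The mailbox name jdoe, the message subjects and the request list are constructed, and aexp2b.htr is used only as an example path under the Iisadmpwd virtual directory.

```python
"""Urlscan.ini rule evaluator for OWA requests. Added example, not Microsoft's
URLscan code and not part of the original article: it re-implements the checks
the article's settings rely on (verbs, headers, extensions, URL sequences,
normalization) so you can see what a given Urlscan.ini rejects before deploying it."""
from urllib.parse import unquote
import posixpath

def render_ini(options, **sections):
    """Build Urlscan.ini text from Python values (one entry per line)."""
    lines = ["[Options]"] + [f"{k}={v}" for k, v in options.items()]
    for name, entries in sections.items():
        lines += [f"[{name}]"] + list(entries)
    return "\n".join(lines) + "\n"

def parse_ini(text):
    """Parse Urlscan.ini into {'options': {name: value}, section: [entries]}."""
    rules, section = {"options": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            rules.setdefault(section, {} if section == "options" else [])
        elif section == "options":
            name, _, value = line.partition("=")
            rules["options"][name.strip().lower()] = value.strip()
        elif section is not None:
            rules[section].append(line)
    return rules

def _on(rules, option):
    return rules["options"].get(option.lower(), "0") == "1"

def evaluate(rules, verb, url, headers=None):
    """Return (allowed, reason) for one request; reason is '' when allowed."""
    def low(section):
        return {e.lower() for e in rules.get(section, [])}
    if _on(rules, "UseAllowVerbs") and verb.lower() not in low("allowverbs"):
        return False, f"verb {verb} is not in [AllowVerbs]"
    if not _on(rules, "UseAllowVerbs") and verb.lower() in low("denyverbs"):
        return False, f"verb {verb} is in [DenyVerbs]"
    for name in headers or {}:
        if name.lower() + ":" in low("denyheaders"):
            return False, f"header {name}: is in [DenyHeaders]"
    path = url.split("?", 1)[0]
    if _on(rules, "NormalizeUrlBeforeScan"):
        path = unquote(path)  # decode %xx once, then scan the decoded form
        if _on(rules, "VerifyNormalization") and unquote(path) != path:
            return False, "URL changes when decoded again (double encoding)"
    # '.' stands for "no extension", as it does in urlscan.ini extension lists
    ext = posixpath.splitext(path.rsplit("/", 1)[-1])[1].lower() or "."
    if _on(rules, "UseAllowExtensions") and ext not in low("allowextensions"):
        return False, f"extension {ext} is not in [AllowExtensions]"
    if not _on(rules, "UseAllowExtensions") and ext in low("denyextensions"):
        return False, f"extension {ext} is in [DenyExtensions]"
    for seq in rules.get("denyurlsequences", []):
        if seq in path:
            return False, f"URL contains denied sequence {seq!r}"
    return True, ""

OWA_OPTIONS = {"UseAllowVerbs": 1, "UseAllowExtensions": 0,
               "NormalizeUrlBeforeScan": 1, "VerifyNormalization": 1}
# The OWA profile from the article: WebDAV verbs allowed, .htr still denied.
OWA_INI = render_ini(
    OWA_OPTIONS,
    AllowVerbs="GET POST SEARCH POLL PROPFIND BMOVE BCOPY SUBSCRIBE MOVE "
               "PROPPATCH BPROPPATCH DELETE BDELETE MKCOL".split(),
    DenyHeaders=["If:", "Lock-Token:"],
    DenyExtensions=".asp .cer .cdx .asa .exe .bat .cmd .com .htw .ida .idq .htr "
                   ".idc .shtm .shtml .stm .printer .ini .log .pol .dat".split(),
    DenyUrlSequences=["..", "./", "\\", "%", "&"])
# Stand-in for the tool's shipped static-content defaults (assumption: the real
# file is longer, but it likewise allows only GET, HEAD and POST).
STATIC_INI = render_ini(
    OWA_OPTIONS, AllowVerbs=["GET", "HEAD", "POST"],
    DenyHeaders=["Translate:", "If:", "Lock-Token:"], DenyExtensions=[".asp", ".exe", ".htr"],
    DenyUrlSequences=["..", "./", "\\", ":", "%", "&"])
OWA_RULES, STATIC_RULES = parse_ini(OWA_INI), parse_ini(STATIC_INI)

def allow_change_password(rules):
    """Same rules with .htr removed from [DenyExtensions] (needed for OWA Change Password)."""
    return dict(rules, denyextensions=[e for e in rules["denyextensions"] if e.lower() != ".htr"])

# Constructed OWA requests: (verb, URL, headers). Mailbox 'jdoe' is made up.
SAMPLE_REQUESTS = [
    ("PROPFIND", "/exchange/jdoe/Inbox/", {"Depth": "1"}),
    ("GET", "/exchange/jdoe/Inbox/Budget%20Q3.EML", {}),
    ("GET", "/exchange/jdoe/Inbox/Profit%20%26%20Loss.EML", {}),  # subject has '&'
    ("GET", "/exchange/jdoe/Inbox/Growth%20100%25.EML", {}),      # subject has '%'
    ("GET", "/iisadmpwd/aexp2b.htr", {}),                         # Change Password page
    ("PROPFIND", "/exchange/jdoe/Inbox/", {"If": "(<opaquelocktoken:x>)"}),
    ("GET", "/exchange/jdoe/..%255c..%255cwinnt/system32/cmd.exe", {}),  # double-encoded
]

def compare_profiles(requests=SAMPLE_REQUESTS):
    """[(verb, url, verdict under STATIC_RULES, verdict under OWA_RULES)], 'allowed' or the reason."""
    return [(verb, url, evaluate(STATIC_RULES, verb, url, h)[1] or "allowed",
             evaluate(OWA_RULES, verb, url, h)[1] or "allowed") for verb, url, h in requests]

if __name__ == "__main__":
    for verb, url, static, owa in compare_profiles():
        print(f"{verb:9}{url}\n  default: {static}\n  OWA:     {owa}")
```

Running the script shows, per request, that the static-content profile rejects the PROPFIND that OWA issues to list a folder while the OWA profile allows it, that both profiles reject a message whose subject decodes to contain & or % (the [DenyUrlSequences] caveat above; the same rejection reasons are what Urlscan.log records), that the Change Password page is blocked until .htr is removed from [DenyExtensions], and that a double-encoded traversal attempt is rejected by VerifyNormalization regardless of profile. To test a real Urlscan.ini, pass its contents to parse_ini() instead of the rendered samples.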

