This section describes, step by step, how to configure the URLScan tool to help protect Web servers from attack and misuse.
Install URLScan
To install URLScan, visit the following Microsoft Developer Network (MSDN) Web site: http://msdn2.microsoft.com/en-us/library/aa302368.aspx
For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 307608 (http://support.microsoft.com/kb/307608/) Using URLScan on IIS
Modify the URLScan.ini file
All URLScan configuration is done in the URLScan.ini file, which is located in the %WINDIR%\System32\Inetsrv\URLscan folder. To configure URLScan, open the file in a text editor (such as Notepad), make your changes, and save the file.
Note: For a change to take effect, you must restart Internet Information Services (IIS). A quick way to do this is to run IISRESET.
The URLScan.ini file contains the following sections:
- [Options]: This section contains the general URLScan options.
- [AllowVerbs] and [DenyVerbs]: These sections define the HTTP verbs (also known as HTTP methods) that URLScan allows or rejects.
- [DenyHeaders]: This section lists HTTP headers that are not allowed in HTTP requests. If an HTTP request contains one of the headers listed in this section, URLScan rejects the request.
- [AllowExtensions] and [DenyExtensions]: These sections define the file extensions that URLScan allows or rejects.
- [DenyURLSequences]: This section lists strings that are not allowed in HTTP requests. URLScan rejects any HTTP request that contains a string listed in this section.
This article describes each section in more detail.
[Options] section
In the [Options] section you can configure many URLScan options. Each line in this section has the format OptionName=OptionValue. The available options and their default values are as follows:
- UseAllowVerbs = 1
By default, this option is set to 1. When it is set to 1, URLScan allows only HTTP requests that use the verbs listed in the [AllowVerbs] section and rejects any request that uses another verb. When it is set to 0, URLScan ignores [AllowVerbs] and instead rejects only requests that use the verbs listed in the [DenyVerbs] section.
- UseAllowExtensions = 0
By default, this option is set to 0. When it is set to 0, URLScan rejects requests for the file extensions listed in the [DenyExtensions] section and allows requests for any other extension. When it is set to 1, URLScan allows only requests for the file extensions listed in the [AllowExtensions] section and rejects requests for any other extension.
- NormalizeUrlBeforeScan = 1
IIS receives requests in URL-encoded form. This means that some characters may be replaced with a percent sign (%) followed by a specific number; for example, %20 corresponds to a space. Therefore, a request for http://myserver/My%20Dir/My%20File.htm and a request for http://myserver/My Dir/My File.htm are the same request. Normalization is the process of decoding a URL-encoded request. By default, this option is set to 1. When NormalizeUrlBeforeScan is set to 1, URLScan analyzes the decoded request; when it is set to 0, URLScan analyzes the undecoded request. Setting this option to 0 impairs URLScan's ability to block certain attacks.
- VerifyNormalization = 1
Because a percent sign (%) can itself be URL-encoded, an attacker can submit a specially crafted, effectively double-encoded request to the server. In this case IIS may accept a request that should have been rejected as invalid. By default, this option is set to 1. When VerifyNormalization is set to 1, URLScan normalizes the URL twice; if the URL after the first normalization differs from the URL after the second, URLScan rejects the request. This blocks attacks that depend on double-encoded requests.
- AllowHighBitCharacters = 0
By default, this option is set to 0. When it is set to 0, URLScan rejects any request that contains non-ASCII characters. This can block some types of attack, but it may also block requests for legitimate files, such as files with non-English names.
- AllowDotInPath = 0
By default, this option is set to 0. When it is set to 0, URLScan rejects any request that contains more than one period. This blocks attempts to disguise a dangerous file extension by placing a safe file extension in the URL's path information or query string. For example, if this option is set to 1, URLScan may allow a request for http://servername/BadFile.exe/SafeFile.htm because it treats the request as a request for an HTML page; in fact it is a request for the executable (.exe) file, and the HTML page name is passed to it in the PATH_INFO area. Note that when this option is set to 0, URLScan also rejects requests for directories whose names contain a period.
- RemoveServerHeader = 0
By default, the Web server returns, in every response, a header that identifies the Web server software it is running. This increases the server's exposure, because an attacker can determine that the server is running IIS and target known IIS problems rather than trying attack methods designed for other Web servers. By default, this option is set to 0. If RemoveServerHeader is set to 1, the server does not send the header that identifies it as an IIS server. If RemoveServerHeader is set to 0, the header is still sent.
- AlternateServerName = (not specified by default)
If RemoveServerHeader is set to 0, AlternateServerName specifies the string that is returned in the Server header. If RemoveServerHeader is set to 1, this option is ignored.
- EnableLogging = 1
By default, URLScan keeps a complete log of all rejected requests in %WINDIR%\System32\Inetsrv\URLScan. If you do not want to keep this log, set EnableLogging to 0.
- PerProcessLogging = 0
By default, this option is set to 0. When it is set to 1, URLScan creates a separate log for each process that hosts URLScan.dll. When it is set to 0, all processes log to the same file.
- PerDayLogging = 1
By default, this option is set to 1. When it is set to 1, URLScan creates a new log file every day. Each log file is named Urlscan.MMDDYY.log, where MMDDYY is the date of the log file. When it is set to 0, all log records are written to the same file regardless of the date.
- AllowLateScanning = 0
By default, this option is set to 0. When it is set to 0, URLScan runs as a high-priority filter, which means it runs before all other Internet Server Application Programming Interface (ISAPI) filters installed on the server. When it is set to 1, URLScan runs as a low-priority filter so that other filters can modify the URL before URLScan analyzes it. FrontPage Server Extensions (FPSE) requires that this option be set to 1.
- RejectResponseUrl = (not specified by default)
This option specifies the virtual path of the file that runs when URLScan rejects a request. This lets you customize the response sent to the client for rejected requests. You must set RejectResponseUrl to the virtual path of the file, such as /Path/To/RejectResponseHandler.asp. You may specify a file that URLScan would normally reject, such as an Active Server Pages (ASP) page. From this page you can also read the following server variables:
- HTTP_URLSCAN_STATUS_HEADER: This variable specifies the reason the request was rejected.
- HTTP_URLSCAN_ORIGINAL_VERB: This variable specifies the original verb (such as GET, POST, HEAD, or DEBUG) of the rejected request.
- HTTP_URLSCAN_ORIGINAL_URL: This variable specifies the original URL of the rejected request.
If RejectResponseUrl is set to the special value /~*, URLScan runs in log-only mode. This lets IIS serve all requests, but URLScan adds an entry to its log for every request it would normally reject. This is useful when you need to test a URLScan.ini file.
If RejectResponseUrl is not specified, URLScan uses the default value /<Rejected-By-UrlScan>.
- UseFastPathReject = 0
By default, this option is set to 0. When it is set to 1, URLScan ignores the RejectResponseUrl setting and immediately returns a 404 error to the browser. This is faster than processing RejectResponseUrl, but it does not allow as many logging options. When it is set to 0, URLScan uses RejectResponseUrl to handle rejected requests.
[AllowVerbs] and [DenyVerbs] sections
The [AllowVerbs] and [DenyVerbs] sections define the HTTP verbs (also called methods) that URLScan allows. Common HTTP verbs include GET, POST, HEAD, and PUT. Other applications, such as FPSE and Web Distributed Authoring and Versioning (WebDAV), use additional verbs.
The [AllowVerbs] and [DenyVerbs] sections have the same syntax: each consists of a list of HTTP verbs, one verb per line.
URLScan uses the value of the UseAllowVerbs option in the [Options] section to determine which section to use. By default, this option is set to 1. If UseAllowVerbs is set to 1, URLScan allows only requests that use the verbs listed in [AllowVerbs]; requests that use any other verb are rejected, and [DenyVerbs] is ignored.
If UseAllowVerbs is set to 0, URLScan rejects requests that use a verb explicitly listed in [DenyVerbs] and allows requests that use any verb not listed there. In this case, URLScan ignores [AllowVerbs].
[DenyHeaders] section
When a client requests a page from a Web server, it usually sends HTTP headers that contain additional information about the request. Common HTTP headers include:
- Host: This header contains the name of the Web server.
- Accept: This header defines the types of files that the client can process.
- User-Agent: This header contains the name of the browser requesting the page.
- Authorization: This header carries the client's authentication information (the scheme it is using and its credentials).
The client may send other headers to the server to specify other information.
In the [DenyHeaders] section, you define the HTTP headers that URLScan will reject. If a request received by URLScan contains any header listed in this section, URLScan rejects the request. This section consists of a list of HTTP headers, one per line. Each header name must be followed by a colon (:), for example Header-Name:.
[AllowExtensions] and [DenyExtensions] sections
Most files have a file extension that identifies the file type. For example, the name of a Word document generally ends with .doc, an HTML file name generally ends with .htm or .html, and a plain text file name generally ends with .txt.
The [AllowExtensions] and [DenyExtensions] sections let you define the extensions that URLScan will block. For example, you can configure URLScan to reject requests for .exe files and so prevent Web users from executing applications on your system.
The [AllowExtensions] and [DenyExtensions] sections have the same syntax: each consists of a list of file extensions, one per line, and each extension starts with a period (for example, .ext).
URLScan uses the value of the UseAllowExtensions option in the [Options] section to determine which section to use. By default, this option is set to 0. If UseAllowExtensions is set to 0, URLScan rejects requests for the file extensions listed in [DenyExtensions]; any file extension not listed in that section is allowed, and [AllowExtensions] is ignored.
If UseAllowExtensions is set to 1, URLScan rejects requests for any file extension not explicitly listed in [AllowExtensions]; only requests for the file extensions listed in that section are allowed, and [DenyExtensions] is ignored.
For additional information about how to configure URLScan to allow requests for files without an extension, click the following article number to view the article in the Microsoft Knowledge Base: 312376 (http://support.microsoft.com/kb/312376) How to configure URLScan to allow requests with a null extension in IIS
[DenyUrlSequences] section
You can configure URLScan to reject requests whose URLs contain certain character sequences. For example, you can reject requests that contain two consecutive periods (..), a sequence commonly used in attacks that exploit directory traversal vulnerabilities. To specify a character sequence to reject, place the sequence on its own line in the [DenyUrlSequences] section.
Note that adding character sequences may negatively affect Outlook Web Access (OWA) for Microsoft Exchange. When you open an e-mail message in OWA, the subject line of the message is included in the URL requested from the server. Because the URLScan.ini file rejects any request that contains a percent sign (%) or an ampersand (&), when you try to open a message whose subject is "Sales increase by 100%" or "Bob & Sue are coming to town", you receive a 404 error. To work around this problem, you can delete these sequences from [DenyUrlSequences]. Note that this reduces security, because it may allow dangerous requests to reach the server.
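As an added illustration (not from the original article and not Microsoft's URLScan code), the following Python model applies the [Options], [AllowVerbs]/[DenyVerbs], [DenyHeaders], [AllowExtensions]/[DenyExtensions] and [DenyUrlSequences] settings described above to a single request, including the double-encoding check and the OWA "100%" subject case. The configuration values, denied headers and sample requests are constructed, and the checks are a simplification of the real filter's behaviour.

```python
from urllib.parse import unquote

# Constructed, simplified model of how the URLScan.ini sections are applied to one
# request. This is added illustration, not URLScan's own code: the checks follow the
# option descriptions in the text, not the real filter's exact ordering or matching.
CONFIG = {  # constructed example resembling a restrictive URLScan.ini
    "UseAllowVerbs": 1, "AllowVerbs": {"GET", "HEAD", "POST"}, "DenyVerbs": set(),
    "UseAllowExtensions": 0, "AllowExtensions": {".htm", ".html", ".asp"},
    "DenyExtensions": {".exe", ".bat", ".cmd", ".com"},
    "NormalizeUrlBeforeScan": 1, "VerifyNormalization": 1,
    "AllowHighBitCharacters": 0, "AllowDotInPath": 0,
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
    "DenyHeaders": {"translate:", "if:", "lock-token:"},  # constructed list
}

def scan(method, raw_url, headers=(), cfg=CONFIG):
    """Return None when the request would pass, else a short reason string."""
    method = method.upper()
    if cfg["UseAllowVerbs"] and method not in cfg["AllowVerbs"]:
        return "verb not in [AllowVerbs]"
    if not cfg["UseAllowVerbs"] and method in cfg["DenyVerbs"]:
        return "verb in [DenyVerbs]"
    for header in headers:  # "Name: value" lines; names compared case-insensitively
        if header.split(":", 1)[0].strip().lower() + ":" in cfg["DenyHeaders"]:
            return "header in [DenyHeaders]"
    url = unquote(raw_url) if cfg["NormalizeUrlBeforeScan"] else raw_url
    # VerifyNormalization: decoding a second time must not change the URL;
    # if it does, the client sent a double-encoded request.
    if cfg["VerifyNormalization"] and unquote(url) != url:
        return "double-encoded URL"
    if not cfg["AllowHighBitCharacters"] and any(ord(c) > 127 for c in url):
        return "high-bit characters"
    path = url.split("?", 1)[0]
    # AllowDotInPath=0: more than one period anywhere in the path is rejected,
    # which is what blocks /BadFile.exe/SafeFile.htm before the extension check.
    if not cfg["AllowDotInPath"] and path.count(".") > 1:
        return "multiple periods in path"
    last = path.rsplit("/", 1)[-1]
    ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else ""
    if cfg["UseAllowExtensions"] and ext not in cfg["AllowExtensions"]:
        return "extension not in [AllowExtensions]"
    if not cfg["UseAllowExtensions"] and ext in cfg["DenyExtensions"]:
        return "extension in [DenyExtensions]"
    for seq in cfg["DenyUrlSequences"]:  # checked on the decoded URL, query included
        if seq in url:
            return "URL contains denied sequence " + repr(seq)
    return None
```

Passing a copy of CONFIG with AllowDotInPath set to 1 shows why the text warns about that option: /BadFile.exe/SafeFile.htm is then judged by its last extension and passes.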
For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 325965 (http://support.microsoft.com/kb/325965) URLScan may cause problems in Outlook Web Access
Configure URLScan for IIS-dependent applications
Applications such as Exchange, FPSE, and Microsoft Visual Studio .NET depend on IIS for their normal operation. If URLScan is not configured correctly, these applications may stop working properly.
For additional information about how to configure URLScan for these applications, click the following article numbers to view the articles in the Microsoft Knowledge Base:
- 309508 (http://support.microsoft.com/kb/309508) IIS Lockdown and URLScan configuration in an Exchange environment
- 309394 (http://support.microsoft.com/kb/309394/) How to use URLScan with FrontPage 2000
- 318290 (http://support.microsoft.com/kb/318290/) How to use URLScan with FrontPage 2002
- 310588 (http://support.microsoft.com/kb/310588/) PRB: The Security Toolkit breaks ASP.NET debugging in Visual Studio .NET