How to configure the URLScan tool
See the product that this article applies To
Article number: 326444
Last modified: March 14, 2007
Revised: 5.3
We strongly recommend that all users running Microsoft Windows Server 2003 Upgrade Microsoft Internet Information Services (IIS) to version 6.0 because IIS 6.0 significantly enhances the security of the WEB infrastructure. For more information about topics related to IIS security, visit the following Microsoft Web site:
Http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
Page
Profile
This step-by-step article describes how to configure the URLScan tool to prevent WEB servers from being attacked and exploited.
Back to the top
Install URLScan
To install URLScan, visit the following Microsoft Developer Network (MSDN) Web site:
Http://msdn2.microsoft.com/en-us/library/aa302368.aspx (http://msdn2.microsoft.com/en-us/library/aa302368.aspx)
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
307608 (http://support.microsoft.com/kb/307608/) uses URLScan for IIS
Back to the top
modifying Urlscan.ini files
All configurations for URLScan are performed through Urlscan.ini files, which are located in the%windir%\system32\inetsrv\urlscan folder. To configure URLScan, open the file in a text editor (such as Notepad), make the appropriate changes, and then save the file.
Note: For the changes to take effect, you must restart Internet Information Services (IIS). A quick way to implement this is to run IISRESET at a command prompt.
The Urlscan.ini file contains the following sections:? [Options]: This section describes the general URLScan option.
? [AllowVerbs] and [DenyVerbs]: This section defines the predicate (also known as the HTTP method) that URLScan allows.
? [DenyHeaders]: This section lists HTTP headers that are not allowed in HTTP requests. If an HTTP request contains one of the HTTP headers listed in this section, URLScan rejects the request.
? [AllowExtensions] and [DenyExtensions]: This section defines the file name extensions allowed URLScan.
? [DenyUrlSequences]: This section lists the strings that are not allowed in the HTTP request. URLScan rejects HTTP requests that contain strings that appear in this section.
This article describes each section in more detail.
[Options] section
In the Options section, you can configure many URLScan options. Each row in this section has the following format:
Optionname=optionvalue
The available options and their default values are as follows:? Useallowverbs=1
By default, this option is set to 1. If you set this option to 1, URLScan only allows HTTP requests that use the verbs listed in the [AllowVerbs] section. URLScan prohibits any requests that do not use these predicates. If you set this option to 0, URLScan ignores the [AllowVerbs] section, instead of only those requests that use the verbs listed in the [DenyVerbs] section.
? Useallowextensions=0
By default, this option is set to 0. If you set this option to 0, URLScan prohibits requests for file extensions that are listed in the [DenyExtensions] section, but allows requests for any other file name extensions. If you set this option to 1, URLScan only allows requests for files with extensions that are listed in the [AllowExtensions] section, but not for any other files.
? Normalizeurlbeforescan=1
IIS received a URL-encoded request. This means that some characters may be replaced with a percent semicolon (%) followed by a specific number. For example,%20 corresponds to a space, so the request to http://myserver/My%20Dir/My%20File.htm is the same as the request to the Http://myserver/My dir/my file.htm. Standardization is the process of decoding URL encoding requests. By default, this option is set to 1. If the NormalizeUrlBeforeScan option is set to 1, the decoded request is parsed URLScan. If this option is set to 0, URLScan parsing of the request is not decoded. Setting this option to 0 affects the ability of URLScan to prohibit some kind of attack.
? Verifynormalization=1
Due to percent semicolon (%) itself can be URL-coded, so an attacker can submit a crafted, essentially dual-coded request to the server. If this occurs, IIS may accept a request that would have been rejected as invalid. By default, this option is set to 1. If the VerifyNormalization option is set to 1, URLScan will be normalized two times for the URL. If the URL after the first normalization is different from the second normalized URL, URLScan will reject the request. This protects against attacks that rely on dual-coded requests.
? Allowhighbitcharacters=0
By default, this option is set to 0. If you set this option to 0, URLScan rejects any requests that contain non-ASCII characters. This can prevent certain types of attacks, but may also prohibit requests for certain legitimate files, such as files with non-English names.
? Allowdotinpath=0
By default, this option is set to 0. If you set this option to 0, URLScan rejects all requests that contain multiple periods (.). This prevents attempts to disguise the dangerous file name extension in the request by placing the secure file name extension in the path information or the query string portion of the URL. For example, if you set this option to 1, URLScan may allow requests to http://servername/BadFile.exe/SafeFile.htm because it considers this to be a request to an HTML page, but it is actually a pair of executable (. exe) File, and the name of the file is displayed as the name of the HTML page in the Path_info area. If you set this option to 0,urlscan, you may also deny requests for directories that contain periods.
? Removeserverheader=0
By default, the Web server returns a header that indicates the Web server software that the Web server runs in all responses. This increases the likelihood of a server being attacked because an attacker can determine that the server is running IIS, and then attacks a known IIS problem rather than attempting to attack an IIS server with an attack designed for another WEB server. By default, this option is set to 0. If you set the RemoveServerHeader option to 1, you can prevent your server from sending headers that identify it as an IIS server. If the RemoveServerHeader is set to 0, this header is still sent.
? Alternateservername= (not specified by default)
If you set the RemoveServerHeader to 0, you can specify a string in the AlternateServerName option to specify what will be returned in the server header. If you set the RemoveServerHeader to 1, this option is ignored.
? Enablelogging=1
By default, URLScan retains the full log of all blocked requests in%windir%\system32\inetsrv\urlscan. If you do not want to keep this log, you can set EnableLogging to 0.
? Perprocesslogging=0
By default, this option is set to 0. Setting this option to 1,urlscan will create a separate log for each process that hosts URLScan.dll. If you set this option to 0, all processes will be logged to the same file.
? Perdaylogging=1
By default, this option is set to 1. If this value is set to 1, URLScan creates a new log file every day. The name of each log file is Urlscan.MMDDYY.log, where mmddyy is the date of the log file. If this value is set to 0, all logging is saved in the same file, regardless of date.
? Allowlatescanning=0
Current 1/2 page
12 Next read the full text
