URLScan Usage Details

Source: Internet
Author: User
Tags: knowledge base

(1) Software download and installation

URLScan can be downloaded from Microsoft's website:

1. URLScan (included in the IIS Lockdown tool): http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe
2. URLScan filter v3.1: http://download.microsoft.com/download/c/7/a/c7a411ed-1c0f-48c1-90e5-6d3a1ca054c1/urlscan_v31_x86.msi
Installation proceeds like that of ordinary software, except that the installation path cannot be chosen. After installation, the following files are found in the system32\inetsrv\URLScan directory:

URLScan.dll: the filter itself, a dynamic-link library;
URLScan.inf: installation information file;
URLScan.txt: software description file;
URLScan.ini: the configuration file. This is the only file you need to edit, because all URLScan configuration is done in it.

(2) Software Configuration

URLScan is configured entirely through the URLScan.ini file. Before editing it, some background is needed.

1. Structure of the URLScan configuration file

The URLScan configuration file must follow these rules:

(1) The file must be named URLScan.ini;

(2) It must reside in the same directory as URLScan.dll;

(3) It must be a standard INI file, made up of sections, keys and values;

(4) After the file is modified, IIS must be restarted for the change to take effect;

(5) The file consists of the following sections:

[Options]: the main settings section;
[AllowVerbs]: the requests (HTTP verbs) treated as legitimate; whether this section is used depends on [Options];
[DenyVerbs]: the requests (HTTP verbs) treated as illegitimate; whether this section is used depends on [Options];
[DenyHeaders]: request headers treated as illegitimate;
[AllowExtensions]: file extensions treated as legitimate; whether this section is used depends on [Options];
[DenyExtensions]: file extensions treated as illegitimate; whether this section is used depends on [Options];

2. Specific Configuration

(1) The [Options] section is particularly important, because its settings govern how the other sections are applied. It mainly sets the following attributes:

UseAllowVerbs: check request verbs in allow mode. If set to 1, every request whose verb is not listed in [AllowVerbs] is rejected. If set to 0, every request whose verb is not listed in [DenyVerbs] is considered valid. The default value is 1;

UseAllowExtensions: check file extensions in allow mode. If set to 1, every extension not listed in [AllowExtensions] is treated as an invalid request. If set to 0, every extension not listed in [DenyExtensions] is treated as a valid request. The default value is 0;

EnableLogging: whether to write a log file. If set to 1, filtered requests are logged to URLScan.log in the same directory as URLScan.dll;

AllowLateScanning: allows other filters to process the URL before URLScan does. The default value is 0;

AlternateServerName: replacement server name. If this option is present and RemoveServerHeader is 0, IIS replaces the default server name with this value;

NormalizeUrlBeforeScan: normalizes the URL before examining it. If set to 1, URLScan examines the URL in its decoded form. Set this to 0 only if you are familiar with how URLs are parsed. The default value is 1;

VerifyNormalization: if set to 1, URLScan verifies the normalization of the URL. The default value is 1. This setting works together with NormalizeUrlBeforeScan;

AllowHighBitCharacters: if set to 1, any byte is allowed in the URL; if 0, URLs containing non-ASCII characters are rejected. The default value is 1;

AllowDotInPath: if set to 1, requests whose URL contains more than one period are allowed. Because this check runs before IIS parses the URL, its accuracy is not guaranteed. The default value is 0;

RemoveServerHeader: if set to 1, the Server header is removed from all responses. The default value is 0;

(2) [AllowVerbs] section configuration

If UseAllowVerbs is set to 1, all verbs listed in this section are allowed. The following are usually listed:

GET, HEAD, POST

(3) [DenyVerbs] section configuration

If UseAllowVerbs is set to 0, all verbs listed in this section are rejected. The following are usually listed:

PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK

(4) [AllowExtensions] section settings

Requests for files with the extensions listed in this section are allowed. The following are usually listed:

Bytes

(5) [DenyExtensions] section settings

Requests for any file extension listed in this section are rejected. Extensions can be added here as vulnerabilities are discovered; a typical setting is:
.asa, executable files, batch files, log files, and rarely used extensions such as .shtml and .printer.
The exact list must be decided per application, otherwise the application may stop working. For example, if .shtml is blocked, some Sina-style article systems will not run. Install ASP.NET 2.0 and change the database extension to .mdb.

Microsoft official instructions
Modifying the URLScan.ini file
All URLScan configuration is done through the URLScan.ini file, located in the %WINDIR%\system32\inetsrv\URLScan folder. To configure URLScan, open the file in a text editor (such as Notepad), make your changes, and save the file.

Note: for a change to take effect, you must restart Internet Information Services (IIS). A quick way to do this is to run iisreset at a command prompt.

The URLScan.ini file contains the following sections:
[Options]: describes the general URLScan options.
[AllowVerbs] and [DenyVerbs]: define the verbs (also known as HTTP methods) that URLScan allows.
[DenyHeaders]: lists HTTP headers that are not allowed in HTTP requests. If an HTTP request contains a header listed in this section, URLScan rejects the request.
[AllowExtensions] and [DenyExtensions]: define the file extensions that URLScan allows.
[DenyUrlSequences]: lists strings that are not allowed in HTTP requests. URLScan rejects HTTP requests containing any string listed in this section.
Each section is described in more detail below.

[Options]
In the [Options] section, you can configure many URLScan options. Each line in this section has the form:
OptionName=OptionValue
The available options and their default values are as follows:
UseAllowVerbs=1

By default, this option is set to 1. When it is 1, URLScan allows only HTTP requests that use the verbs listed in [AllowVerbs]; any request using another verb is blocked. When it is 0, URLScan ignores the [AllowVerbs] section and instead blocks only requests that use the verbs listed in [DenyVerbs].
UseAllowExtensions=0

By default, this option is set to 0. When it is 0, URLScan blocks requests for the file extensions listed in [DenyExtensions] and allows requests for any other extension. When it is 1, URLScan allows only requests for files whose extension is listed in [AllowExtensions] and blocks requests for all other files.
NormalizeUrlBeforeScan=1

IIS receives requests URL-encoded, which means some characters may be replaced by a percent sign (%) followed by a specific number. For example, %20 corresponds to a space, so a request for http://myserver/My%20dir/my%20file.htm is the same as a request for http://myserver/My dir/my file.htm. Normalization is the process of decoding a URL-encoded request. By default, this option is set to 1. When NormalizeUrlBeforeScan is 1, URLScan analyzes the decoded request. When it is 0, URLScan analyzes the undecoded request. Setting this option to 0 weakens URLScan's ability to block certain attacks.
VerifyNormalization=1

Because the percent sign (%) can itself be URL-encoded, an attacker can submit a specially crafted, double-encoded request to the server, and IIS may then accept a request that should have been rejected as invalid. By default, this option is set to 1. When VerifyNormalization is 1, URLScan normalizes the URL twice; if the URL after the first normalization differs from the URL after the second, URLScan rejects the request. This blocks attacks that rely on double-encoded requests.
AllowHighBitCharacters=0

By default, this option is set to 0. When it is 0, URLScan rejects any request containing non-ASCII characters. This blocks some kinds of attacks but may also block requests for legitimate files, such as files with non-English names.
AllowDotInPath=0

By default, this option is set to 0. When it is 0, URLScan rejects any request containing more than one period. This prevents attempts to disguise a dangerous file extension by placing a safe-looking file name in the PATH_INFO part of the URL or in the query string. For example, when this option is 1, URLScan may allow a request for http://servername/badfile.exe/safefile.htm because it looks like a request for an HTML page, whereas it is actually a request for the executable (.exe) file, with the HTML page name appearing in the PATH_INFO portion. When this option is 0, URLScan will also reject requests for directories whose names contain a period.
RemoveServerHeader=0

By default, the Web server includes in every response a header identifying the Web server software it runs. This increases the server's exposure, because an attacker who learns that the server is running IIS can go straight to known IIS issues instead of trying attack methods designed for other Web servers. By default, this option is set to 0. Setting RemoveServerHeader to 1 stops your server from sending the header that identifies it as IIS. When RemoveServerHeader is 0, the header is still sent.
AlternateServerName=(not specified by default)

If RemoveServerHeader is set to 0, you can specify a string in the AlternateServerName option to be returned in the Server header instead. If RemoveServerHeader is set to 1, this option is ignored.
EnableLogging=1

By default, URLScan keeps a complete log of all blocked requests in %WINDIR%\system32\inetsrv\URLScan. If you do not want this log, set EnableLogging to 0.
PerProcessLogging=0

By default, this option is set to 0. When it is 1, URLScan creates a separate log for each process that hosts URLScan.dll. When it is 0, all processes log to the same file.
PerDayLogging=1

By default, this option is set to 1. When it is 1, URLScan creates a new log file every day, named URLScan.mmddyy.log, where mmddyy is the date of the log file. When it is 0, all entries go into the same file regardless of the date.
AllowLateScanning=0

By default, this option is set to 0. When it is 0, URLScan runs as a high-priority filter, meaning it executes before every other Internet Server Application Programming Interface (ISAPI) filter installed on the server. When it is 1, URLScan runs as a low-priority filter so that other filters can modify the URL before URLScan analyzes it. FrontPage Server Extensions (FPSE) requires this option to be set to 1.
RejectResponseUrl=(not specified by default)

This option specifies the virtual path of a file that runs when URLScan blocks a request, letting you customize the response sent to the client for blocked requests. RejectResponseUrl must be given as the virtual path of the file, such as /path/to/RejectResponseHandler.asp. You may point it at a file type URLScan normally blocks, such as an Active Server Pages (ASP) page. That page can read the following server variables:
HTTP_URLSCAN_STATUS_HEADER: the reason the request was blocked.
HTTP_URLSCAN_ORIGINAL_VERB: the original verb (such as GET, POST, HEAD, or DEBUG) of the blocked request.
HTTP_URLSCAN_ORIGINAL_URL: the original URL of the blocked request.
If you set RejectResponseUrl to the special value /~*, URLScan runs in logging-only mode: IIS serves every request, but every request that would normally have been blocked gets an entry in the URLScan log. This is useful when testing a URLScan.ini file.

If RejectResponseUrl is not specified, URLScan uses the default value /<rejected-by-URLScan>.

UseFastPathReject=0

By default, this option is set to 0. When it is 1, URLScan ignores the RejectResponseUrl setting and immediately returns a 404 error to the browser. This is faster than processing RejectResponseUrl but offers fewer logging options. When it is 0, URLScan processes the request using the RejectResponseUrl setting.
[AllowVerbs] and [DenyVerbs]
The [AllowVerbs] and [DenyVerbs] sections define the HTTP verbs (also called methods) that URLScan allows. Common HTTP verbs are GET, POST, HEAD, and PUT. Other applications, such as FPSE and Web Distributed Authoring and Versioning (WebDAV), use additional verbs.

The [AllowVerbs] and [DenyVerbs] sections share the same syntax: a list of HTTP verbs, one per line.

URLScan decides which section to use from the UseAllowVerbs value in the [Options] section. By default it is 1. When UseAllowVerbs is 1, URLScan allows only requests that use a verb listed in [AllowVerbs]; requests using any other verb are rejected, and the [DenyVerbs] section is ignored.

When UseAllowVerbs is 0, URLScan rejects requests that use a verb explicitly listed in [DenyVerbs] and allows requests with any verb not in that list. In that case URLScan ignores the [AllowVerbs] section.

[DenyHeaders]
When a client requests a page from a Web server, it normally sends HTTP headers carrying additional information about the request. Common HTTP headers include:
Host: this header contains the name of the Web server.
Accept: this header defines the file types the client can handle.
User-Agent: this header contains the name of the browser making the request.
Authorization: this header defines the authentication methods the client supports.
The client may send other headers to the server to convey further information.

In the [DenyHeaders] section, you define the HTTP headers that URLScan will reject. If a request received by URLScan contains any header listed in this section, the request is rejected. The section is a list of HTTP headers, one per line; each header name must be followed by a colon (for example, Header-Name:).

[AllowExtensions] and [DenyExtensions]
Most files have an extension that identifies their type. For example, Word document names usually end in .doc, HTML file names in .htm or .html, and plain text file names in .txt. The [AllowExtensions] and [DenyExtensions] sections let you define which extensions URLScan blocks. For example, you can configure URLScan to reject requests for .exe files and so prevent Web users from running applications on your system.

The [AllowExtensions] and [DenyExtensions] sections share the same syntax: a list of file extensions, one per line, each starting with a period (for example, .ext).

URLScan decides which section to use from the UseAllowExtensions value in the [Options] section. By default it is 0. When UseAllowExtensions is 0, URLScan rejects only requests for the extensions listed in [DenyExtensions]; any extension not listed there is allowed, and the [AllowExtensions] section is ignored.

When UseAllowExtensions is 1, URLScan rejects requests for any extension not explicitly listed in [AllowExtensions]; only the listed extensions are allowed, and the [DenyExtensions] section is ignored.

For more information about configuring URLScan to allow requests for files without an extension, see the following Microsoft Knowledge Base article:
312376 (http://support.microsoft.com/kb/312376/) How to configure URLScan to allow requests with a null extension in IIS
[DenyUrlSequences]
You can configure URLScan to block requests whose URL contains certain character sequences. For example, you can block requests containing two consecutive periods (..), a sequence commonly used in attacks that exploit directory traversal vulnerabilities. To block a character sequence, put it on its own line in the [DenyUrlSequences] section.

Note that blocking character sequences can interfere with Outlook Web Access (OWA) for Microsoft Exchange. When you open an e-mail in OWA, its subject line is included in the URL requested from the server. Because the URLScan.ini file blocks any request containing a percent sign (%) or an ampersand (&), trying to open a message whose subject is "sales increase by 100%" or "Bob & Sue are coming to town" produces a 404 error. To work around this, you can remove those sequences from the [DenyUrlSequences] section. Please note that this reduces security, because it may allow dangerous requests to reach the server.
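The following is an added example, not URLScan's own code or Microsoft's: a small Python model of the filtering rules described above ([Options], verbs, headers, normalization, URL sequences, dot-in-path and extensions), driven by a constructed URLScan.ini. The sample INI values, the order of the checks and the reason strings are assumptions made for illustration; [AllowExtensions] is omitted because UseAllowExtensions=0 ignores it.

```python
from urllib.parse import unquote

# Constructed sample URLScan.ini: assumed values, using the sections described on this page.
SAMPLE_INI = """[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0
[AllowVerbs]
GET
POST
[DenyHeaders]
Translate:
[DenyExtensions]
.exe
[DenyUrlSequences]
..
%
&
"""

def parse_ini(text):
    """Parse URLScan's INI layout into {section: [entries]}, everything lowercased."""
    cfg, cur = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            cur = cfg.setdefault(line[1:-1].lower(), [])
        elif line and not line.startswith(";"):
            cur.append(line.lower())
    cfg["options"] = dict(e.split("=", 1) for e in cfg.get("options", []))
    return cfg

def scan(cfg, verb, url, headers=()):
    """Return (allowed, reason), applying the checks in the order this page describes."""
    on = lambda key, default: cfg["options"].get(key, default) == "1"
    if on("useallowverbs", "1") and verb.lower() not in cfg.get("allowverbs", []):
        return False, f"verb {verb} not in [AllowVerbs]"
    if not on("useallowverbs", "1") and verb.lower() in cfg.get("denyverbs", []):
        return False, f"verb {verb} listed in [DenyVerbs]"
    if any(h.lower() + ":" in cfg.get("denyheaders", []) for h in headers):
        return False, "request carries a header listed in [DenyHeaders]"
    if on("normalizeurlbeforescan", "1"):
        once = unquote(url)                 # the decoding IIS itself will perform
        if on("verifynormalization", "1") and unquote(once) != once:
            return False, "double-encoded URL (VerifyNormalization)"
        url = once
    for seq in cfg.get("denyurlsequences", []):
        if seq in url.lower():              # query string included, hence the OWA caveat
            return False, f"URL contains denied sequence {seq!r}"
    path = url.split("?", 1)[0]
    if not on("allowdotinpath", "0") and path.count(".") > 1:
        return False, "multiple periods in path (AllowDotInPath=0)"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if on("useallowextensions", "0") and ext not in cfg.get("allowextensions", []):
        return False, f"extension {ext!r} not in [AllowExtensions]"
    if not on("useallowextensions", "0") and ext in cfg.get("denyextensions", []):
        return False, f"extension {ext!r} listed in [DenyExtensions]"
    return True, "allowed"
```

Flipping AllowDotInPath to 1 in the sample and scanning /site/badfile.exe/safefile.htm shows why the default is 0: the request then passes the extension check on .htm even though it targets the .exe.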

------------------
• Installing URLScan 2.0 without IIS Lockdown: to install URLScan without the IIS Lockdown tool, you must extract it manually from that tool. First, save iislockd.exe to a directory. Then, to extract the URLScan installer, run the following command from a command prompt in the directory containing iislockd.exe:

iislockd.exe /q /c

This unpacks urlscan.exe, which is the URLScan installer.

