|
|
The URLScan cnfiguration stored in a single file named URLScan.ini file, which is located in the %WINDIR%\System32\Inetsrv\URLscan\ folder & holds all URLScan settings. To configure URLScan, just edit thet file in a text editor such as Notepad, make the changes, and then save the file & restart IIS services. |
Changes made int the configuration file will not take effect untill Internet Information Services (IIS) is restarted. One way you can do this quickly is to run the IISRESET command at a command prompt.
By default, this option is set to 1. If this option is set to 1, URLScan only permits HTTP requests that use the verbs that are listed in the [AllowVerbs] section. URLScan blocks any requests that do not use these verbs. If this option is set to 0, URLScan ignores the [AllowVerbs] section, and instead blocks only requests that use verbs that are listed in the [DenyVerbs] section.
By default, this option is set to 0. If this option is set to 0, URLScan blocks requests for file name extensions that are listed in the [DenyExtensions] section, but permits requests for any other file name extensions. If this option is set to 1, URLScan only permits requests for files with extensions that are listed in the [AllowExtensions] section, and it blocks requests for any other files.
IIS receives requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests. By default, this option is set to 1. If the NormalizeUrlBeforeScan option is set to 1, URLScan analyzes the decoded request. If it is set to 0, URLScan analyzes the undecoded request instead. Setting this option to 0 hinders the ability of URLScan to block certain kinds of attacks.
Because the percent sign (%) itself can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, IIS may accept a request that it would otherwise reject as not valid. By default, this option is set to 1. If the VerifyNormalization option is set to 1, URLScan normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, URLScan rejects the request. This prevents attacks that rely on double-encoded requests.
By default, this option is set to 0. If this option is set to 0, URLScan rejects any requests that contain non-ASCII characters. This can prevent certain types of attacks, but it may also block out requests for certain legitimate files, such as files with non-English names.
By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it thinks that it is a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set 0, URLScan may also deny requests for directories that contain periods.
By default, a Web server returns a header that identifies what Web server software it is running in all responses. This can increase the server vulnerability because an attacker can determine that a server is running IIS and then attack known IIS problems, instead of trying to attack an IIS server by using exploits that are designed for other Web servers. By default, this option is set to 0. If you set the RemoveServerHeader option to 1, you prevent your server from sending the header that identifies it as an IIS server. If you set RemoveServerHeader to 0, this header is still sent.
If RemoveServerHeader is set to 0, you can specify a string in the AlternateServerName option to specify what will be passed back in the Server header. If RemoveServerHeader is set to 1, this option is ignored.
By default, URLScan keeps a complete log of all blocked requests in %WINDIR%\System32\Inetsrv\URLScan. You can set EnableLogging to 0 if you do not want to keep this log.
By default, this option is set to 0. If this option is set to 1, URLScan creates a separate log for each process that hosts URLScan.dll. If it is set to 0, all processes log to the same file.
By default, this option is set to 1. If this value is set to 1, URLScan creates a new log file each day. Each log file is named Urlscan.MMDDYY.log, where MMDDYY is the date of the log file. If this value is set to 0, all logging is saved in the same file, regardless of the date.
By default, this option is set to 0. If this option is set to 0, URLScan runs as a high-priority filter, which means that it executes before any other Internet Server Application Programming Interface (ISAPI) filters that are installed on the server. If this option is set to 1, URLScan runs as a low-priority filter, so that other filters can modify the URL before URLScan performs any analysis. FrontPage Server Extensions (FPSE) requires this option to be set to 1.
This option specifies the virtual path to a file that runs when URLScan blocks a request. This permits you to customize the response that is sent to the client for blocked requests. You must specify RejectResponseUrl as a virtual path to the appropriate file, such as /Path/To/RejectResponseHandler.asp. You can specify a file that URLScan typically blocks, such as an Active Server Pages (ASP) page. You can also use the following server variables from the page:
HTTP_URLSCAN_STATUS_HEADER: This specifies why the request has been blocked.
HTTP_URLSCAN_ORIGINAL_VERB: This specifies the original verb from the blocked request (for example, GET, POST, HEAD, or DEBUG).
HTTP_URLSCAN_ORIGINAL_URL: This specifies the original URL from the blocked request. If you set RejectResponseUrl to the special value of /~*, URLScan uses logging-only mode. This permits IIS to serve all requests, but it adds an entry to the URLScan log for any requests that are typically blocked. This is useful if you want to test your URLScan.ini file.
If you do not specify a value for RejectResponseUrl, URLScan uses the default value of /<Rejected-By-UrlScan>.
By default, this option is set to 0. If this option is set to 1, URLScan ignores the RejectResponseUrl setting and immediately returns a 404 error message to the browser. This is faster than processing RejectResponseUrl, but it does not permit as many logging options. If this option is set to 0, URLScan uses the RejectResponseUrl setting to process the request.
|
|
The [AllowVerbs] and [DenyVerbs] sections define the HTTP verbs (also known as methods) that
URLScan permits. Common HTTP verbs include GET, POST, HEAD, and PUT. Other
applications, such as FPSE and Web Distributed Authoring and Versioning
(WebDAV), use additional verbs. Both the [AllowVerbs] and the [DenyVerbs] sections have the same syntax. They are made up of a list of HTTP verbs, and each verb appears on its own line. URLScan decides which section to use based on the value of the UseAllowVerbs option in the [Options] section. By default, this option is set to 1. If UseAllowVerbs is set to 1, URLScan only permits requests that use the verbs that are listed in the [AllowVerbs] section. A request that does not use one of these verbs is rejected. In this case, the [DenyVerbs] section is ignored. |