Use this step-by-step guide to install and configure the URLScan utility for
Microsoft Internet Information Services (IIS). You can download URLScan from
the Microsoft Web site by using the steps in this article. URLScan is
designed to help your Web server be more secure.
Download and install the IIS Lockdown Wizard
URLScan is now part of the IIS Lockdown Wizard. For more information about
how to install the IIS Lockdown Wizard, click the following article number
to view the article in the Microsoft Knowledge Base:
325864 How to install and use the IIS Lockdown Wizard
Modify the default URLScan configuration file
The default configuration for URLScan may interfere with Microsoft FrontPage
2003 or Microsoft SharePoint Designer 2007 functionality. To allow FrontPage
or SharePoint Designer to work correctly and yet deny access to sensitive
FrontPage or SharePoint Designer files, you have to make changes that this
section describes. These steps are only a suggestion. For additional
information about settings for URLScan, see the "
1. Right-click the Start menu, click Explore, and then locate the following
   folder (where %windir% is your Windows folder, such as C:\Windows or
   C:\Winnt):
   %windir%\system32\inetsrv\urlscan
2. Right-click the Urlscan.ini file, and then click Copy.
3. Right-click the folder, and then click Paste. A copy of the file is
   created and named Copy of Urlscan.ini.
4. Double-click the Urlscan.ini file (the file opens in Notepad).
5. Make the following changes:
   a. In the [options] section, set the following values:
[options]
UseAllowVerbs=1 ; use the [AllowVerbs] section
UseAllowExtensions=0 ; use the [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
VerifyNormalization=1 ; canonicalize URL twice, reject on change
AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters
AllowDotInPath=0 ; deny dots in path
EnableLogging=1 ; log activity
PerDayLogging=1 ; change log files daily
PerProcessLogging=0 ; do not change log files by process ID
RemoveServerHeader=0 ; do not remove "Server" header
AlternateServerName=
UseFastPathReject=0 ; use RejectResponseUrl or log the request
RejectResponseUrl=
AllowLateScanning=1 ; allow URLScan to be loaded low priority
   b. In the [AllowVerbs] section, use the following values only. Do not
      include other values.
[AllowVerbs]
GET ; allow GET (most Web requests)
HEAD ; allow HEAD requests
OPTIONS ; allow OPTIONS (Web Folders need this)
POST ; allow POST (FPSE and HTML forms need this)
   c. In the [DenyHeaders] section, use the following values only. Do not
      include other values.
[DenyHeaders]
If: ; deny (used with WebDAV)
Lock-Token: ; deny (used with WebDAV)
   d. In the [DenyExtensions] section, set the following values:
[DenyExtensions]
.asa ; deny active server application definition files
.bat ; deny batch files
.btr ; deny FrontPage/SharePoint Designer dependency files
.cer ; deny x509 certificate files
.cdx ; deny dynamic channel definition files
.cmd ; deny batch files
.cnf ; deny FrontPage/SharePoint Designer metadata files
.com ; deny server command-line applications
.dat ; deny data files
.evt ; deny Event Viewer logs
.exe ; deny server command-line applications
.htr ; deny IIS legacy HTML admin tool
.htw ; deny Index Server hit-highlighting
.ida ; deny Index Server legacy HTML admin tool
.idc ; deny IIS legacy database query files
.inc ; deny include files
.ini ; deny configuration files
.ldb ; deny Microsoft Access Record-Locking Information files
.log ; deny log files
.pol ; deny policy files
.printer ; deny Internet Printing Services
.sav ; deny backup registry files
.shtm ; deny IIS Server Side Includes
.shtml ; deny IIS Server Side Includes
.stm ; deny IIS Server Side Includes
.tmp ; deny temporary files
   e. In the [DenyUrlSequences] section, set the following values:
[DenyUrlSequences]
.. ; deny directory traversals
./ ; deny trailing dot on a directory name
\ ; deny backslashes in URL
: ; deny alternate stream access
% ; deny escaping after normalization
& ; deny multiple CGI processes to run on a single request
/fpdb/ ; deny browse access to FrontPage/SharePoint Designer database files
/_private ; deny FrontPage/SharePoint Designer private files (often form results)
/_vti_pvt ; deny FrontPage/SharePoint Designer Web configuration files
/_vti_cnf ; deny FrontPage/SharePoint Designer metadata files
/_vti_txt ; deny FrontPage/SharePoint Designer text catalogs and indices
/_vti_log ; deny FrontPage/SharePoint Designer authoring log files
   f. Because these settings do not use the [DenyVerbs] and
      [AllowExtensions] sections, no settings for these sections are
      included in this article. For additional information about these
      sections of the configuration file, click the following article
      number to view the article in the Microsoft Knowledge Base:
      307608 INFO: Using URLScan on IIS
6. Save the file, and then quit Notepad.
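To see how the sections configured in steps 5a through 5e combine on a single request, the following added example (not Microsoft's URLScan code, and not part of the original article) parses the article's ini fragments with a small parser for the ';'-comment, [section] format and applies a simplified version of each check to constructed sample requests. The logging and Server-header options are left out because the model does not emulate them, the two deny lists are abbreviated, and the order and exact matching rules are an approximation of URLScan's behaviour rather than its source.

```python
"""Simplified model of how URLScan applies the Urlscan.ini sections above.
Added illustration, not Microsoft's URLScan code: a parser for the ';'-comment
[section] ini format, and a checker that applies the article's [options],
[AllowVerbs], [DenyHeaders], [DenyExtensions] and [DenyUrlSequences] values."""
from urllib.parse import unquote

# Constructed config: the article's values, minus the logging/Server-header
# options (not emulated) and with the lists abbreviated.
URLSCAN_INI = r"""
[options]
UseAllowVerbs=1           ; use the [AllowVerbs] section
UseAllowExtensions=0      ; use the [DenyExtensions] section
NormalizeUrlBeforeScan=1  ; decode %xx escapes before scanning
VerifyNormalization=1     ; decode twice, reject if the result changes
AllowHighBitCharacters=0  ; reject characters above 0x7F
AllowDotInPath=0          ; reject dots inside directory names
[AllowVerbs]
GET
POST
[DenyHeaders]
If:
Lock-Token:
[DenyExtensions]
.asa
.cnf
.ini
[DenyUrlSequences]
..        ; directory traversal
./        ; trailing dot on a directory name
\
:
%         ; escaping that survives normalization
/_vti_pvt
"""

def parse_urlscan_ini(text):
    """Return ({option: value}, {section: [entries]}); ';' starts a comment."""
    options, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current == "options":
            key, _, value = line.partition("=")
            options[key.strip().lower()] = value.strip()
        elif current is not None:
            sections[current].append(line.lower())  # matching is case-insensitive
    return options, sections

def scan_request(config, verb, url, headers=()):
    """Return (allowed, reason) for one request; checks in URLScan's rough order."""
    options, sections = config
    on = lambda name: options.get(name.lower()) == "1"   # is the option switched on?
    if on("UseAllowVerbs") and verb.lower() not in sections.get("allowverbs", []):
        return False, f"verb {verb} not in [AllowVerbs]"
    for name in headers:
        if name.lower().rstrip(":") + ":" in sections.get("denyheaders", []):
            return False, f"header {name} is in [DenyHeaders]"
    if not on("AllowHighBitCharacters") and any(ord(c) > 0x7F for c in url):
        return False, "high-bit character in URL"
    scanned = url
    if on("NormalizeUrlBeforeScan"):
        scanned = unquote(url)                          # one round of %xx decoding
        if on("VerifyNormalization") and unquote(scanned) != scanned:
            return False, "URL changes when decoded a second time"
    for seq in sections.get("denyurlsequences", []):
        if seq in scanned.lower():
            return False, f"sequence {seq!r} is in [DenyUrlSequences]"
    directory, _, filename = scanned.split("?", 1)[0].rpartition("/")
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if not on("UseAllowExtensions") and ext in sections.get("denyextensions", []):
        return False, f"extension {ext} is in [DenyExtensions]"
    if not on("AllowDotInPath") and "." in directory:
        return False, "dot inside a directory name (AllowDotInPath=0)"
    return True, "allowed"

CONFIG = parse_urlscan_ini(URLSCAN_INI)

# Constructed sample requests: (verb, URL, header names).
SAMPLE_REQUESTS = [
    ("GET", "/default.htm", ()),
    ("POST", "/_vti_bin/_vti_aut/author.dll", ()),   # FrontPage authoring
    ("DELETE", "/default.htm", ()),
    ("GET", "/default.htm", ("Lock-Token",)),         # WebDAV locking
    ("GET", "/_vti_pvt/service.cnf", ()),
    ("GET", "/%252e%252e/default.htm", ()),           # double-encoded dots
    ("GET", "/v1.0/default.htm", ()),                 # dot in a directory name
]

def scan_all(config=CONFIG, requests=SAMPLE_REQUESTS):
    """Scan every sample request; returns [(verb, url, allowed, reason)]."""
    return [(v, u, *scan_request(config, v, u, h)) for v, u, h in requests]

if __name__ == "__main__":
    for verb, url, allowed, reason in scan_all():
        print("ALLOW" if allowed else "DENY ", verb, url, "->", reason)
```

Running the module prints one line per sample request; the FrontPage authoring POST passes while the WebDAV header, the denied verb, the /_vti_pvt path, the double-encoded URL and the dotted directory name are each refused by a different section, which is the division of labour the steps above set up.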
Change the URLScan priority (optional)
The default priority for the URLScan tool in IIS is high. A high priority may
interfere with other Internet Server Application Programming Interface (ISAPI)
filters that have to perform tasks before URLScan is called. The FrontPage
Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although
the information in this section explains how to configure URLScan to load
after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to
configure URLScan with other ISAPI filters. For more information, see the
documentation for the ISAPI filter that you are using.
Note Before you can complete the following steps, you must correctly
set the "AllowLateScanning=1" setting in the Urlscan.ini file to load
URLScan as a low priority filter. To do so, follow the steps in the "Modify
the default URLScan configuration file" section of this article.
1. Start the Internet Services Manager. To do so, follow the steps that are
   appropriate to your version of IIS:
   - In IIS 4.0:
     a. In Windows, click Start, point to Programs, and then click Windows
        NT 4.0 Option Pack.
     b. Point to Microsoft Internet Information Server, and then click
        Internet Service Manager.
   - In IIS 5.0:
     a. In Windows, click Start, point to Programs, and then click
        Administrative Tools.
     b. Click Internet Services Manager.
   - In IIS 5.1:
     a. In Windows, click Start, and then click Control Panel.
     b. Double-click Administrative Tools.
     c. Double-click Internet Information Services.
2. Right-click your server name, and then click Properties.
3. Select the WWW Service master properties option, and then click Edit.
4. Click the ISAPI Filters tab.
5. Click UrlScan, and then click Down to move UrlScan below Fpexedll.dll.
6. Click OK.
7. Click OK again.
Restart IIS to update URLScan
When IIS starts, URLScan is loaded in memory and reads the settings in the
Urlscan.ini file. Therefore, you have to restart IIS so that the new
configuration settings take effect. To do so, follow the steps that are
appropriate to your version of IIS:
- In IIS 4.0:
  a. At a command prompt, type the following command:
     NET STOP "IIS Admin Service" /Y
  b. If you see several dependent services listed as they are stopped,
     write down the names so that you can restart these services later.
  c. When you receive the following message:
     The IIS Admin Service service was stopped successfully.
     restart each IIS service by name. To do so, type the following
     commands at the command prompt, and press ENTER after each line:
     NET START "World Wide Web Publishing Service"
     NET START "Simple Mail Transfer Protocol (SMTP)"
     NET START "FTP Publishing Service"
  d. Quit the command prompt.
- In IIS 5.0:
  a. Right-click My Computer, and then click Restart IIS.
  b. Click Restart Internet Services on Your Computer.
  c. Click OK.
- In IIS 5.1:
  a. Right-click My Computer, point to All Tasks, and then click Restart
     IIS.
  b. Click Restart Internet Services on Your Computer.
  c. Click OK.