Microsoft KB Archive/311595

= XCCC: How to Install and Configure Microsoft Security Tool Kit On a Microsoft Mobile Information Server =

Article ID: 311595

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Mobile Information Server 2001 Enterprise Edition
 * Microsoft Mobile Information Server 2002 Enterprise Edition

-



This article was previously published under Q311595



SUMMARY
This article describes how to install and configure the Internet Information Services (IIS) Lockdown tool on a Microsoft Mobile Information Server Enterprise Edition server. The IIS Lockdown tool is included in the Microsoft Security Toolkit.

For more information about why particular settings are required for the Security Toolkit on a server that is running Mobile Information Server, refer to the Releasenotes.htm file. The Releasenotes.htm file is located in the Docs folder, on the installation media.



MORE INFORMATION
To install the Microsoft Security Tool Kit on the server that is running Mobile Information Server, complete the following steps:  Run Setup from the Microsoft Security Tool Kit installation media. Install all of the updates, and then use the default settings until the IIS Lockdown Wizard Setup begins. Double-click Services in Control Panel, and then manually stop the Mobile Information Server Message Processor service. Click Next to start IIS Lockdown Wizard. After you read the License Agreement, click I agree, and then click Next. On the Server templates page, click Other (Server that does not match any of the listed roles), and then click Next. Make sure that the Web service (HTTP) and the E-mail service (SMTP) checkboxes are selected, disable any other installed services, including File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP), and then click Next.</li> On the Script Maps page, clear the Active Server Pages (.asp) check box. Make sure the other check boxes maintain their default settings, and then click Next.</li> Accept the default setting on the Additional Security page, and then click Next.</li> Make sure that the Install URLScan filter on the server check box is selected, and then click Next.</li> To apply the changes, click Next on the Ready to Apply Settings page.</li> Open the Urlscan.ini file at the following location:

C:\Winnt\System32\Inetsrv\Urlscan

</li> Change the AllowHighBitCharacters= value to equal 1.</li> Click Next, and then click Finish.</li></ol>

If you are running Exchange Notifications, complete the following steps on Exchange 2000 Server: <ol> Run Setup from the Microsoft Security Tool Kit installation media.</li> Install all of the updates, and then use the default settings until the IIS Lockdown Wizard Setup begins.</li> Click Next to start IIS Lockdown Wizard.</li> After you have read the License Agreement, click I agree, and then click Next.</li> On the Server templates page, choose Exchange Server 2000, and then click Next.</li> Make sure that the Install URLScan filter on the server check box is selected, and then click Next.</li> To apply the changes, click Next on the Ready to Apply Settings page.</li> When the Setup program is complete, click Next, and then click Finish.</li> <li>Open the Urlscan.ini file at the following location:

C:\Winnt\System32\Inetsrv\Urlscan

</li> <li>Change the AllowDotInPath= value to equal 1.</li> <li>Scroll to the [AllowVerbs] section, type BPROPFIND to the list of allowed verbs, and then save the .ini file. In addition, consider the following information, included in the Releasenotes.htm file on the installation media, when you lock down the security on your Exchange Servers by running the Microsoft Security Toolkit. By default certain characters, such as the percent (%), ampersand (&), and colon are not allowed in uniform resource locators (URLs). This can cause issues when you try to perform certain actions, such as deleting a message or accepting a meeting request, if the message in question has these characters in the subject. The colon character is especially common in e-mail messages, for example replies or forwarded messages typically have a colon  in the subject. You can fix these issues by changing the [DenyUrlSequences] section of the Urlscan.ini file on Exchange Servers that have been locked down. You must remove the characters that you want to allow from the [DenyUrlSequences] list in the Urlscan.ini file. For example, this section typically appears similar to the following:

[DenyUrlSequences]

.. ; Don't allow directory traversals

./ ; Don't allow trailing dot on a directory name

\ ; Don't allow backslashes in URL


 * ; Don't allow alternate stream access

% ; Don't allow escaping after normalization

& ; Don't allow multiple CGI processes to run on a single request

Messages that include any of the characters or character sequences listed in the subject are affected. Therefore, to delete messages that include colons in the subject, when you use Microsoft Outlook Mobile Access, you must remove the following line from this section of the Urlscan.ini file on Exchange Server:



These characters are denied by default because certain security exploits use these characters in a URL. You must consider not allowing as many of these characters as possible so that you can protect yourself from such exploits. If you decide to remove some of the denied characters, you can modify the [DenyUrlSequences] setting in the Urlscan.ini file after you run the Security Toolkit on Exchange Server. After you modify the [DenyUrlSequences] setting, you must restart IIS Admin Service.</li></ol>

Additional query words: mis mmis

Keywords: kbinfo KB311595

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.