Microsoft KB Archive/309508

= IIS lockdown and URLscan configurations in an Exchange environment =

Article ID: 309508

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft Exchange Server 2000 Service Pack 1
 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server

-



This article was previously published under Q309508





SYMPTOMS
Note: This article describes issues with Exchange 2000 and Exchange Server 5.5 that occur when you apply version 1.0 of the IIS Lockdown tool. Microsoft recommends that you download the latest version of the IIS Lockdown tool:

http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

309677 XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment

The Internet Information Services (IIS) security tools, IISlockD and URLscan, must be configured appropriately for Exchange. This article describes the configuration that is required for these tools in Exchange 2000 Server and Exchange Server 5.5 environments. Typical symptoms of an incorrect IISlockD or URLscan configuration include:

 * Microsoft Outlook Web Access (OWA). When you gain access to OWA, your mail items, Calendar items, and Contacts may be missing. In addition, if you attempt to gain access to OWA from a browser on the Exchange 2000 server, you may receive the following error message:

   A Runtime Error has occurred.
   Do you wish to Debug?
   Line: 878
   Error: The handle is in the wrong state for the requested operation

 * Exchange System Manager. When you try to expand the public folder tree in Exchange System Manager, you may receive the following error message:

   The object is no longer available. Press F5 to refresh the display, and then try again.
   ID no: 80040e19
   Exchange System Manager

 * Exchange System Manager. When you try to expand the public folder tree in Exchange System Manager, you may instead receive the following error message:

   The operation failed due to an internal server error. c1030af2

 * Exchange Instant Messaging. When you try to sign in to Exchange Instant Messaging, you may receive the following error message:

   Signing in to Microsoft Exchange Instant Messaging failed because the service is temporarily unavailable. Please try again later.





CAUSE
This issue can occur because the default configuration of the IISlockD and URLScan security tools assumes that the server is serving static content only: only the GET, HEAD, and POST verbs are allowed, and the script mappings are removed. Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs (for example PROPFIND, SEARCH, POLL, SUBSCRIBE, and the batch verbs BCOPY, BMOVE, and BPROPPATCH) that the default configuration does not allow. Exchange Server 5.5 components use Active Server Pages (ASP), which the default configuration disables.



RESOLUTION
Examine these settings carefully before you apply them to your server. They are designed to let Exchange 2000 Server and Exchange Server 5.5 work correctly, but they are server-wide and may have effects that you do not expect: URLscan filters every request that IIS receives, not only the Exchange requests. For example, the "DenyExtensions" section of the URLscan INI settings below prevents IIS from serving script and executable content (.asp, .exe, .htr, and so on) for every Web site on the server, so an unrelated application that is hosted on the same IIS server may stop working after you apply one of these profiles.

IIS Lockdown on Exchange 2000 Servers
In Exchange 2000 environments, the lockdown tool does not accommodate Exchange installable file system (IFS) mounted drives (typically drive M). To use the lockdown tool on Exchange 2000 servers:

 1. Run IISlockD.exe.
 2. Click Advanced Lockdown, and then click Next.
 3. The Remove Script Mappings dialog box is displayed:
    a. If the Disable support for Active Server Pages (.asp) check box is selected, the OWA Multimedia button and the Log Off button do not function. The following Microsoft Knowledge Base article describes how to disable the Multimedia button for customers who do not have a unified messaging solution:

       288119 XWEB: How to Disable the Multimedia Button in OWA

       When Active Server Pages (ASP) pages are disabled, unified messaging still functions with the WAV file attachment.
    b. If the Disable support for .HTR scripting (.htr) check box is selected, the OWA Change Password feature does not function. This OWA feature is disabled by default. The following Knowledge Base article describes how to hide the Change Password button in OWA:

       297121 XWEB: How to Hide the Change Password Button on the Outlook Web Access Options Page

 4. Click Next.
 5. The Additional Lockdown Actions dialog box is displayed:
    a. Click to clear the Disable Distributed Authoring and Versioning (WebDAV) check box.
    b. Click to clear the Set file permissions to prevent the IIS anonymous users from writing to content directories check box. Clearing this check box keeps the tool from applying file permissions to the IIS virtual directories that are mapped to the Exchange IFS; set the permissions for the remaining virtual directories manually, as described below.
 6. Click Next, and then click Yes to complete the lockdown process.

To manually set the file permissions for the IIS anonymous user, set an explicit Deny Access Control Entry (ACE) for the anonymous Web user groups on each IIS virtual directory that is not mapped to the Exchange IFS. Note that a Deny Full Control ACE also blocks Read access for these accounts, so apply it only to virtual directories that anonymous users should not reach at all; the Lockdown tool's own option denies write access only.

 1. Start the Internet Services Manager Microsoft Management Console (MMC).
 2. Click to expand the Default Web Site.
 3. For each virtual directory, excluding the Exchange and Exadmin virtual roots:
    a. Right-click the virtual directory, and then click Properties.
    b. On the Virtual Directory tab, note the local path.
    c. Start Microsoft Windows Explorer, and then locate the local path folder.
    d. Right-click the folder, and then click Properties.
    e. Click the Security tab.
    f. Click Add.
    g. Click to select the _Web Anonymous Users and _Web Applications accounts (the IIS Lockdown tool creates these groups), and then click OK.
    h. Click to select the _Web Anonymous Users account, and then select the Deny check box for Full Control.
    i. Click to select the _Web Applications account, and then select the Deny check box for Full Control.
 4. Repeat step 3 for each remaining virtual directory.

IIS Lockdown on Exchange Server 5.5 Computers
To use the lockdown tool on Exchange Server 5.5 computers:

 1. Start IISlockD.exe.
 2. Click Advanced Lockdown, and then click Next.
 3. The Remove Script Mappings dialog box is displayed:
    a. Click to clear the Disable support for Active Server Pages (.asp) check box. OWA on Exchange Server 5.5 is an ASP application and stops working if ASP support is disabled.
    b. If the Disable support for .HTR scripting (.htr) check box is selected, the OWA Change Password feature does not function. Click Next.
 4. The Additional Lockdown Actions dialog box is displayed.
 5. Click Next, and then click Yes to complete the lockdown process.

If you already ran the IIS Lockdown tool against your Exchange Server 5.5 OWA server with all of the options selected, restore functionality as follows.

OWA:

 1. Start Internet Services Manager.
 2. Click to expand the Default Web Site, right-click the Exchange virtual directory, and then click Properties.
 3. Click the Virtual Directory tab, and then click Configuration.
 4. Click the .ASP mapping, and then click Edit. The IIS Lockdown tool points this mapping at 404.dll; change it back to asp.dll (%windir%\System32\Inetsrv\asp.dll). On Microsoft Windows NT 4.0-based computers, add "PUT, DELETE" to the Method Exclusions box. On Microsoft Windows 2000-based computers, make sure that the Limit to check box is selected and that the Limit to box contains "GET, HEAD, POST, TRACE".
 5. Click OK to close the properties.

Change Password (restore this only if the Change Password feature is actually required; the .htr handler is a legacy component that the Lockdown tool disables by default):

 1. Re-create the Iisadmpwd virtual directory that was deleted. For additional information about how to re-create the Iisadmpwd virtual directory, click the article number below to view the article in the Microsoft Knowledge Base:

    301428 Troubleshooting Outlook Web Access from an IIS Perspective

 2. By default, the mapping for .htr files is also removed. Restore the mapping for .htr files:
    a. Start Internet Services Manager.
    b. Right-click the Default Web Site, and then click Properties.
    c. Click the Home Directory tab, and then click Configuration.
    d. Click the .htr mapping, and then click Edit. The IIS Lockdown tool points this mapping at 404.dll; change it back to ism.dll (%windir%\System32\Inetsrv\ism.dll).
    e. Click OK to close the properties.


URLscan on Exchange 2000 Servers
For more information about using Exchange 2003 and URLscan, click the following article number to view the article in the Microsoft Knowledge Base:

823175 Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment

This section contains URLscan configuration files for the following components:
 * OWA
 * Exchange System Manager
 * Instant Messaging
 * Web folders

Note that after you add the DenyUrlSequences section to the Urlscan.ini file, you may not be able to open mail messages in Outlook Web Access (OWA) if the Subject line of the message contains one of the listed sequences (for example & or %), because OWA builds the item URL from the subject. Administrators should review the URLscan log file in the %windir%\system32\inetsrv\urlscan folder to identify the rejected requests and the rule that rejected each of them.

If multiple services are installed on a single server, you need to merge the configuration files to ensure that all of the components continue to function.

Open the Urlscan.ini file in the following location:

%windir%\System32\Inetsrv\Urlscan

Modify the Urlscan.ini file based on the Exchange computer role. URLscan reads the file when IIS starts, so restart IIS after you change it.

If you encounter further difficulties when you attempt HTTP requests with URLScan enabled, check the Urlscan.log file for the list of requests that are being rejected and the rule that rejected each of them. The default location of the Urlscan.log file is the same folder:

%windir%\System32\Inetsrv\Urlscan

OWA
The URLscan configuration file for OWA is as follows (if the Change Password feature is required, you must remove the ".htr" file extension from the DenyExtensions section):

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
POST
SEARCH
POLL
PROPFIND
BMOVE
BCOPY
SUBSCRIBE
MOVE
PROPPATCH
BPROPPATCH
DELETE
BDELETE
MKCOL

[DenyVerbs]

[DenyHeaders]
If:
Lock-Token:

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
%
&
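
To see why a static-content lockdown breaks OWA while the file above does not, the following Python script models the URLScan checks that these INI sections control and runs constructed sample requests through two configurations: one patterned on a static-content-only lockdown (GET, HEAD, and POST only; dots in folder names and WebDAV headers rejected) and one built from the OWA file above with its DenyExtensions list shortened. This is an added example, not Microsoft code or URLScan itself; the parser, the check order, the sample URLs and the user names in them are the example's own, and it deliberately ignores details the article does not describe (VerifyNormalization, the query string, and URLScan's exact logging text).

```python
"""Model of the URLScan checks that the INI sections above control, run against
constructed sample requests. Added example, not Microsoft code or URLScan itself:
it covers only the rules the article's files use and simplifies the real check
order and normalization (VerifyNormalization and the query string are ignored)."""
from urllib.parse import unquote

# Constructed file patterned on a static-content-only lockdown.
STATIC_INI = "\n".join([
    "[Options]", "UseAllowVerbs=1", "UseAllowExtensions=0", "NormalizeUrlBeforeScan=1",
    "AllowHighBitCharacters=0", "AllowDotInPath=0",
    "[AllowVerbs]", "GET", "HEAD", "POST",
    "[DenyHeaders]", "Translate:", "If:", "Lock-Token:",
    "[DenyExtensions]", ".asp", ".exe", ".htr",
    "[DenyUrlSequences]", "..", "./", "\\", "%", "&",
])
# The OWA file from this article (DenyExtensions shortened to three entries).
OWA_INI = "\n".join([
    "[Options]", "UseAllowVerbs=1", "UseAllowExtensions=0", "NormalizeUrlBeforeScan=1",
    "AllowHighBitCharacters=1", "AllowDotInPath=1",
    "[AllowVerbs]", "GET", "POST", "SEARCH", "POLL", "PROPFIND", "BMOVE", "BCOPY",
    "SUBSCRIBE", "MOVE", "PROPPATCH", "BPROPPATCH", "DELETE", "BDELETE", "MKCOL",
    "[DenyVerbs]", "[DenyHeaders]", "If:", "Lock-Token:",
    "[DenyExtensions]", ".asp", ".exe", ".htr",
    "[DenyUrlSequences]", "..", "./", "\\", "%", "&",
])


def parse_urlscan_ini(text):
    """Parse urlscan.ini: [Options] holds key=value pairs, every other section is a list."""
    cfg, section = {"Options": {}}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment in urlscan.ini
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {} if section == "Options" else [])
        elif section == "Options":
            key, _, value = line.partition("=")
            cfg["Options"][key.strip()] = value.strip()
        elif section is not None:
            cfg[section].append(line)
    return cfg


def check_request(cfg, verb, url, headers=()):
    """Return None if the request passes, otherwise the reason it would be rejected."""
    opt, listed = cfg["Options"], lambda sec: {x.lower() for x in cfg.get(sec, [])}
    if opt.get("UseAllowVerbs", "1") == "1":
        if verb.lower() not in listed("AllowVerbs"):
            return f"verb '{verb}' is not listed in [AllowVerbs]"
    elif verb.lower() in listed("DenyVerbs"):
        return f"verb '{verb}' is listed in [DenyVerbs]"
    sent = {h.lower() for h in headers}
    for name in cfg.get("DenyHeaders", []):
        if name.rstrip(":").lower() in sent:
            return f"header '{name}' is listed in [DenyHeaders]"
    path = url.split("?", 1)[0]                        # query string is not scanned here
    if opt.get("NormalizeUrlBeforeScan", "1") == "1":
        path = unquote(path)                           # decode %xx before scanning,
    for seq in cfg.get("DenyUrlSequences", []):        # so '&' catches an encoded %26
        if seq in path:
            return f"URL contains the sequence '{seq}' listed in [DenyUrlSequences]"
    if opt.get("AllowHighBitCharacters", "0") == "0" and any(ord(c) > 127 for c in path):
        return "URL contains high-bit characters (AllowHighBitCharacters=0)"
    folders, _, leaf = path.rpartition("/")
    if opt.get("AllowDotInPath", "0") == "0" and "." in folders:
        return "URL has a dot in a folder name (AllowDotInPath=0)"
    ext = leaf[leaf.rfind("."):].lower() if "." in leaf else ""
    if opt.get("UseAllowExtensions", "0") == "1":
        if ext not in listed("AllowExtensions"):
            return f"extension '{ext}' is not listed in [AllowExtensions]"
    elif ext and ext in listed("DenyExtensions"):
        return f"extension '{ext}' is listed in [DenyExtensions]"
    return None


# Constructed requests; user1 and john.doe are hypothetical mailbox names.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/user1/Inbox/Hello%20world.EML", ()),
    ("PROPFIND", "/exchange/user1/Inbox/", ("Depth",)),
    ("SEARCH", "/public/", ("Content-Type",)),
    ("GET", "/exchange/john.doe/Inbox/", ()),
    ("GET", "/exchange/user1/Inbox/Tom%20%26%20Jerry.EML", ()),   # subject "Tom & Jerry"
    ("GET", "/iisadmpwd/achg.htr", ()),                           # Change Password page
    ("PROPFIND", "/exchange/user1/Inbox/", ("If",)),
]


def evaluate(cfg, requests=SAMPLE_REQUESTS):
    """Return [(verb, url, reason-or-None), ...] for every request under cfg."""
    return [(v, u, check_request(cfg, v, u, h)) for v, u, h in requests]


STATIC_CFG = parse_urlscan_ini(STATIC_INI)
OWA_CFG = parse_urlscan_ini(OWA_INI)

if __name__ == "__main__":
    for label, cfg in (("static-content lockdown", STATIC_CFG), ("OWA file", OWA_CFG)):
        print(f"--- {label}")
        for verb, url, reason in evaluate(cfg):
            print(f"{'REJECT' if reason else 'pass  '} {verb:9}{url}  {reason or ''}")
```

Running the script prints one pass/reject line per request under each configuration. Under the static-content lockdown every WebDAV request and every mailbox whose name contains a dot is rejected, which is the CAUSE section in miniature. The "Tom & Jerry" subject shows the DenyUrlSequences effect noted above: after %xx decoding the URL contains "&", so the request is rejected even under the OWA file, and that is the entry you will find in Urlscan.log when a user cannot open such a message.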

Exchange System Manager for Public Folder Management
The URLscan configuration file for Exchange System Manager management of Public Folders is as follows:

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
PROPFIND
SEARCH
PROPPATCH
DELETE
MKCOL
MOVE
COPY
OPTIONS

[DenyVerbs]

[DenyHeaders]
If:
Lock-Token:

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
%
&

Note: .com is omitted from this DenyExtensions list because Exchange System Manager builds public folder URLs that contain the organization's DNS domain name. You can add .com to the list if your internal Domain Name System (DNS) namespace does not contain .com.

Instant Messaging
The URLscan configuration file for Instant Messaging is as follows:

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
SUBSCRIBE
UNSUBSCRIBE
SUBSCRIPTIONS
NOTIFY
POLL
PROPFIND
PROPPATCH
ACL

[DenyVerbs]

[DenyHeaders]
If:
Lock-Token:

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
%
&

Web Folders
The URLscan configuration file for Web folders is as follows:

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
PROPFIND
MOVE
BCOPY
DELETE
BDELETE
MKCOL
OPTIONS
LOCK
UNLOCK
PUT

[DenyVerbs]

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
%
&

Custom WebDAV Programs
You need to review any custom programs that were developed against the Exchange 2000 store for the list of DAV verbs that they use. Add those verbs to the AllowVerbs section of a URLscan configuration file, and apply that file to the servers that host the custom program.
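
When several components share one server, the article says to merge their configuration files so that every component keeps working, and to add a custom program's DAV verbs to AllowVerbs. The following Python script does both mechanically. It is an added example, not Microsoft code; the merge rule is the example's own reading of "all components continue to function" (allow-lists are unioned, deny-lists keep only the entries that every role's file denies, and [Options] values must agree or the merge stops, because an option flipped for one role silently changes URLScan for all of them). The OWA and Exchange System Manager roles are copied from the files above; CUSTOM_DAV is a hypothetical custom program and its verbs are assumed.

```python
"""Merge per-role URLScan files for a server that hosts several Exchange components.
Added example, not Microsoft code. Merge rule (this example's assumption): allow-lists
are unioned, deny-lists are intersected, [Options] must agree."""

COMMON_DENY_EXT = [".asp", ".cer", ".cdx", ".asa", ".exe", ".bat", ".cmd", ".htw", ".ida",
                   ".idq", ".htr", ".idc", ".shtm", ".shtml", ".stm", ".printer", ".ini",
                   ".log", ".pol", ".dat"]
OPTIONS_2000 = {"UseAllowVerbs": "1", "UseAllowExtensions": "0", "NormalizeUrlBeforeScan": "1",
                "VerifyNormalization": "1", "AllowHighBitCharacters": "1", "AllowDotInPath": "1",
                "RemoveServerHeader": "0", "EnableLogging": "1", "PerProcessLogging": "0",
                "AllowLateScanning": "0"}
DENY_SEQ = ["..", "./", "\\", "%", "&"]

# Role files taken from this article.
OWA = {"Options": OPTIONS_2000,
       "AllowVerbs": ["GET", "POST", "SEARCH", "POLL", "PROPFIND", "BMOVE", "BCOPY", "SUBSCRIBE",
                      "MOVE", "PROPPATCH", "BPROPPATCH", "DELETE", "BDELETE", "MKCOL"],
       "DenyVerbs": [], "DenyHeaders": ["If:", "Lock-Token:"],
       "DenyExtensions": COMMON_DENY_EXT + [".com"], "DenyUrlSequences": DENY_SEQ}
ESM = {"Options": OPTIONS_2000,
       "AllowVerbs": ["PROPFIND", "SEARCH", "PROPPATCH", "DELETE", "MKCOL", "MOVE", "COPY", "OPTIONS"],
       "DenyVerbs": [], "DenyHeaders": ["If:", "Lock-Token:"],
       "DenyExtensions": COMMON_DENY_EXT,            # no .com: see the note under that file
       "DenyUrlSequences": DENY_SEQ}
# Hypothetical custom WebDAV program (not from the article); its verb list is assumed.
CUSTOM_DAV = {"Options": OPTIONS_2000,
              "AllowVerbs": ["GET", "PROPFIND", "LOCK", "UNLOCK", "PUT", "OPTIONS"],
              "DenyVerbs": [], "DenyHeaders": ["If:", "Lock-Token:"],
              "DenyExtensions": COMMON_DENY_EXT + [".com"], "DenyUrlSequences": DENY_SEQ}

ALLOW_SECTIONS = ("AllowVerbs", "AllowExtensions")
DENY_SECTIONS = ("DenyVerbs", "DenyHeaders", "DenyExtensions", "DenyUrlSequences")


def _ordered_union(lists):
    """Union that keeps first-seen order, so the merged file stays readable."""
    out = []
    for lst in lists:
        for item in lst:
            if item not in out:
                out.append(item)
    return out


def options_conflicts(*roles):
    """Names of [Options] keys whose values differ between the given roles."""
    seen, bad = {}, []
    for role in roles:
        for key, value in role.get("Options", {}).items():
            if seen.setdefault(key, value) != value and key not in bad:
                bad.append(key)
    return bad


def merge_urlscan(*roles):
    """Return (merged config, {deny section: entries dropped because some role lacks them})."""
    conflicts = options_conflicts(*roles)
    if conflicts:
        raise ValueError(f"[Options] differ between roles, decide by hand: {conflicts}")
    merged, dropped = {"Options": {}}, {}
    for role in roles:
        merged["Options"].update(role.get("Options", {}))
    present = [s for s in ALLOW_SECTIONS + DENY_SECTIONS if any(s in r for r in roles)]
    for sec in present:
        everything = _ordered_union([r.get(sec, []) for r in roles])
        if sec in ALLOW_SECTIONS:
            merged[sec] = everything
        else:   # a deny entry survives only if every role's file denies it
            merged[sec] = [x for x in everything if all(x in r.get(sec, []) for r in roles)]
            dropped[sec] = [x for x in everything if x not in merged[sec]]
    return merged, dropped


def to_ini(cfg):
    """Serialize a config back into urlscan.ini syntax."""
    lines = ["[Options]"] + [f"{k}={v}" for k, v in cfg["Options"].items()]
    for sec, entries in cfg.items():
        if sec != "Options":
            lines += ["", f"[{sec}]"] + list(entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged, dropped = merge_urlscan(OWA, ESM, CUSTOM_DAV)
    print(to_ini(merged))
    for sec, entries in dropped.items():
        if entries:
            print(f"; REVIEW: {sec} entries dropped because not every role denies them: {entries}")
```

Because deny-lists are intersected, the merged file is never more restrictive than the least restrictive input, so the script prints every dropped entry for review rather than silently loosening the server; with the inputs above, .com is dropped because the Exchange System Manager file omits it. Write the output over Urlscan.ini only after that review, and restart IIS for URLScan to pick it up.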

URLscan on Exchange Server 5.5 Computers
Note that after you add the DenyUrlSequences section to the Urlscan.ini file, you may not be able to open mail messages in Outlook Web Access (OWA) if the Subject line of the message contains one of the listed sequences (for example & or %). Administrators should review the URLscan log file in the %windir%\system32\inetsrv\urlscan folder to identify the rejected requests.

The URLscan configuration file for OWA is as follows (if the Change Password feature is required, you must remove the ".htr" file extension from the DenyExtensions section):

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=0
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
AlternateServerName=

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat
.htr

[DenyUrlSequences]
..
./
\
%
&

Additional query words: UM ESM IM XCCC

Keywords: kbprb KB309508

-


© Microsoft Corporation. All rights reserved.