Microsoft KB Archive/313131

= HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange Server 5.5 =

PSS ID Number: 313131

Article Last Modified on 12/2/2003


The information in this article applies to:


 * Microsoft Exchange Server 5.5




This article was previously published under Q313131



IN THIS TASK

 * SUMMARY
 * Configure URLScan.ini to Support Outlook Web Access
 * Troubleshooting



== SUMMARY ==
This article describes how IIS administrators can use the URLScan tool to help protect their Web servers from a variety of known and unknown attacks. The URLScan ISAPI filter screens inbound requests to the Web server. The filter uses rules (configured by the administrator) to block requests that contain potentially dangerous strings that might compromise a Web server.

The URLScan.ini file includes the default URLScan settings. These default settings assume that the Web server serves static Web pages such as HTML files and images and also ASP pages. Features that are not supported by the default URLScan.ini configuration file include:
 * Outlook Web Access (OWA)
 * FrontPage Server Extensions
 * WebDAV
 * Microsoft Index Server
 * Internet Printing Protocol
 * Server-Side Includes


== Configure URLScan.ini to Support Outlook Web Access ==
After you install the URLScan tool and configure the tool on an Outlook Web Access (OWA) server, mail, calendar, and contact items may not appear. To restore OWA functionality, you must configure the URLScan.ini file to support OWA:
 * 1) Start Windows Explorer, and then locate %SystemRoot%\System32\Inetsrv\Urlscan.
 * 2) Right-click the URLScan.ini file, and then click Open.
 * 3) If the Open With dialog box appears, click Notepad, and then click OK.
 * 4) Configure the URLScan.ini file to include the following entries:

[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
POST
SEARCH
POLL
PROPFIND
BMOVE
BCOPY
SUBSCRIBE
MOVE
PROPPATCH
BPROPPATCH
DELETE
BDELETE
MKCOL

[DenyVerbs]
; Deny verbs are empty when supporting OWA

[DenyHeaders]
If:
Lock-Token:
; the Translate header is removed from the default settings

; [AllowExtensions]
; Remove or comment out the AllowExtensions section

[DenyExtensions]
.asp
.cer
.cdx
.asa
.exe
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
.ini
.log
.pol
.dat
; remove the .asp extension, and remove the .htr extension to support Change Password functionality

[DenyUrlSequences]
..
./
\
%
&
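
An added example, not part of the original Microsoft article: a small Python audit that parses a URLScan.ini and reports where it differs from the OWA entries listed above. The function names and the sample file are constructed for illustration, and only a subset of the [Options] values is checked.

```python
# Added example: audit a URLScan.ini against the OWA entries listed in this article.
OWA_OPTIONS = {"UseAllowVerbs": "1", "UseAllowExtensions": "0",
               "AllowHighBitCharacters": "1", "AllowDotInPath": "1"}
OWA_VERBS = {"GET", "POST", "SEARCH", "POLL", "PROPFIND", "BMOVE", "BCOPY", "SUBSCRIBE",
             "MOVE", "PROPPATCH", "BPROPPATCH", "DELETE", "BDELETE", "MKCOL"}

def parse_urlscan(text):
    """Return {section: [entries]}; section names lower-cased, ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def audit_for_owa(text):
    """List the settings that differ from the OWA configuration in the article."""
    cfg = parse_urlscan(text)
    pairs = (entry.partition("=") for entry in cfg.get("options", []))
    opts = {k.strip().lower(): v.strip() for k, _, v in pairs}
    findings = [f"[Options] {k} should be {v}" for k, v in OWA_OPTIONS.items()
                if opts.get(k.lower()) != v]
    missing = OWA_VERBS - set(cfg.get("allowverbs", []))
    if missing:
        findings.append("[AllowVerbs] missing: " + " ".join(sorted(missing)))
    if any(h.lower().startswith("translate") for h in cfg.get("denyheaders", [])):
        findings.append("[DenyHeaders] must not list Translate:")
    blocked = {e.lower() for e in cfg.get("denyextensions", [])} & {".asp", ".htr"}
    if blocked:
        findings.append("[DenyExtensions] must not list: " + " ".join(sorted(blocked)))
    return findings

# Constructed sample (not from the article): a file that would break OWA.
SAMPLE = """\
[Options]
UseAllowVerbs=1        ; enforce [AllowVerbs]
UseAllowExtensions=0
AllowHighBitCharacters=1
AllowDotInPath=0
[AllowVerbs]
GET
POST
[DenyHeaders]
Translate:
[DenyExtensions]
.asp
"""
```

Pass the contents of the URLScan.ini file from %SystemRoot%\System32\Inetsrv\Urlscan to `audit_for_owa`; an empty list means the checked entries match the configuration above.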


== Troubleshooting ==
It is vitally important that you update your Web servers with the latest security patches. This is even more important if you have to use any of the features in the list in the SUMMARY section, which the default URLScan.ini configuration does not support. You can find the most recent security patches at the following Microsoft Web site:

www.microsoft.com/technet/security


Keywords: kbhowto kbHOWTOmaster KB313131

Technology: kbExchange550 kbExchangeSearch kbZNotKeyword2


© 2004 Microsoft Corporation. All rights reserved.