Microsoft KB Archive/312376

= How To Configure URLScan to Allow Requests with a Null Extension in IIS =

Article ID: 312376

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1

-



This article was previously published under Q312376



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



IN THIS TASK
SUMMARY
 * Introduction
 * Modify the Default URLScan Configuration File

REFERENCES



SUMMARY
This step-by-step article describes how to configure URLScan to allow null extension requests with Internet Information Services (IIS).

back to the top

Introduction
URLScan is an Internet Server Application Programming Interface (ISAPI) filter that screens and monitors HTTP requests for IIS. URLScan is used to reduce the exposure of IIS 4.0, IIS 5.0, and IIS 5.1 to potential Internet attacks.

URLScan protects a Web server from attacks by filtering and rejecting HTTP requests for selected IIS service applications. The default Urlscan.ini file is configured to accept only static HTML files, including graphic files, and to reject the following types of requests:
 * Common Gateway Interface (CGI) .exe pages
 * World Wide Web Distributed Authoring and Versioning (WebDAV)
 * FrontPage Server Extensions
 * Index Server
 * Internet printing
 * Server-side includes

If you have URLScan with version number 6.0.3574.0, you can configure URLScan to allow incoming URL requests with the null extension.

back to the top

Modify the Default URLScan Configuration File
To configure URLScan when it is installed on the IIS Web server, follow these steps:  Download the IIS Lockdown tool from the following Microsoft Web site and then save it to a local directory:

http://www.microsoft.com/technet/security/tools/locktool.mspx

 Unzip the IISlock.exe file and then unzip the Urlscan.exe file. The Urlscan folder is created. Paste the Urlscan folder in the %Windir%\System32\Inetsrv directory. Double-click the Urlscan folder under Inetsrv, and then open Urlscan.ini in Notepad.  In the Urlscan.ini file, be sure to enable UseAllowExtensions, as follows: [Option] UseAllowExtensions=1; if 1, use [AllowExtensions] section, else   Urlscan allows you to specify a null extension in the [AllowExtensions] section. To do this, add a period (.) in the [AllowExtensions] section, as follows: [AllowExtensions] . .asp .htm .html .txt .jpg .jpeg .gif  On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager, or open the custom Microsoft Management Console (MMC) that contains the IIS snap-in.</li> In the IIS MMC, expand the server computer name. Right-click the computer name and then click Properties. Click WWW Service and then click Edit.</li> On the ISAPI filters tab, click Add. Type urlscan as the file name. In the Executable text box, click Browse, and then select urlscan.dll from the %Windir%\System32\Inetsrv\Urlscan directory.</li> At an MS-DOS command prompt, run Net stop iisadmin, and then run Net start W3SVC to restart IIS Web services. Verify that Urlscan.dll is running without problems, and then move the Urlscan.dll ISAPI filter to the top position in the filter list.</li></ol>
 * Extensions listed here are commonly used on a typical IIS server.
 * Note that these entries are effective if &quot;UseAllowExtensions=1&quot;
 * is set in the [Option] section above.
 * Note that these entries are effective if &quot;UseAllowExtensions=1&quot;
 * is set in the [Option] section above.

back to the top

<div class="references_section">