Microsoft KB Archive/318290

= How to use URLScan with FrontPage 2002 =

Article ID: 318290

Article Last Modified on 2/19/2007


APPLIES TO


 * Microsoft FrontPage 2002 Server Extensions
 * Microsoft SharePoint Team Services
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1




This article was previously published under Q318290







For a Microsoft FrontPage 2000 version of this article, see 309394.



For a Microsoft FrontPage 2003 version of this article, see 825538.

IN THIS TASK

 * SUMMARY
   * Downloading and Installing URLScan
   * Modifying the Default URLScan Configuration
   * Changing the URLScan Priority (Optional)
   * Restarting IIS to Update URLScan
 * TROUBLESHOOTING
 * REFERENCES



SUMMARY
Use this step-by-step guide to install and configure the URLScan utility for Microsoft Internet Information Services (IIS). You can download URLScan from the Microsoft Web site by using the steps in this article. After you install URLScan, your Web server will be more secure.


Downloading And Installing URLScan
To install new software and be able to stop or restart Web services, you need to be logged on to your Web server. Therefore, to install the URLScan utility, log on to your Web server as an administrator, and then follow these steps:

 1. Download the URLScan utility. To do this, visit the following Microsoft Web site:

    URLScan Security Tool

 2. Click Download Now.
 3. Click Save this program to disk, and then click OK.
 4. Choose your Desktop as the location to save the file, and then click Save.
 5. Quit your browser.
 6. Double-click the Urlscan.exe file.
 7. Read the End-user License Agreement (EULA). If you accept the terms of the EULA, click Yes.
 8. If you are prompted to restart IIS, click Yes.
 9. If you receive a message telling you that installation is completed, click OK.


Modifying the Default URLScan Configuration File
Because the default configuration for URLScan may interfere with FrontPage functionality, you need to make changes that allow FrontPage to work correctly and yet deny access to sensitive FrontPage files. These steps are only a suggestion. For additional information about settings for URLScan, see the "References" section later in this article.

 1. Right-click the Start menu, and then click Explore.
 2. Locate the following folder, which is relative to your Windows folder (for example, C:\Windows or C:\Winnt):

    \system32\inetsrv\urlscan

 3. Right-click the Urlscan.ini file, and then click Copy.
 4. Right-click in the folder, and then click Paste. A copy of the file, named Copy of Urlscan.ini, is created.
 5. Double-click the Urlscan.ini file. The file opens in Notepad.
 6. Make the following changes:

    a. In the [options] section, set the following values:

<pre class="fixed_text">
[options]
UseAllowVerbs=1          ; use the [AllowVerbs] section
UseAllowExtensions=0     ; use the [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
VerifyNormalization=1    ; canonicalize URL twice, reject on change
AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters
AllowDotInPath=0         ; deny dots in path
EnableLogging=1          ; log activity
PerDayLogging=1          ; change log files daily
PerProcessLogging=0      ; do not change log files by process ID
RemoveServerHeader=0     ; do not remove "Server" header
AlternateServerName=
UseFastPathReject=0      ; use RejectResponseUrl or log the request
RejectResponseUrl=
AllowLateScanning=1      ; allow URLScan to be loaded low priority
</pre>

    b. In the [AllowVerbs] section, use the following values only. Do not include other values.

<pre class="fixed_text">
[AllowVerbs]
GET     ; allow GET (most Web requests)
HEAD    ; allow HEAD requests
OPTIONS ; allow OPTIONS (Web Folders need this)
POST    ; allow POST (FPSE and HTML forms need this)
</pre>

    c. In the [DenyHeaders] section, use the following values only. Do not include other values.

<pre class="fixed_text">
[DenyHeaders]
If:         ; deny (used with WebDAV)
Lock-Token: ; deny (used with WebDAV)
</pre>

    d. In the [DenyExtensions] section, set the following values:

<pre class="fixed_text">
[DenyExtensions]
.asa     ; deny active server application definition files
.bat     ; deny batch files
.btr     ; deny FrontPage dependency files
.cer     ; deny x509 certificate files
.cdx     ; deny dynamic channel definition files
.cmd     ; deny batch files
.cnf     ; deny FrontPage metadata files
.com     ; deny server command-line applications
.dat     ; deny data files
.evt     ; deny Event Viewer logs
.exe     ; deny server command-line applications
.htr     ; deny IIS legacy HTML admin tool
.htw     ; deny Index Server hit-highlighting
.ida     ; deny Index Server legacy HTML admin tool
.idc     ; deny IIS legacy database query files
.inc     ; deny include files
.ini     ; deny configuration files
.ldb     ; deny Microsoft Access Record-Locking Information files
.log     ; deny log files
.pol     ; deny policy files
.printer ; deny Internet Printing Services
.sav     ; deny backup registry files
.shtm    ; deny IIS Server Side Includes
.shtml   ; deny IIS Server Side Includes
.stm     ; deny IIS Server Side Includes
.tmp     ; deny temporary files
</pre>

    e. In the [DenyUrlSequences] section, set the following values:

<pre class="fixed_text">
[DenyUrlSequences]
..        ; deny directory traversals
./        ; deny trailing dot on a directory name
\         ; deny backslashes in URL
:         ; deny alternate stream access
%         ; deny escaping after normalization
&         ; deny multiple CGI processes to run on a single request
/fpdb/    ; deny browse access to FrontPage database files
/_private ; deny FrontPage private files (often form results)
/_vti_pvt ; deny FrontPage Web configuration files
/_vti_cnf ; deny FrontPage metadata files
/_vti_txt ; deny FrontPage text catalogs and indices
/_vti_log ; deny FrontPage authoring log files
</pre>

    Because these settings do not use the [DenyVerbs] and [AllowExtensions] sections, no settings for these sections are included in this article. For additional information about these sections of the configuration file, click the following article number to view the article in the Microsoft Knowledge Base:

    307608 Using URLScan on IIS

 7. Save the file and quit Notepad.
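The following Python script is an added example, not part of the original article or of URLScan itself. It parses the text of a Urlscan.ini file and lists where it differs from the settings recommended in this section; the function names and the SAMPLE configuration are constructed for illustration, and of the deny lists only the FrontPage-specific entries are checked.

```python
# Added example: audit Urlscan.ini text against the values listed in this article.
EXPECTED_OPTIONS = {
    "useallowverbs": "1", "useallowextensions": "0", "normalizeurlbeforescan": "1",
    "verifynormalization": "1", "allowhighbitcharacters": "0", "allowdotinpath": "0",
    "enablelogging": "1", "allowlatescanning": "1",
}
EXPECTED_VERBS = {"GET", "HEAD", "OPTIONS", "POST"}
# FrontPage-specific deny entries from the article (its full lists are longer).
FP_SEQUENCES = {"/fpdb/", "/_private", "/_vti_pvt", "/_vti_cnf", "/_vti_txt", "/_vti_log"}
FP_EXTENSIONS = {".btr", ".cnf"}

def parse_urlscan_ini(text):
    """Return {lowercased section: [entries]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(text):
    """Return a sorted list of differences from the article's settings."""
    ini, findings, opts = parse_urlscan_ini(text), [], {}
    for entry in ini.get("options", []):
        key, _, value = entry.partition("=")
        opts[key.strip().lower()] = value.strip()
    for key, want in EXPECTED_OPTIONS.items():
        if opts.get(key) != want:
            findings.append(f"options: {key} is {opts.get(key)!r}, expected {want!r}")
    verbs = set(ini.get("allowverbs", []))  # verbs are compared case-sensitively
    findings += [f"allowverbs: unexpected {v}" for v in verbs - EXPECTED_VERBS]
    findings += [f"allowverbs: missing {v}" for v in EXPECTED_VERBS - verbs]
    seqs = {s.lower() for s in ini.get("denyurlsequences", [])}
    findings += [f"denyurlsequences: missing {s}" for s in FP_SEQUENCES - seqs]
    exts = {e.lower() for e in ini.get("denyextensions", [])}
    findings += [f"denyextensions: missing {e}" for e in FP_EXTENSIONS - exts]
    return sorted(findings)

# Constructed sample that has drifted from the article's configuration.
SAMPLE = "\n".join([
    "[options]", "UseAllowVerbs=1 ; use the [AllowVerbs] section", "UseAllowExtensions=0",
    "NormalizeUrlBeforeScan=1", "VerifyNormalization=1", "AllowHighBitCharacters=0",
    "AllowDotInPath=1", "EnableLogging=1", "AllowLateScanning=1",
    "[AllowVerbs]", "GET", "HEAD", "OPTIONS", "POST", "PROPFIND", "[DenyExtensions]", ".btr",
    "[DenyUrlSequences]", "/fpdb/", "/_private", "/_vti_cnf", "/_vti_txt", "/_vti_log",
])
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a copy of Urlscan.ini after each change to confirm that edits made while troubleshooting have not dropped a FrontPage deny entry or widened the verb list.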


Changing The URLScan Priority (Optional)
The default priority for the URLScan utility in IIS is high. A high priority may interfere with other Internet Server Application Programming Interface (ISAPI) filters that need to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although the information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, refer to the documentation for the ISAPI filter you are using.

NOTE: Before you can complete the following procedure, you need to correctly set the AllowLateScanning=1 setting in the Urlscan.ini file to load URLScan as a low priority filter. To do this, follow the procedure in the "Modifying the Default URLScan Configuration File" section earlier in this article.

 1. Start the Internet Services Manager. To do this, follow the steps appropriate to your version of IIS:
    * In IIS 4.0:
      a. On the Windows Start menu, point to Programs, and then click Windows NT 4.0 Option Pack.
      b. Click Microsoft Internet Information Server.
      c. Select Internet Service Manager.
    * In IIS 5.0:
      a. On the Windows Start menu, point to Programs, and then click Administrative Tools.
      b. Select Internet Services Manager.
    * In IIS 5.1:
      a. On the Windows Start menu, click Control Panel.
      b. Double-click Administrative Tools.
      c. Double-click Internet Information Services.
 2. Right-click your server name, and then click Properties.
 3. Select the WWW Service master properties option, and then click the Edit button.
 4. Click the ISAPI Filters tab.
 5. Click UrlScan, and then click the Down button to move UrlScan below Fpexedll.dll.
 6. Click OK.
 7. Click OK again.


Restarting IIS to Update URLScan
When IIS starts, URLScan is loaded into memory and reads the settings in the Urlscan.ini file. Therefore, you need to restart IIS so that the new configuration settings take effect. To do this, follow the steps appropriate to your version of IIS:

 * In IIS 4.0:
   a. At a command prompt, type the following command:

      NET STOP "IIS Admin Service" /Y

   b. If you see several dependent services listed as they are stopped, write down the names so that you can restart these services later.
   c. When you see the following message

      The IIS Admin Service service was stopped successfully.

      restart each IIS service by name. To do this, type the following commands at the command prompt, pressing ENTER after each line:

      NET START "World Wide Web Publishing Service"
      NET START "Simple Mail Transport Protocol (SMTP)"
      NET START "FTP Publishing Service"

   d. Quit the command prompt.
 * In IIS 5.0:
   a. Right-click My Computer, and then click Restart IIS.
   b. Click Restart Internet Services on .
   c. Click OK.
 * In IIS 5.1:
   a. Right-click My Computer, point to All Tasks, and then click Restart IIS.
   b. Click Restart Internet Services on .
   c. Click OK.

For additional information about restarting IIS services, click the article numbers below to view the articles in the Microsoft Knowledge Base:

185382 How to Manually Stop or Start the Inetinfo Process

236166 Using NET STOP and NET START Commands to Force IIS Services to Re-Read the Registry

202013 Internet Information Services 5.0 Command-Line Syntax for Iisreset.exe


TROUBLESHOOTING

 * The settings listed in the "Modifying the Default URLScan Configuration" section earlier in this article specify the EnableLogging=1 setting in the [Options] section of the Urlscan.ini file. This allows URLScan to keep a running log of all URLScan activity. This log file is saved in the same folder as the Urlscan.dll file. If you encounter any difficulties with FrontPage or other IIS functionality while URLScan is enabled, review the most recent entries in the log file for information about what requests are being rejected.
 * If you make further changes to the Urlscan.ini file, create copies of the existing Urlscan.ini file naming the files Urlscan.001, Urlscan.002, and so on, so that you have a history of the changes you have made. This helps prevent losing a good configuration when attempting to implement a new security configuration.
 * If changes you make to URLScan do not seem to take effect, repeat the procedure to restart the IIS services. If the changes still do not take effect, reboot your Web server.


<div class="references_section">