Microsoft KB Archive/309394

From BetaArchive Wiki

Article ID: 309394

Article Last Modified on 2/21/2007



APPLIES TO

  • Microsoft FrontPage 2000 Server Extensions
  • Microsoft SharePoint Team Services
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1



This article was previously published under Q309394

For a Microsoft FrontPage 2002 version of this article, see 318290.

For a Microsoft FrontPage 2003 version of this article, see 825538.


IN THIS TASK

SUMMARY

TROUBLESHOOTING REFERENCES

SUMMARY

Use this step-by-step guide to install and configure the URLScan utility for Microsoft Internet Information Services (IIS). You can download URLScan from the Microsoft Web site by using the steps in this article. After you install URLScan, your Web server will be more secure.


Downloading and installing URLScan

To install new software and be able to stop or restart Web services, you must be logged on to your Web server. Therefore, to install the URLScan utility, log on to your Web server as an administrator. To obtain the URLScan utility, visit the following Microsoft Web site:


Modifying the default URLScan configuration file

Because the default configuration for URLScan may interfere with FrontPage functionality, you need to make changes that allow FrontPage to work correctly and yet deny access to sensitive FrontPage files. These steps are only a suggestion. For additional information about settings for URLScan, see the "References" section later in this article.

  1. Right-click Start, and then click Explore. Locate the following folder:

    %windir%\system32\inetsrv\urlscan

    where %windir% is your Windows folder (for example, C:\Windows or C:\Winnt).
  2. Right-click the Urlscan.ini file, and then click Copy. Right-click in the folder, and then click Paste. A copy of the file named Copy of Urlscan.ini is created.
  3. Double-click the Urlscan.ini file. The file opens in Notepad.
  4. Make the following changes:
    1. In the [options] section, set the following values:

      [options]
      UseAllowVerbs=1          ; use the [AllowVerbs] section
      UseAllowExtensions=0     ; use the [DenyExtensions] section
      NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
      VerifyNormalization=1    ; canonicalize URL twice, reject on change
      AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters 
      AllowDotInPath=0         ; deny dots in path
      EnableLogging=1          ; log activity
      PerDayLogging=1          ; change log files daily
      PerProcessLogging=0      ; do not change log files by process ID
      RemoveServerHeader=0     ; do not remove "Server" header
      AlternateServerName=
      UseFastPathReject=0      ; use RejectResponseUrl or log the request
      RejectResponseUrl=
      AllowLateScanning=1      ; allow URLScan to be loaded low priority
                              
    2. In the [AllowVerbs] section, use the following values only. Do not include other values.

      [AllowVerbs]
      GET     ; allow GET (most Web requests)
      HEAD    ; allow HEAD requests
      OPTIONS ; allow OPTIONS (Web Folders need this)
      POST    ; allow POST (FrontPage Server Extensions and HTML forms need this)
                              
    3. In the [DenyHeaders] section, use the following values only. Do not include other values.

      [DenyHeaders]
      If:         ; deny (used with WebDAV)
      Lock-Token: ; deny (used with WebDAV)
                              
    4. In the [DenyExtensions] section set the following values:

      [DenyExtensions]
      .asa     ; deny active server application definition files
      .bat     ; deny batch files
      .btr     ; deny FrontPage dependency files
      .cer     ; deny x509 certificate files
      .cdx     ; deny dynamic channel definition files
      .cmd     ; deny batch files
      .cnf     ; deny FrontPage metadata files
      .com     ; deny server command-line applications
      .dat     ; deny data files
      .evt     ; deny Event Viewer logs
      .exe     ; deny server command-line applications
      .htr     ; deny IIS legacy HTML admin tool
      .htw     ; deny Index Server hit-highlighting
      .ida     ; deny Index Server legacy HTML admin tool
      .idc     ; deny IIS legacy database query files
      .inc     ; deny include files
      .ini     ; deny configuration files
      .ldb     ; deny Microsoft Access Record-Locking Information files
      .log     ; deny log files
      .pol     ; deny policy files
      .printer ; deny Internet Printing Services
      .sav     ; deny backup registry files
      .shtm    ; deny IIS Server Side Includes
      .shtml   ; deny IIS Server Side Includes
      .stm     ; deny IIS Server Side Includes
      .tmp     ; deny temporary files
                              
    5. In the [DenyUrlSequences] section, set the following values:

      [DenyUrlSequences]
      ..         ; deny directory traversals
      ./         ; deny trailing dot on a directory name
      \          ; deny backslashes in URL
      :          ; deny alternate stream access
      %          ; deny escaping after normalization
      &          ; deny multiple CGI processes to run on a single request
      /fpdb/     ; deny browse access to FrontPage database files
      /_private  ; deny FrontPage private files (often form results)
      /_vti_pvt  ; deny FrontPage Web configuration files
      /_vti_cnf  ; deny FrontPage metadata files
      /_vti_txt  ; deny FrontPage text catalogs and indices
      /_vti_log  ; deny FrontPage authoring log files
                              
    6. Because these settings do not use the [DenyVerbs] and [AllowExtensions] sections, no settings for these sections are included in this article. For more information about these sections of the configuration file, click the following article number to view the article in the Microsoft Knowledge Base:

      307608 Using URLScan on IIS

  5. Save the file and quit Notepad.
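To make the effect of these settings concrete, the following Python script models the request checks that the [options], [AllowVerbs], [DenyHeaders], [DenyExtensions] and [DenyUrlSequences] values above turn on, and runs a set of constructed sample requests through them. It is an added illustration for this article, not Microsoft's URLScan code: the real filter's check order and exact matching rules may differ, and the points marked "assumption" (one %-decoding pass per normalization, path-only matching, case-insensitive sequence matching, the meaning of AllowDotInPath) are my reading of the comments in the configuration file. The rule lists are copied from the article; the sample URLs, headers and reason strings are constructed.

```python
"""Simplified model of the request checks that the Urlscan.ini settings in
this article turn on.  Added illustration, not Microsoft's URLScan code; the
places marked "assumption" are a reading of the settings' comments."""
import posixpath
from urllib.parse import unquote

# [options] values from the article that affect request filtering.
OPTIONS = {
    "UseAllowVerbs": 1,           # only verbs in ALLOW_VERBS pass
    "UseAllowExtensions": 0,      # use the deny list, not an allow list
    "NormalizeUrlBeforeScan": 1,  # decode escapes before matching
    "VerifyNormalization": 1,     # reject if a second decode changes the URL
    "AllowHighBitCharacters": 0,  # reject non-ASCII characters
    "AllowDotInPath": 0,          # reject a dot in a directory name (assumption)
}
ALLOW_VERBS = {"GET", "HEAD", "OPTIONS", "POST"}
DENY_HEADERS = {"if", "lock-token"}  # compared case-insensitively
DENY_EXTENSIONS = {
    ".asa", ".bat", ".btr", ".cer", ".cdx", ".cmd", ".cnf", ".com", ".dat",
    ".evt", ".exe", ".htr", ".htw", ".ida", ".idc", ".inc", ".ini", ".ldb",
    ".log", ".pol", ".printer", ".sav", ".shtm", ".shtml", ".stm", ".tmp",
}
DENY_URL_SEQUENCES = [
    "..", "./", "\\", ":", "%", "&",
    "/fpdb/", "/_private", "/_vti_pvt", "/_vti_cnf", "/_vti_txt", "/_vti_log",
]


def normalize(url):
    """One %-decoding pass (assumption: this is what NormalizeUrlBeforeScan does)."""
    return unquote(url)


def check_request(method, url, headers=None):
    """Return (allowed, reason); reason is None when the request passes."""
    headers = headers or {}
    if OPTIONS["UseAllowVerbs"] and method.upper() not in ALLOW_VERBS:
        return False, "verb %r is not in [AllowVerbs]" % method
    for name in headers:
        if name.lower() in DENY_HEADERS:
            return False, "header %r is in [DenyHeaders]" % name
    scanned = url
    if OPTIONS["NormalizeUrlBeforeScan"]:
        scanned = normalize(url)
        # VerifyNormalization: decoding again must be a no-op, so a
        # double-encoded URL (%2541 -> %41 -> A) is rejected here.
        if OPTIONS["VerifyNormalization"] and normalize(scanned) != scanned:
            return False, "URL changed on second normalization pass"
    if not OPTIONS["AllowHighBitCharacters"] and any(ord(c) > 127 for c in scanned):
        return False, "URL contains high-bit characters"
    # Assumption: sequences, dots and extensions are matched against the
    # path only (not the query string) and case-insensitively.
    path = scanned.split("?", 1)[0]
    lowered = path.lower()
    for seq in DENY_URL_SEQUENCES:
        if seq.lower() in lowered:
            return False, "URL contains denied sequence %r" % seq
    directory, filename = posixpath.split(path)
    if not OPTIONS["AllowDotInPath"] and "." in directory:
        return False, "dot in the directory part of the path"
    ext = posixpath.splitext(filename)[1].lower()
    if not OPTIONS["UseAllowExtensions"] and ext in DENY_EXTENSIONS:
        return False, "extension %r is in [DenyExtensions]" % ext
    return True, None


# Constructed sample requests: (method, URL, headers).
SAMPLES = [
    ("GET", "/index.htm", {}),
    ("OPTIONS", "/", {}),
    ("GET", "/search.htm?q=a&b=c", {}),
    ("PROPFIND", "/docs/", {}),
    ("GET", "/index.htm", {"Lock-Token": "<opaquelocktoken:x>"}),
    ("GET", "/docs/%2541.htm", {}),
    ("GET", "/docs/../index.htm", {}),
    ("GET", "/caf\u00e9.htm", {}),
    ("GET", "/_vti_pvt/service.cnf", {}),
    ("GET", "/data/archive.v2/readme.htm", {}),
    ("GET", "/cgi-bin/report.exe", {}),
]


def run_samples():
    """Evaluate every sample; returns a list of (method, url, reason-or-None)."""
    return [(m, url, check_request(m, url, h)[1]) for m, url, h in SAMPLES]


if __name__ == "__main__":
    for method, url, reason in run_samples():
        print("%-8s %-32s %s" % (method, url, reason or "allowed"))
```

Running the script prints one line per sample with the first rule that rejects it. The double-encoded request and the traversal request are stopped by different checks (VerifyNormalization and the ".." sequence respectively), which is why the article enables both; the query-string sample passes only because of the path-only matching assumption, so confirm that behaviour against your own log if you rely on it.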


Changing the URLScan priority (optional)

The default priority for the URLScan utility in IIS is high. A high priority may interfere with other Internet Server Application Programming Interface (ISAPI) filters that need to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although the information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, refer to the documentation for the ISAPI filter you are using.

Note Before you can complete the following procedure, you need to correctly set the AllowLateScanning=1 setting in the Urlscan.ini file to load URLScan as a low priority filter. To do this, follow the procedure in the "Modifying the default URLScan configuration file" section earlier in this article.

  1. Start the Internet Services Manager. To do this, follow the steps appropriate to your version of IIS:
    • In IIS 4.0:
      1. On the Windows Start menu, point to Programs, and then click Windows NT 4.0 Option Pack.
      2. Click Microsoft Internet Information Server.
      3. Select Internet Service Manager.
    • In IIS 5.0:
      1. On the Windows Start menu, point to Programs, and then click Administrative Tools.
      2. Select Internet Services Manager.
    • In IIS 5.1:
      1. On the Windows Start menu, click Control Panel.
      2. Double-click Administrative Tools.
      3. Double-click Internet Information Services.
  2. Right-click My Computer, and then click Properties.
  3. Select the WWW Service master properties option, and then click the Edit button.
  4. Click the ISAPI Filters tab.
  5. Click UrlScan, and then click the Down button to move UrlScan below Fpexedll.dll.
  6. Click OK.
  7. Click OK again.


Restarting IIS to update URLScan

When IIS starts, URLScan is loaded into memory and reads the settings in the Urlscan.ini file. Therefore, you need to restart IIS so that the new configuration settings take effect. To do this, follow the steps appropriate to your version of IIS:

  • In IIS 4.0:
    1. At a command prompt, type the following command:

      NET STOP "IIS Admin Service" /Y

    2. If you see several dependent services listed as they are stopped, write down the names so that you can restart these services later.
    3. When you see the following message

      The IIS Admin Service service was stopped successfully.

      restart each IIS service by name. To do this, type the following commands at the command prompt, pressing ENTER after each line:

      NET START "World Wide Web Publishing Service"
      NET START "Simple Mail Transport Protocol (SMTP)"
      NET START "FTP Publishing Service"
      NET START "IIS Host Helper Service"

    4. Quit the command prompt.
  • In IIS 5.0:
    1. Right-click your server name, and then click Restart IIS.
    2. Click Restart Internet Services on Your Computer.
    3. Click OK.
  • In IIS 5.1:
    1. Right-click My Computer, point to All Tasks, and then click Restart IIS.
    2. Click Restart Internet Services on Your Computer.
    3. Click OK.

For more information about restarting IIS services, click the following article numbers to view the articles in the Microsoft Knowledge Base:

185382 How to manually stop or start the Inetinfo process

236166 Using NET STOP and NET START commands to force IIS Services to re-read the registry

202013 Internet Information Services 5.0 command-line syntax for Iisreset.exe



Troubleshooting

  • The settings listed in the "Modifying the default URLScan configuration file" section earlier in this article specify the EnableLogging=1 setting in the [Options] section of the Urlscan.ini file. This allows URLScan to keep a running log of all URLScan activity. This log file is saved in the same folder as the Urlscan.dll file. If you encounter any difficulties with FrontPage or other IIS functionality while URLScan is enabled, review the most recent entries in the log file for information about what requests are being rejected.
  • If you make further changes to the Urlscan.ini file, create copies of the existing Urlscan.ini file naming the files Urlscan.001, Urlscan.002, and so on, so that you have a history of the changes you have made. This helps prevent losing a good configuration when attempting to implement a new security configuration.
  • If changes you make to URLScan do not seem to take effect, repeat the procedure to restart the IIS services. If the changes still do not take effect, reboot your Web server.
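The first troubleshooting point above says to review the most recent log entries for the requests being rejected. The following Python script, added here as an illustration and not Microsoft's code, summarizes such a log by rejection rule, by client address and by the first path segment of the rejected URL, so that a rule that is blocking legitimate traffic stands out. The entry layout it parses ("[date - time] Client at IP: reason. Request will be rejected. Site Instance='n', Raw URL='...'") is an assumption about URLScan-style log lines, and the lines in SAMPLE_LOG are constructed; check the pattern against your own log before relying on it.

```python
"""Triage helper for URLScan rejection log entries.  Added illustration, not
Microsoft's code.  The line layout parsed by ENTRY is an assumption; the
SAMPLE_LOG text is constructed, not taken from a real server."""
import re
from collections import Counter

# Constructed sample log: five rejections and one malformed line.
SAMPLE_LOG = """\
[02-21-2007 - 09:12:01] Client at 10.0.0.5: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/cgi-bin/report.exe'
[02-21-2007 - 09:12:07] Client at 10.0.0.8: URL contains sequence '/_vti_pvt', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_pvt/service.cnf'
[02-21-2007 - 09:13:15] Client at 10.0.0.9: URL contains a dot in the path, which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/data/archive.v2/readme.htm'
[02-21-2007 - 09:14:40] Client at 10.0.0.8: Verb 'PROPFIND' is not allowed. Request will be rejected. Site Instance='1', Raw URL='/docs/'
[02-21-2007 - 09:15:02] Client at 10.0.0.5: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/cgi-bin/export.exe'
this line is deliberately malformed and must be skipped
"""

# Assumed entry layout (see the lead-in).
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>[^:]+): (?P<reason>.+?) "
    r"Request will be rejected\. Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>.*)'$"
)


def parse_entry(line):
    """Return the fields of one rejection entry, or None if the line does not match."""
    match = ENTRY.match(line.rstrip("\r\n"))
    return match.groupdict() if match else None


def rule_of(reason):
    """Collapse the quoted value in a reason so entries group by rule, not by value."""
    return re.sub(r"'[^']*'", "'*'", reason)


def area_of(url):
    """First path segment of the rejected URL, e.g. '/cgi-bin'."""
    return "/" + url.lstrip("/").split("/", 1)[0]


def summarize(log_text):
    """Count rejections by rule, client and site area; skip unparsable lines."""
    by_rule, by_client, by_area = Counter(), Counter(), Counter()
    total = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            skipped += 1
            continue
        total += 1
        by_rule[rule_of(entry["reason"])] += 1
        by_client[entry["ip"]] += 1
        by_area[area_of(entry["url"])] += 1
    return {"total": total, "skipped": skipped, "by_rule": by_rule,
            "by_client": by_client, "by_area": by_area}


def report(summary):
    """Render the summary as text, most frequent items first."""
    lines = ["%d rejections (%d unparsed lines)" % (summary["total"], summary["skipped"])]
    for title in ("by_rule", "by_client", "by_area"):
        lines.append(title.replace("_", " ") + ":")
        for key, count in summary[title].most_common():
            lines.append("  %4d  %s" % (count, key))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

To run it against a real log, replace SAMPLE_LOG with the contents of the log file from the Urlscan.dll folder (for example `summarize(open(path).read())`). A rule that appears at the top of the "by rule" list while FrontPage authoring fails is the first candidate to revisit in Urlscan.ini; rejections grouped under FrontPage's own folders (the /_vti_* areas listed in this article) are expected and confirm the deny rules are working.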



REFERENCES

For more information about installing and configuring the URLScan utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:

307608 Using URLScan on IIS

307976 You receive an error message when you use FrontPage with URLScan

309508 IIS lockdown and URLscan configurations in an Exchange environment




Additional query words: STS SPTS FPSE

Keywords: kbdownload kbsetup kbconfig kbwebserver kbwebservices kbhowtomaster KB309394