MORE INFORMATION

Use this step-by-step guide to install and configure the URLScan tool for Microsoft Internet Information Services (IIS). You can download URLScan from the Web site by using the steps in this article. URLScan is designed to help your Web server be more secure.

Step 1: Download and install the IIS Lockdown Tool

URLScan is now part of the IIS Lockdown Tool. For more information about how to install the IIS Lockdown Tool, click the following article number to view the article in the Microsoft Knowledge Base:

Step 2: Modify the default URLScan configuration file

The default configuration for URLScan may interfere with Expression Web functionality. To enable Expression Web to work correctly and still deny access to sensitive Expression Web files, you must make the changes that this section describes.

To modify the default URLScan configuration file, follow these steps.

Note The following steps are an example of the changes that you must make. For more information about settings for the URLScan tool, see the "References" section.

1. Right-click the Start menu, click Explore, and then locate the following folder:

   %windir% \system32\inetsrv\urlscan

   Note %windir% is the Microsoft Windows folder, such as C:\Windows or C:\Winnt.
2. Right-click the Urlscan.ini file, and then click Copy.
3. Right-click the folder, and then click Paste. A copy of the file is created and is named "Copy of Urlscan.ini."
4. Double-click the Urlscan.ini file. The file opens in Notepad.
5. Make the following changes:

   1. In the [options] section, set the following values:

      [options] 
      UseAllowVerbs=1          ; use the [AllowVerbs] section 
      UseAllowExtensions=0     ; use the [DenyExtensions] section 
      NormalizeUrlBeforeScan=1 ; canonicalize URL before processing 
      VerifyNormalization=1    ; canonicalize URL twice, reject on change 
      AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters 
      AllowDotInPath=0         ; deny dots in path 
      EnableLogging=1          ; log activity 
      PerDayLogging=1          ; change log files daily 
      PerProcessLogging=0      ; do not change log files by process ID 
      RemoveServerHeader=0     ; do not remove"Server" header 
      AlternateServerName= 
      UseFastPathReject=0      ; use RejectResponseUrl or log the request 
      RejectResponseUrl= 
      AllowLateScanning=1      ; allow URLScan to be loaded low priority

   2. In the [AllowVerbs] section, use the following values only. Do not include other values.

      [AllowVerbs] 
      GET ; allow GET (most Web requests) 
      HEAD ; allow HEAD requests 
      OPTIONS ; allow OPTIONS (Web Folders need this) 
      POST ; allow POST (FPSE and HTML forms need this)

   3. In the [DenyHeaders] section, use the following values only. Do not include other values.

      [DenyHeaders] 
      If:         ; deny (used with WebDAV) 
      Lock-Token: ; deny (used with WebDAV)

   4. In the [DenyExtensions] section, set the following values:

      [DenyExtensions]
       .asa     ; deny active server application definition files
       .bat     ; deny batch files
       .btr     ; deny Expression Web  dependency files
       .cer     ; deny x509 certificate files
       .cdx     ; deny dynamic channel definition files
       .cmd     ; deny batch files
       .cnf     ; deny Expression Web  metadata files
       .com     ; deny server command-line applications
       .dat     ; deny data files
       .evt     ; deny Event Viewer logs
       .exe     ; deny server command-line applications
       .htr     ; deny IIS legacy HTML admin tool
       .htw     ; deny Index Server hit-highlighting
       .ida     ; deny Index Server legacy HTML admin tool
       .idc     ; deny IIS legacy database query files
       .inc     ; deny include files
       .ini     ; deny configuration files
       .ldb     ; deny Microsoft Access Record-Locking Information files
       .log     ; deny log files
       .pol     ; deny policy files
       .printer ; deny Internet Printing Services
       .sav     ; deny backup registry files
       .shtm    ; deny IIS Server Side Includes
       .shtml   ; deny IIS Server Side Includes
       .stm     ; deny IIS Server Side Includes
       .tmp     ; deny temporary files

   5. In the [DenyUrlSequences] section, set the following values:

      [DenyUrlSequences]
       ..        ; deny directory traversals
       ./        ; deny trailing dot on a directory name
       \         ; deny backslashes in URL
       :         ; deny alternate stream access
       %         ; deny escaping after normalization
       &         ; deny multiple CGI processes to run on a single request
       /fpdb/    ; deny browse access to Expression Web  database files
       /_private ; deny Expression Web  private files (often form results)
       /_vti_pvt ; deny Expression Web  Web configuration files
       /_vti_cnf ; deny Expression Web  metadata files
       /_vti_txt ; deny Expression Web  text catalogs and indices
       /_vti_log ; deny Expression Web  authoring log files

   Note Because these settings do not use the [DenyVerbs] and [AllowExtensions] sections, no settings for these sections are included in this article. For more information about these sections of the configuration file, click the following article number to view the article in the Microsoft Knowledge Base:

   307608 Using URLScan on IIS

6. Save the file, and then exit Notepad.

Step 3: Change the URLScan priority

Note This step is optional.

The default priority for the URLScan tool in IIS is "high." A high priority may interfere with other Internet Server API (ISAPI) filters that have to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter.

The information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter. However, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, see the documentation for the ISAPI filter that you are using.

Note Before you can follow these steps, you must configure the "AllowLateScanning=1" setting in the Urlscan.ini file to load URLScan as a low priority filter. To do this, follow the steps in the "Step 2: Modify the default URLScan configuration file" section.

To change the URLScan priority, follow these steps:

1. Start the Internet Services Manager. To do this, follow these steps, as appropriate for the version of IIS that you are running.

   Microsoft Internet Information Services (IIS) 5.1

   1. In Windows, click Start, and then click Control Panel.
   2. Double-click Administrative Tools.
   3. Double-click Internet Information Services.

   Microsoft Internet Information Services (IIS) 6.0

   1. In Windows, click Start, and then point to Administrative Tools.
   2. Click Internet Information Services (IIS) Manager.
2. Right-click the server name, and then click Properties.
3. Click WWW Service master properties, and then click Edit.
4. Click the ISAPI Filters tab.
5. Click UrlScan, and then click Down to move UrlScan below Fpexedll.dll.
6. Click OK two times.

Step 4: Restart IIS to update URLScan

When IIS starts, URLScan loads in memory and reads the settings in the Urlscan.ini file. Therefore, you must restart IIS for the new configuration settings to take effect. To do this, follow these steps.

1. Right-click My Computer, point to All Tasks, and then click Restart IIS.
2. Click Restart Internet Services on Your Computer.
3. Click OK.

For more information about how to restart IIS services, click the following article number to view the article in the Microsoft Knowledge Base:

Troubleshooting information

• The settings that are listed in the "Step 2: Modify the default URLScan configuration file" section specify the "EnableLogging=1" setting in the [Options] section of the Urlscan.ini file. This setting enables URLScan to keep a running log of all URLScan activity. This log file is saved in the same folder as the Urlscan.dll file.
  

If you experience any difficulties with Expression Web or with other IIS functionality as long as URLScan is enabled, review the most recent entries in the log file for information about which requests are being rejected.

• If you make additional changes to the Urlscan.ini file, create copies of the existing Urlscan.ini file. Name the copied files Urlscan.001, Urlscan.002, and so on. Do this so that you have a history of the changes that you have made.
  

This practice can help prevent you from losing a good configuration when you try to implement a new security configuration.

• If the changes that you make to URLScan do not seem to take effect, repeat the procedure that is described in the "Step 4: Restart IIS to update URLScan" section. If the changes still do not take effect, restart the Web server.