I am having some problems getting URLScan 2.5 running
properly on IIS6. I can't get the default doc to display
unless it is written out in the URL. If I remove URLScan
from the server it is okay. The URLScan log looks like
it is seeing a . in the URL and rejecting the request;
there is obviously no period in the URL.

Help please

Mike


http://ricweb3/default.asp output: Boo

http://ricweb3/ output: The system cannot find the file
specified.

code in default.asp
<%
response.write "Boo"
%>

----------------------------------------------------
From urlscanlog:
[06-04-2004 - 09:08:20] Client at xxx.xxx.xxx.xxx: URL contains extension '.', which is not specifically allowed. Request will be rejected. Site Instance='599050834', Raw URL='/'



------------------------------------------------
urlscan.ini settings
UseAllowExtensions=1

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.htm
.html
.txt
.jpg
.jpeg
.gif
.asp
------------------------------------------

URLSCAN on IIS6 config by Mike

Mike
Fri Jun 04 09:25:22 CDT 2004

Looks like I need a "." in the allow extensions settings
for the default document to run.

Mike



Re: URLSCAN on IIS6 config by David

David
Sat Jun 05 07:10:36 CDT 2004

URLScan isn't rejecting it based on "."; it's rejecting the URL because you
required all URLs to have extensions (access to / is not counted as an
extension due to how URLScan interacts with IIS).

I suggest you reconsider the use of the "AllowExtensions" feature of URLScan
on IIS6 because it is not as good as the built-in support of IIS6.

See this URL for a comparison.
http://www.microsoft.com/technet/security/tools/urlscan.mspx

On IIS6, Web Service Extensions allow you control of which binaries can
execute (and also the extensions that they are scriptmapped to). MIME Type
Restriction allows you control of which static files can be downloaded.

In other words, it is impossible to do the following things with URLScan,
but it is easy with IIS6's built-in support:
1. Allow only foo.exe to run but not bar.exe or any other EXE
2. Allow the default document (whatever its extension) to execute but not
allow an extension-less URL to be executed or downloaded
3. Allow URLs with dots in them to be browsable, yet still block particular
URLs with dots in them.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
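
Added example (not part of the original posts and not URLScan's own code): a small Python triage script for rejection records in the log format quoted in the first post. It separates extension-less requests, which that log reports as extension '.', from rejections of a real extension. The helper names, the 192.0.2.x clients and every record after the first are constructed for illustration.

```python
import re
from collections import Counter

# Rejection record in the format quoted in the first post (one record per line).
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): URL contains extension "
    r"'(?P<ext>[^']*)', which is not specifically allowed\. Request will be "
    r"rejected\. Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>[^']*)'$"
)

def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def names_a_file(raw_url):
    """True if the last path segment (query string dropped) contains a dot."""
    path = raw_url.split("?", 1)[0]
    return "." in path.rsplit("/", 1)[-1]

def triage(lines):
    """Split rejections into extension-less URLs (logged as '.') and real extensions."""
    extensionless, by_ext = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # some other kind of log line
        if rec["ext"] == "." and not names_a_file(rec["url"]):
            extensionless.append(rec["url"])
        else:
            by_ext[rec["ext"]] += 1
    return extensionless, by_ext

def _record(ts, client, ext, url, site):
    return (f"[{ts}] Client at {client}: URL contains extension '{ext}', which "
            f"is not specifically allowed. Request will be rejected. "
            f"Site Instance='{site}', Raw URL='{url}'")

# First record is the one from the thread; the others are constructed samples.
SAMPLE_LOG = [
    _record("06-04-2004 - 09:08:20", "xxx.xxx.xxx.xxx", ".", "/", "599050834"),
    _record("06-04-2004 - 09:09:02", "192.0.2.10", ".pdf", "/docs/manual.pdf", "1"),
    _record("06-04-2004 - 09:09:40", "192.0.2.11", ".", "/reports/", "1"),
    _record("06-04-2004 - 09:10:15", "192.0.2.10", ".pdf", "/docs/guide.pdf?v=2", "1"),
    "[06-04-2004 - 09:11:00] some unrelated line",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A long list of extension-less URLs in the output points to default-document or directory requests being caught by the allow-list rather than to requests for a disallowed file type.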