Hello there

I'm a security newbie and need your help, guys.

I need to enable on my website only the verbs that will be needed and
disable the usage of any other. Assuming I want to use only the GET
method, I need to prohibit POST and HEAD and all other methods.

Any idea, guys, how I can do so?

Re: Allowing only needed verbs by Scherbina

Scherbina
Thu Jul 13 05:00:38 CDT 2006

What web-server do you use?

--
Vladimir





Re: Allowing only needed verbs by S

S
Thu Jul 13 05:02:38 CDT 2006

Could do that with ISA Server... But I think that would be just redundant
hardening, provided the web server is properly locked down.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-





Re: Allowing only needed verbs by Developer

Developer
Thu Jul 13 05:10:51 CDT 2006

I'm using IIS 6.0
and Windows Server 2003.

Scherbina Vladimir wrote:
> What web-server do you use?
>
> --
> Vladimir


Re: Allowing only needed verbs by Developer

Developer
Thu Jul 13 05:37:21 CDT 2006

I found something in IIS Manager called Application Mapping; does this
help? Otherwise, I wonder what it is used for.
Thank you for all your effort.



Re: Allowing only needed verbs by karl

karl
Thu Jul 13 06:58:42 CDT 2006

Google gives you the answer:

http://www.google.com/search?q=windows%2Dserver%2D2003+http+verbs
http://www.serverwatch.com/tutorials/article.php/3104921
http://www.microsoft.com/technet/security/tools/urlscan.mspx#EXE
Configuring URLScan -
http://support.microsoft.com/?kbid=326444

Microsoft created the free URLScan tool which can block HTTP verbs by
editing either the [allowverbs] or the [denyverbs] section of the
urlscan.ini configuration file. Microsoft ported the functionality of
URLScan that they decided was important over to IIS 6. They decided in IIS
6 to give you the ability to disable WebDAV, and that that was roughly
equivalent. I'm not sure I agree with this logic. I think Microsoft tries
to think outside the box regarding what security countermeasures customers
really need [outbound-only firewall filtering, for example], and I think it
often creates more work for them and for customers down the line when
customers disagree.

If you feel you need to be able to granularly block HTTP verbs, then you
would need to download, install and configure URLScan. From fellow MVP Tom
Shinder:

http://www.isaserver.org/img/upl/alfkit/5urlscan/5urlscan.htm

"HTTP 1.1 verbs include GET, POST, PUT, HEAD, DELETE, and OPTIONS. WebDAV
verbs are an extension of HTTP 1.1 verbs. Some of these verbs are COPY,
LOCK, MOVE, PROPFIND, PROPPATCH, SEARCH, and others."

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info


<Developer.Man4@gmail.com> wrote in message
news:1152787041.405892.312230@75g2000cwc.googlegroups.com...
>i found something in IIS Manager called Application mapping, does this
> help?? else i wonder what is it used for??
> thank you for all ur effort
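As an added, runnable illustration of the [AllowVerbs]/[DenyVerbs] behaviour Karl describes (this is not code from the thread, nor Microsoft's URLScan itself): a small Python model that reads a constructed urlscan.ini fragment and decides which verbs get through. The section and option names ([Options] UseAllowVerbs, [AllowVerbs], [DenyVerbs], RejectResponseUrl) are the ones documented for URLScan 2.5; the two ini texts, the HTTP_AND_WEBDAV_VERBS list (taken from Tom Shinder's list in Karl's post plus a few common WebDAV verbs), the case-insensitive comparison and the 200/404 status codes are assumptions made for this demo.

```python
"""Model of URLScan 2.5 verb filtering driven by a urlscan.ini fragment.

Constructed example, not part of the newsgroup thread and not URLScan's
own code. It shows why an allow list (UseAllowVerbs=1) is the right tool
for "GET only", and how a deny list silently lets WebDAV verbs through.
"""
import configparser

# Constructed urlscan.ini for the poster's requirement: GET only.
# With UseAllowVerbs=1 only the [AllowVerbs] section matters; every other
# verb (POST, HEAD, OPTIONS, PROPFIND, ...) is rejected before IIS sees it.
GET_ONLY_INI = """
[Options]
UseAllowVerbs=1
RejectResponseUrl=/<Rejected-By-UrlScan>

[AllowVerbs]
GET

[DenyVerbs]
; ignored while UseAllowVerbs=1
"""

# Constructed weaker configuration: a deny list that forgets the WebDAV verbs.
DENY_LIST_INI = """
[Options]
UseAllowVerbs=0

[AllowVerbs]
GET
POST

[DenyVerbs]
PUT
DELETE
TRACE
"""

# Verbs to audit: HTTP/1.1 methods plus WebDAV extensions (assumed list).
HTTP_AND_WEBDAV_VERBS = [
    "GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "TRACE",
    "COPY", "LOCK", "UNLOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "SEARCH",
]


def parse_urlscan(ini_text: str) -> dict:
    """Extract the verb policy from a urlscan.ini text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep verbs as written; [AllowVerbs] entries have no '='
    cp.read_string(ini_text)
    use_allow = cp.get("Options", "UseAllowVerbs", fallback="1").strip() == "1"
    allow = {v.upper() for v in cp.options("AllowVerbs")} if cp.has_section("AllowVerbs") else set()
    deny = {v.upper() for v in cp.options("DenyVerbs")} if cp.has_section("DenyVerbs") else set()
    return {"use_allow": use_allow, "allow": allow, "deny": deny}


def verb_allowed(policy: dict, verb: str) -> bool:
    """Apply URLScan's rule: allow list when UseAllowVerbs=1, else deny list."""
    v = verb.upper()  # assumption: comparison is case-insensitive
    if policy["use_allow"]:
        return v in policy["allow"]
    return v not in policy["deny"]


def filter_request(policy: dict, request_line: str) -> int:
    """Return the status a client would see for a raw request line.

    200 stands for "passed through to IIS" (the real code depends on the
    handler); 404 is what URLScan returns for a rejected request by default.
    """
    verb, _, _rest = request_line.partition(" ")
    return 200 if verb_allowed(policy, verb) else 404


def audit(policy: dict, verbs=HTTP_AND_WEBDAV_VERBS) -> list:
    """List every audited verb the policy still lets through."""
    return sorted(v for v in verbs if verb_allowed(policy, v))


if __name__ == "__main__":
    for name, ini in (("GET only", GET_ONLY_INI), ("deny list", DENY_LIST_INI)):
        policy = parse_urlscan(ini)
        print(f"{name}: verbs still reachable -> {audit(policy)}")
        print("  POST /login.asp ->", filter_request(policy, "POST /login.asp HTTP/1.1"))
        print("  PROPFIND / ->", filter_request(policy, "PROPFIND / HTTP/1.1"))
```

Two practical notes on the poster's exact request. First, the deny-list configuration shows the trap Karl's post hints at: a list that names PUT and DELETE still leaves PROPFIND, MOVE, COPY and the rest of WebDAV reachable, so for "only GET" the allow list is the only safe form. Second, rejecting HEAD is unusual and worth a second look before deploying it: load-balancer health checks and some proxies and caches probe with HEAD, and a 404 from URLScan will look to them like a down server. If HEAD must stay, add it under [AllowVerbs] and leave everything else rejected.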



Re: Allowing only needed verbs by Roger

Roger
Thu Jul 13 10:16:34 CDT 2006

"karl levinson, mvp" <levinson_k@securityadmin.info> wrote in message
news:%23WsjvOnpGHA.4812@TK2MSFTNGP04.phx.gbl...

> . . . They decided in IIS 6 to give you the ability to disable WebDAV,
> and that that was roughly equivalent. I'm not sure I agree with this
> logic. I think Microsoft tries to think outside the box regarding what
> security countermeasures customers really need [outbound-only firewall
> filtering, for example], and I think it often creates more work for them
> and for customers down the line when customers disagree.
>

I tend to heartily agree with this assessment, as there is a very long
history of such things one could parade.

Roger