How do I config URLSCAN to deny HTTP TRACE

TheMSsForum.com: The Microsoft Software Forum

Did a security audit on my Outlook Web Access server today and one of the
high risk vulnerabilities found claimed I should use URLSCAN to deny HTTP
TRACE requests. How do I do this? I've downloaded urltrace but I can't make
head nor tail of it - seems to be an .ini file needs editing, but what do i
put in??

Thanks in advance,

Paul.
Top

Re: How do I config URLSCAN to deny HTTP TRACE by Chris

Chris
Tue Jan 27 18:51:45 CST 2004

This article should be plenty for your understanding:

http://www.securityfocus.com/infocus/1755

Basically, you have to edit the [AllowVerbs] section of the .ini file to
only allow verbs your apps need - probably only GET, POST, and HEAD, unless
their fancy shcmancy.

Chris Weber


"Paul Kavanagh" <pkavanagh@ntlworld.com> wrote in message
news:e42ECxS5DHA.2740@TK2MSFTNGP09.phx.gbl...
> Did a security audit on my Outlook Web Access server today and one of the
> high risk vulnerabilities found claimed I should use URLSCAN to deny HTTP
> TRACE requests. How do I do this? I've downloaded urltrace but I can't
make
> head nor tail of it - seems to be an .ini file needs editing, but what do
i
> put in??
>
> Thanks in advance,
>
> Paul.
>
>


Top

Re: How do I config URLSCAN to deny HTTP TRACE by Paul

Paul
Tue Jan 27 19:51:29 CST 2004

luvvly jubbly, I'll give it a whirl and see how things pan out

thanks Chris

Paul.





"Chris Weber" <chris@dev.nul> wrote in message
news:%23EAr4jT5DHA.1664@TK2MSFTNGP11.phx.gbl...
> This article should be plenty for your understanding:
>
> http://www.securityfocus.com/infocus/1755
>
> Basically, you have to edit the [AllowVerbs] section of the .ini file to
> only allow verbs your apps need - probably only GET, POST, and HEAD,
unless
> their fancy shcmancy.
>
> Chris Weber
>
>
> "Paul Kavanagh" <pkavanagh@ntlworld.com> wrote in message
> news:e42ECxS5DHA.2740@TK2MSFTNGP09.phx.gbl...
> > Did a security audit on my Outlook Web Access server today and one of
the
> > high risk vulnerabilities found claimed I should use URLSCAN to deny
HTTP
> > TRACE requests. How do I do this? I've downloaded urltrace but I can't
> make
> > head nor tail of it - seems to be an .ini file needs editing, but what
do
> i
> > put in??
> >
> > Thanks in advance,
> >
> > Paul.
> >
> >
>
>


Top