How to use URLScan with FrontPage 2002 (318290)
The information in this article applies to:
- FrontPage 2002 Server Extensions from Microsoft
- SharePoint Team Services from Microsoft
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services version 5.1
This article was previously published under Q318290
For a Microsoft FrontPage 2000 version of this article, see 309394.
For a Microsoft FrontPage 2003 version of this article, see 825538.
SUMMARY
Use this step-by-step guide to install and configure the URLScan utility for Microsoft Internet Information Services (IIS). You can download URLScan from the Microsoft Web site by using the steps in this article. After you install URLScan, your Web server will be more secure.
Downloading And Installing URLScan
To install new software and be able to stop or restart Web services, you need to be logged on to your Web server. Therefore, to install the URLScan utility, log on to your Web server as an administrator, and then follow these steps:
- Download the URLScan utility. To do this, visit the
following Microsoft Web site:
- Click Download Now.
- Click Save this program to disk, and then
click OK.
- Choose your Desktop as the location to save the file, and
then click Save.
- Quit your browser.
- Double-click the Urlscan.exe file.
- Read the End-user License Agreement (EULA). If you accept
the terms of the EULA, click Yes.
- If you are prompted to restart IIS, click Yes.
- If you receive a message telling you that installation is
completed, click OK.
Modifying the Default URLScan Configuration File
Because the default configuration for URLScan may interfere with FrontPage functionality, you need to make changes that allow FrontPage to work correctly and yet deny access to sensitive FrontPage files. These steps are only a suggestion. For additional information about settings for URLScan, see the "References" section later in this article.
- Right-click the Start menu, and then click Explore. Locate the following folder:
%windir%\system32\inetsrv\urlscan
where %windir% is your Windows folder (for example, C:\Windows or C:\Winnt).
- Right-click the Urlscan.ini file, and then click Copy. Right-click in the folder, and then click Paste. A copy of the file named Copy of Urlscan.ini is created.
- Double-click the Urlscan.ini file. The file opens in Notepad.
- Make the following changes:
- In the [options] section, set the following values:
[options]
UseAllowVerbs=1 ; use the [AllowVerbs] section
UseAllowExtensions=0 ; use the [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
VerifyNormalization=1 ; canonicalize URL twice, reject on change
AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters
AllowDotInPath=0 ; deny dots in path
EnableLogging=1 ; log activity
PerDayLogging=1 ; change log files daily
PerProcessLogging=0 ; do not change log files by process ID
RemoveServerHeader=0 ; do not remove "Server" header
AlternateServerName=
UseFastPathReject=0 ; use RejectResponseUrl or log the request
RejectResponseUrl=
AllowLateScanning=1 ; allow URLScan to be loaded low priority
- In the [AllowVerbs] section, use the following values
only. Do not include other values.
[AllowVerbs]
GET ; allow GET (most Web requests)
HEAD ; allow HEAD requests
OPTIONS ; allow OPTIONS (Web Folders need this)
POST ; allow POST (FPSE and HTML forms need this)
- In the [DenyHeaders] section, use the following values
only. Do not include other values.
[DenyHeaders]
If: ; deny (used with WebDAV)
Lock-Token: ; deny (used with WebDAV)
- In the [DenyExtensions] section set the following
values:
[DenyExtensions]
.asa ; deny active server application definition files
.bat ; deny batch files
.btr ; deny FrontPage dependency files
.cer ; deny x509 certificate files
.cdx ; deny dynamic channel definition files
.cmd ; deny batch files
.cnf ; deny FrontPage metadata files
.com ; deny server command-line applications
.dat ; deny data files
.evt ; deny Event Viewer logs
.exe ; deny server command-line applications
.htr ; deny IIS legacy HTML admin tool
.htw ; deny Index Server hit-highlighting
.ida ; deny Index Server legacy HTML admin tool
.idc ; deny IIS legacy database query files
.inc ; deny include files
.ini ; deny configuration files
.ldb ; deny Microsoft Access Record-Locking Information files
.log ; deny log files
.pol ; deny policy files
.printer ; deny Internet Printing Services
.sav ; deny backup registry files
.shtm ; deny IIS Server Side Includes
.shtml ; deny IIS Server Side Includes
.stm ; deny IIS Server Side Includes
.tmp ; deny temporary files
- In the [DenyUrlSequences] section, set the following
values:
[DenyUrlSequences]
.. ; deny directory traversals
./ ; deny trailing dot on a directory name
\ ; deny backslashes in URL
: ; deny alternate stream access
% ; deny escaping after normalization
& ; deny multiple CGI processes to run on a single request
/fpdb/ ; deny browse access to FrontPage database files
/_private ; deny FrontPage private files (often form results)
/_vti_pvt ; deny FrontPage Web configuration files
/_vti_cnf ; deny FrontPage metadata files
/_vti_txt ; deny FrontPage text catalogs and indices
/_vti_log ; deny FrontPage authoring log files
- Because these settings do not use the [DenyVerbs] and
[AllowExtensions] sections, no settings for these sections are included in this
article.
For additional information about these sections of the configuration file,
click the following article number to view the article in the Microsoft
Knowledge Base:
- Save the file and quit Notepad.
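The following script is an added example, not part of the original article or of URLScan: it parses the text of an Urlscan.ini file and reports where it differs from the FrontPage 2002 settings listed above. The function names, the choice to check only the four [options] values that other steps in this article depend on, and the constructed SAMPLE input are assumptions of the example.

```python
# Added example (not from the article): audit Urlscan.ini against its settings.
# [options] values that other steps in the article depend on.
EXPECTED_OPTIONS = {"useallowverbs": "1", "useallowextensions": "0",
                    "enablelogging": "1", "allowlatescanning": "1"}
# Sections the article says must contain these values only.
EXACT_LISTS = {"allowverbs": {"GET", "HEAD", "OPTIONS", "POST"},
               "denyheaders": {"If:", "Lock-Token:"}}
# FrontPage paths the article adds to [DenyUrlSequences].
REQUIRED_SEQUENCES = {"/fpdb/", "/_private", "/_vti_pvt", "/_vti_cnf",
                      "/_vti_txt", "/_vti_log"}

def parse_urlscan_ini(text):
    """Return {section: [entries]}; text after ';' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(text):
    """Return findings; an empty list means the file matches the article."""
    ini, findings = parse_urlscan_ini(text), []
    opts = {k.strip().lower(): v.strip() for k, _, v in
            (e.partition("=") for e in ini.get("options", []))}
    for key, want in EXPECTED_OPTIONS.items():
        if opts.get(key) != want:
            findings.append(f"[options] {key}={opts.get(key)} (expected {want})")
    for name, want in EXACT_LISTS.items():
        have = set(ini.get(name, []))  # compared exactly as the article writes them
        findings += [f"[{name}] unexpected {e}" for e in sorted(have - want)]
        findings += [f"[{name}] missing {e}" for e in sorted(want - have)]
    have = set(ini.get("denyurlsequences", []))
    findings += [f"[denyurlsequences] missing {e}"
                 for e in sorted(REQUIRED_SEQUENCES - have)]
    return findings

# Constructed sample (one entry per line once joined): a drifted file that
# re-allows a WebDAV verb, sets AllowLateScanning=0 and omits /_vti_pvt.
SAMPLE = "\n".join(
    "[options] UseAllowVerbs=1 UseAllowExtensions=0 EnableLogging=1 "
    "AllowLateScanning=0 [AllowVerbs] GET HEAD OPTIONS POST PROPFIND "
    "[DenyHeaders] If: Lock-Token: [DenyUrlSequences] .. /fpdb/ /_private "
    "/_vti_cnf /_vti_txt /_vti_log".split())

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real file, pass its contents to audit(); an empty result means the checked options, the verb and header lists, and the FrontPage deny sequences match the article.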
Changing The URLScan Priority (Optional)
The default priority for the URLScan utility in IIS is high. A high priority may interfere with other Internet Server Application Programming Interface (ISAPI) filters that need to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although the information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, refer to the documentation for the ISAPI filter you are using.
NOTE: Before you can complete the following procedure, you need to correctly set the AllowLateScanning=1 setting in the Urlscan.ini file to load URLScan as a low priority filter. To do this, follow the procedure in the "Modifying the Default URLScan Configuration File" section earlier in this article.
- Start the Internet Services Manager. To do this, follow the
steps appropriate to your version of IIS:
- In IIS 4.0:
- On the Windows Start menu, point to Programs, and then click Windows NT 4.0 Option
Pack.
- Click Microsoft Internet Information Server.
- Select Internet Service Manager.
- In IIS 5.0:
- On the Windows Start menu, point to Programs, and then click Administrative Tools.
- Select Internet Services Manager.
- In IIS 5.1:
- On the Windows Start menu, click Control Panel.
- Double-click Administrative Tools.
- Double-click Internet Information Services.
- Right-click your server name, and then click Properties.
- Select the WWW Service master properties option, and then click the Edit button.
- Click the ISAPI Filters tab.
- Click UrlScan, and then click the Down button to move UrlScan below Fpexedll.dll.
- Click OK.
- Click OK again.
Restarting IIS to Update URLScan
When IIS starts, URLScan is loaded into memory and reads the settings in the Urlscan.ini file. Therefore, you need to restart IIS so that the new configuration settings take effect. To do this, follow the steps appropriate to your version of IIS:
- In IIS 4.0:
- At a command prompt, type the following command:
NET STOP "IIS Admin Service" /Y
- If you see several dependent services listed as they are stopped, write down the names so that you can restart these services later.
- When you see the following message
The IIS Admin Service service was stopped successfully.
restart each IIS service by name. To do this, type the following
commands at the command prompt, pressing ENTER after each line:
NET START "World Wide Web Publishing Service"
NET START "Simple Mail Transport Protocol (SMTP)"
NET START "FTP Publishing Service"
- Quit the command prompt.
- In IIS 5.0:
- Right-click My Computer, and then click Restart IIS.
- Click Restart Internet Services on
Your Computer.
- Click OK.
- In IIS 5.1:
- Right-click My Computer, point to All Tasks, and then click Restart IIS.
- Click Restart Internet Services on
Your Computer.
- Click OK.
For additional information about restarting IIS services, click the article numbers below to view the articles in the Microsoft Knowledge Base:
185382 How to Manually Stop or Start the Inetinfo Process
236166 Using NET STOP and NET START Commands to Force IIS Services to Re-Read the Registry
202013 Internet Information Services 5.0 Command-Line Syntax for Iisreset.exe
TROUBLESHOOTING
- The settings listed in the "Modifying the Default URLScan Configuration" section earlier in this article specify the EnableLogging=1 setting in the [Options] section of the Urlscan.ini file. This allows URLScan to keep a running log of all URLScan activity. This log file is saved in the same folder as the Urlscan.dll file. If you encounter any difficulties with FrontPage or other IIS functionality while URLScan is enabled, review the most recent entries in the log file for information about what requests are being rejected.
- If you make further changes to the Urlscan.ini file, create
copies of the existing Urlscan.ini file naming the files Urlscan.001,
Urlscan.002, and so on, so that you have a history of the changes you have
made. This helps prevent losing a good configuration when attempting to
implement a new security configuration.
- If changes you make to URLScan do not seem to take effect,
repeat the procedure to restart the IIS services. If the changes still do not
take effect, reboot your Web server.
REFERENCES
For additional information about installing and configuring the URLScan utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
307976 FP: Error Message When You Use FrontPage with URLScan
309508 IIS lockdown and URLscan configurations in an Exchange environment
Modification Type: Minor
Last Reviewed: 10/5/2004
Keywords: kbConfig kbsetup kbHOWTOmaster KB318290