Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment (823175)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

SUMMARY

This article describes how to fine-tune the types of requests that Internet Information Services (IIS) 4.0 and later processes when you use the Urlscan 2.5 security tool on a Microsoft Exchange Server 2003 computer, and it describes known issues that may occur. The Urlscan tool restricts the types of requests that IIS processes. After you install Urlscan 2.5, you can change its configuration to fine-tune how IIS handles requests and to help enhance the security of your computer. Some of the changes that are described in this article depend on the Exchange 2003 computer's role. For example, if your Exchange 2003 computers are dedicated to providing only Microsoft Outlook Web Access (OWA), public folder administration, or Web folders, you can remove settings that are not required for those respective services.


MORE INFORMATION

During installation, the Urlscan tool assumes that multiple services are installed on a single Exchange Server 2003 computer. Therefore, to help enhance the security of the computer, you must edit the Urlscan.ini configuration file to remove any extraneous functionality. To customize the Urlscan.ini file for your particular Exchange 2003 computer role, you must remove verbs in the [AllowVerbs] section of the Urlscan.ini file. However, make sure that the recommended verbs for your computer's role are included to obtain appropriate functionality. If multiple Web-based features are required on a single computer, you must merge the appropriate [AllowVerbs] section requirements.

To edit the configuration file after you install the Urlscan tool, open the Urlscan.ini file. The Urlscan.ini file is located in the following folder on your Exchange Server 2003 computer:

WinDir\System32\Inetsrv\Urlscan

Note To download the Urlscan 2.5 tool, visit the following Microsoft Web site:

You can modify the Urlscan.ini file based on the Exchange 2003 computer's role by using the information from the Exchange Server 2003 Urlscan template that is included in this article. If you already modified a Urlscan.ini file for Exchange 2000, you can continue to use that file; change it as needed for your Exchange 2003 configuration.

Important After you modify the Urlscan.ini file, you must reset the IIS services. To do this, type IISRESET at a command prompt, and then press ENTER.


Exchange Server 2003 Urlscan template

; Exchange 2003 Urlscan configuration for OWA, Outlook Mobile Access, Exchange ActiveSync, 
; remote procedure call over Hypertext Transfer Protocol, and Web Folders.
; Version 1.1
[options]
; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with URLScan installed may need to modify the "VerifyNormalization=1" 
; option in this template to be "VerifyNormalization=0" if they encounter a "404" error when attempting to open messages or items that contain 
; the "+" symbol in the subject or name.  
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
RejectResponseUrl=
UseFastPathReject=1
;LoggingDirectory=
LogLongUrls=0

[AllowVerbs]
; These are the only verbs that are permitted.
GET
POST
PROPFIND
PROPPATCH
BPROPPATCH
MKCOL
DELETE
BDELETE
BCOPY
MOVE
SUBSCRIBE
BMOVE
POLL
SEARCH
HEAD
PUT
OPTIONS
RPC_OUT_DATA
RPC_IN_DATA
X-MS-ENUMATTS
LOCK
UNLOCK

[DenyVerbs]

[DenyHeaders]
;
; Request headers that are listed in this section cause Urlscan to
; reject any request where these request headers are present.
;
; List headers in the form
; Header-Name:
transfer-encoding:

[AllowExtensions]
;.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
; Deny executable files that might run on the server.
; DO NOT include .exe in this list if Exchange 2003 OWA is configured to use SMIME as that would disable OWA.
.exe
.bat
.cmd
.com

; Deny scripts that are used infrequently.
.htw     ; Maps to webhits.dll, part of Index Server.
.ida     ; Maps to idq.dll, part of Index Server.
.idq     ; Maps to idq.dll, part of Index Server.
.htr     ; Maps to ism.dll, a previous administrative tool.
.idc     ; Maps to httpodbc.dll, a previous database access tool.
.shtm    ; Maps to ssinc.dll for server-side includes.
.shtml   ; Maps to ssinc.dll for server-side includes.
.stm     ; Maps to ssinc.dll for server-side includes.
.printer ; Maps to msw3prt.dll for Internet printing services.

; Deny various static files.
.ini     ; Configuration files
.log     ; Log files
.pol     ; Policy files
.dat     ; Configuration files

; Deny extensions for Outlook Mobile Access.
.asax
.ascs
.config
.cs
.csproj
.licx
.pdb
.resx
.resources
.vb
.vbproj
.vsdisco
.webinfo
.xsd
.xsx
; .dll ; Cannot do this for RPC over HTTP or for Exchange ActiveSync.

[DenyUrlSequences]
..  ; Do not permit directory traversals.
./  ; Do not permit trailing dot on a directory name.
\   ; Do not permit backslashes in URL.
%   ; Do not permit escaping after normalization.
&   ; Do not permit multiple Common Gateway Interface processes to run on a single request.

[RequestLimits]
MaxAllowedContentLength=1073741824
MaxUrl=16384
MaxQueryString=4096


Fine-tune Exchange Server 2003

General settings

  • Deny Extensions. You can add the .dll extension to the [DenyExtensions] section if remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP) is not used on the computer.

Outlook Web Access

The following is a list of verbs that are required in the [AllowVerbs] section for Outlook Web Access (OWA), when you configure OWA as a Web-based feature on a front-end computer or a back-end computer:
  • GET
  • POST
  • SEARCH
  • POLL
  • PROPFIND
  • BMOVE
  • BCOPY
  • SUBSCRIBE
  • MOVE
  • PROPPATCH
  • BPROPPATCH
  • DELETE
  • BDELETE
  • MKCOL
  • COPY
  • OPTIONS
  • PUT

Outlook Mobile Access

The following is a list of verbs that are required in the [AllowVerbs] section for Outlook Mobile Access, when you configure Outlook Mobile Access as a Web-based feature on a front-end computer:
  • GET
  • POST
  • HEAD
The following is a list of verbs that are required in the [AllowVerbs] section for Outlook Mobile Access, when you configure Outlook Mobile Access as a Web-based feature on a back-end computer:
  • PROPFIND
  • PROPPATCH
  • DELETE
  • MOVE
  • SEARCH
  • HEAD
  • X-MS-ENUMATTS

Exchange Server ActiveSync

The following is a list of verbs that are required in the [AllowVerbs] section for Exchange Server ActiveSync when you configure Exchange ActiveSync as a Web-based feature on a front-end computer:
  • POST
  • OPTIONS
  • SUBSCRIBE
  • UNSUBSCRIBE
The following is a list of verbs that are required in the [AllowVerbs] section for Exchange Server ActiveSync when you configure ActiveSync as a Web-based feature on a back-end computer:
  • GET
  • POST
  • PROPFIND
  • PROPPATCH
  • MKCOL
  • DELETE
  • MOVE
  • BMOVE
  • SEARCH
  • PUT
  • OPTIONS
  • X-MS-ENUMATTS
  • SUBSCRIBE
  • UNSUBSCRIBE

Remote Procedure Call over Hypertext Transfer Protocol

The following is a list of verbs that are required in the [AllowVerbs] section for RPC over HTTP:
  • RPC_OUT_DATA
  • RPC_IN_DATA

Web folders

The following is a list of verbs that are required in the [AllowVerbs] section for Web folders:
  • GET
  • PROPFIND
  • MOVE
  • BCOPY
  • DELETE
  • BDELETE
  • MKCOL
  • OPTIONS
  • LOCK
  • UNLOCK
  • PUT
Add the following sequence to the [DenyUrlSequences] section:

[DenyUrlSequences]
:


Public folder management

The following is a list of verbs that are required in the [AllowVerbs] section for public folder management:
  • HEAD
  • PROPFIND
  • SEARCH
  • PROPPATCH
  • DELETE
  • MKCOL
  • MOVE
  • COPY
  • OPTIONS

Exchange Server 2003 Web-based feature request limits

The following table lists the request limits for each Web-based feature on an Exchange Server 2003 computer. You can customize the template to restrict request limits based on the computer's role. If multiple Web-based features are required on a single computer then you must use the highest request limits value.
[RequestLimits]           OWA            Outlook Mobile  Outlook Mobile  Exchange        Exchange        RPC over HTTP
                                         Access          Access          ActiveSync      ActiveSync
                                         Front-end       Back-end        Front-end       Back-end
MaxAllowedContentLength   10,485,760     10,485,760      10,485,760      65,536          65,536          1,073,741,824
MaxUrl                    16,384         16,384          16,384          1,024           1,024           16,384
MaxQueryString            4,096          4,096           4,096           4,096           4,096           4,096

Note The MaxAllowedContentLength for OWA computers and Outlook Mobile Access back-end computers is based on a default maximum message size of 10 megabytes. You can change this setting based on your existing messaging size requirements.
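When several Web-based features share one computer, the article asks you to merge the [AllowVerbs] requirements and to take the highest [RequestLimits] value. The following added example (not part of the article or of Urlscan) does that from the per-feature lists and table above; the role names used as dictionary keys are this example's own shorthand.

```python
# Added example (not from the KB article): build the [AllowVerbs] and
# [RequestLimits] sections for a computer that hosts several Web-based
# features.  Requirements are transcribed from the article's lists and table.
REQUIRED_VERBS = {
    "OWA": ["GET", "POST", "SEARCH", "POLL", "PROPFIND", "BMOVE", "BCOPY",
            "SUBSCRIBE", "MOVE", "PROPPATCH", "BPROPPATCH", "DELETE",
            "BDELETE", "MKCOL", "COPY", "OPTIONS", "PUT"],
    "OMA front-end": ["GET", "POST", "HEAD"],
    "OMA back-end": ["PROPFIND", "PROPPATCH", "DELETE", "MOVE", "SEARCH",
                     "HEAD", "X-MS-ENUMATTS"],
    "EAS front-end": ["POST", "OPTIONS", "SUBSCRIBE", "UNSUBSCRIBE"],
    "EAS back-end": ["GET", "POST", "PROPFIND", "PROPPATCH", "MKCOL", "DELETE",
                     "MOVE", "BMOVE", "SEARCH", "PUT", "OPTIONS",
                     "X-MS-ENUMATTS", "SUBSCRIBE", "UNSUBSCRIBE"],
    "RPC over HTTP": ["RPC_OUT_DATA", "RPC_IN_DATA"],
}

# (MaxAllowedContentLength, MaxUrl, MaxQueryString) per feature, from the table.
LIMIT_NAMES = ("MaxAllowedContentLength", "MaxUrl", "MaxQueryString")
REQUEST_LIMITS = {
    "OWA": (10_485_760, 16_384, 4_096),
    "OMA front-end": (10_485_760, 16_384, 4_096),
    "OMA back-end": (10_485_760, 16_384, 4_096),
    "EAS front-end": (65_536, 1_024, 4_096),
    "EAS back-end": (65_536, 1_024, 4_096),
    "RPC over HTTP": (1_073_741_824, 16_384, 4_096),
}


def merged_allow_verbs(roles):
    """Union of the verbs that every hosted feature needs, sorted for a stable file."""
    verbs = set()
    for role in roles:
        verbs.update(REQUIRED_VERBS[role])
    return sorted(verbs)


def merged_request_limits(roles):
    """For each limit, the highest value among the hosted features."""
    columns = zip(*(REQUEST_LIMITS[role] for role in roles))
    return dict(zip(LIMIT_NAMES, (max(col) for col in columns)))


def render_sections(roles):
    """Render both sections as they would appear in Urlscan.ini."""
    lines = ["[AllowVerbs]", *merged_allow_verbs(roles), "", "[RequestLimits]"]
    lines += [f"{k}={v}" for k, v in merged_request_limits(roles).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_sections(["OWA", "EAS front-end", "RPC over HTTP"]))
```

Compare the rendered [AllowVerbs] section with your current Urlscan.ini to spot verbs that a hosted feature needs but that the file does not list.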


Entourage X with the Microsoft Exchange Update or Entourage 2004

The following is a list of verbs that are required in the [AllowVerbs] section for Entourage X with the Microsoft Exchange Update or Entourage 2004:
  • GET
  • POST
  • SEARCH
  • PUT
  • POLL
  • PROPFIND
  • SUBSCRIBE
  • MOVE
  • PROPPATCH
  • DELETE
  • MKCOL
  • LOCK
  • UNLOCK


Known issues

The following sections describe known issues that you might experience and information about how to correct those issues. Each section refers to a component that may be affected and specifies the Urlscan.ini file section that you must modify.

Exchange ActiveSync

  • DenyExtensions. By default, Urlscan.ini removes the .com extension from any URL. If your primary SMTP address contains .com, the SMTP address fails. The stripped URL then causes IIS 404 errors on the mailbox server, and these 404 errors are reported back to the client as an internal server error (500). Exchange ActiveSync in Exchange Server 2003 Service Pack 2 (SP2) uses logon functionality similar to that of Microsoft Outlook Web Access.

    Exchange Server ActiveSync in Microsoft Exchange Server 2003 SP2 uses the user's full SMTP address instead of the mailbox alias when it builds the request to the /exchange virtual directory.


General settings

  • AllowDotInPath. Verify that the AllowDotInPath setting is set to 1 to make sure that OWA attachments can be accessed and that earlier-version browsers can use OWA. Earlier-version browsers include Microsoft Internet Explorer 5 for Macintosh and earlier, Microsoft Internet Explorer 4.x for Windows 95 and earlier, Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 98 and earlier, and Netscape Navigator.

    This issue also affects public folder management. Public folder management uses HTTP Distributed Authoring and Versioning (DAV) in a way that is similar to OWA. You must make this change to any servers that contain public folder stores. You do not have to make this change on computers that administer these folders unless public folder stores exist on those computers.

Outlook Web Access

  • File Extensions. By default, .htr files are not enabled. If this file type is not enabled, the OWA Change Password feature does not function when OWA is installed on a Windows 2000-based computer. If you run Exchange Server 2003 (or Exchange 2000) on a Windows 2000 Service Pack 4-based computer, you can enable the .htr extension. On Windows 2000 Service Pack 4 the .htr files are associated with Asp.dll instead of Ism.dll.

    Note If OWA is installed on a Windows Server 2003-based computer, OWA uses the IIS 6.0 Active Server Pages (ASP) change password program. Therefore, OWA is not affected by .htr files that are not enabled.

    For more information about how to hide the Change Password option in OWA, click the following article number to view the article in the Microsoft Knowledge Base:

    297121 Implementing the Change Password feature with Outlook Web Access

  • DenyUrlSequences. In the [DenyUrlSequences] section, sequences that are explicitly blocked can potentially affect access to OWA. Any mail item subject or mail folder name that contains any one of the following character sequences is denied access:
    • ..
    • ./
    • \
    • %
    • &
    For example, the following folder does not work because the Projects mailbox folder contains a trailing period. The trailing period causes the folder to be excluded because of the explicit deny for the ./ sequence:

    /Server/Exchange/My Folders/Projects./Costings.eml

    The following folder also does not work, because the explicit deny of the .. sequence prevents directory traversals:

    /Server/Exchange/Inbox/My .. message.eml

    If you experience any additional issues when you try to make OWA requests with Urlscan enabled, check the Urlscan log files for the list of requests that are rejected. The following is the default location of the Urlscan log files:

    WinDir\System32\Inetsrv\Urlscan\logs

    By default, the [DenyUrlSequences] section denies escaping after normalization (the "%" entry, commented "Do not permit escaping after normalization."). However, this setting causes problems for OWA when a mail subject contains Cyrillic characters (or any other character that appears in the URL as a %-escaped sequence).
  • DenyHeaders. If clients connect to an Exchange server by using Outlook Web Access or Entourage, the Lock-Token header must not be listed in the [DenyHeaders] section of the Urlscan.ini file.

    If the Lock-Token header is set to deny, you may experience the following issues:
    • Hundreds or thousands of connections may be seen from each Entourage client.
    • Outlook Web Access may stop accepting connections.
    • Because of the amount of connections, virtual memory problems may start to occur.
    • The following message may be logged in URLSCAN.log: [06-24-2005 - 00:02:27] Client at XXX.XX.XXX.XX: URL contains disallowed header 'lock-token:' Request will be rejected. Site Instance='1', Raw URL='/exchange/test/Inbox/Costings.EML/XXXXXXXX
    For more information, visit the following Microsoft Web site:
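The rejections described in the Outlook Web Access section (denied URL sequences in item and folder names, a denied Lock-Token header, verbs missing from [AllowVerbs]) can be reproduced offline. The following added example is a simplified model written for this page, not Microsoft's Urlscan code: it reads a constructed Urlscan.ini fragment that uses the template's values, lists lock-token: in [DenyHeaders] only to reproduce the Entourage/OWA issue, and ignores extension checks and request limits.

```python
# Added example (not Microsoft's code): simplified model of the Urlscan 2.5
# checks discussed above: verb allow-list, denied headers, denied URL sequences.
from urllib.parse import unquote

# Constructed Urlscan.ini fragment using the article's template values;
# lock-token: is listed here only to reproduce the Entourage/OWA issue.
URLSCAN_INI = """
[options]
NormalizeUrlBeforeScan=1
[AllowVerbs]
GET
POST
[DenyHeaders]
transfer-encoding:
lock-token:
[DenyUrlSequences]
..  ; Do not permit directory traversals.
./  ; Do not permit trailing dot on a directory name.
\\   ; Do not permit backslashes in URL.
%   ; Do not permit escaping after normalization.
"""


def parse_ini(text):
    """Return {section: [entries]} with ';' comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_request(verb, url, headers=(), ini=URLSCAN_INI):
    """Return None if the request passes, else the reason Urlscan would reject it."""
    cfg = parse_ini(ini)
    if verb.upper() not in {v.upper() for v in cfg.get("AllowVerbs", [])}:
        return f"verb '{verb}' is not listed in [AllowVerbs]"
    denied = {h.lower().rstrip(":") for h in cfg.get("DenyHeaders", [])}
    for name in headers:
        if name.lower() in denied:
            return f"URL contains disallowed header '{name.lower()}:'"
    opts = dict(e.split("=", 1) for e in cfg.get("options", []) if "=" in e)
    # NormalizeUrlBeforeScan=1: decode once, so a surviving '%' means double-encoding.
    scanned = unquote(url) if opts.get("NormalizeUrlBeforeScan") == "1" else url
    for seq in cfg.get("DenyUrlSequences", []):
        if seq.lower() in scanned.lower():
            return f"URL contains sequence '{seq}'"
    return None
```

Run check_request against the item paths from your own Urlscan log to see which entry in the file is responsible before you relax it.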

Public folder management

  • DenyExtensions. You must remove .com in the [DenyExtensions] section of the Urlscan.ini list if your internal Domain Name System (DNS) is based on the .com naming convention.

REFERENCES

For more information about known issues and fine tuning when you use the IIS Lockdown Wizard in an Exchange 2000 environment, click the following article number to view the article in the Microsoft Knowledge Base:

309677 Known issues and fine tuning when you use the IIS Lockdown Wizard in an Exchange 2000 Server environment




Modification Type: Major    Last Reviewed: 9/6/2006
Keywords:kbinfo KB823175 kbAudITPRO