DOC: URLScan AllowDotInPath Documentation Contains an Error (311116)


The information in this article applies to:

  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
This article was previously published under Q311116
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

The "URLScan" section of the IIS Lockdown Tool 2.0 documentation contains an explanation of the AllowDotInPath setting that is incorrect.

The AllowDotInPath documentation contains the following text, which is incorrect:

AllowDotInPath: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan rejects any requests containing multiple instances of the dot (.) character. If set to 0, UrlScan does not perform this test.

The documentation should read:

AllowDotInPath: Allowed values are 0 or 1. Default is 0. If set to 0, UrlScan rejects any requests containing multiple instances of the dot (.) character. If set to 1, UrlScan does not perform this test.

MORE INFORMATION

Version 1.0 of the URLScan ISAPI filter contains a problem that causes FrontPage Server Extension requests to be rejected. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

307976 FP: Error When Using FrontPage With URLScan

Note that the resolution contained in this Knowledge Base article only applies to version 1.0 of the URLScan ISAPI filter and is not required in the latest version.
Modification Type:MinorLast Reviewed:6/22/2005
Keywords:kbbug kbdocerr kbpending KB311116
©2004 Microsoft Corporation. All rights reserved.