How To Configure URLScan to Allow Requests with a Null Extension in IIS (312376)



The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1

This article was previously published under Q312376
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article describes how to configure URLScan to allow null extension requests with Internet Information Services (IIS).

back to the top

Introduction

URLScan is an Internet Server Application Programming Interface (ISAPI) filter that screens and monitors HTTP requests for IIS. URLScan is used to reduce the exposure of IIS 4.0, IIS 5.0, and IIS 5.1 to potential Internet attacks.

URLScan protects a Web server from attacks by filtering and rejecting HTTP requests for selected IIS service applications. The default Urlscan.ini file is configured to accept only static HTML files, including graphic files, and to reject the following types of requests:
  • Common Gateway Interface (CGI) .exe pages
  • World Wide Web Distributed Authoring and Versioning (WebDAV)
  • FrontPage Server Extensions
  • Index Server
  • Internet printing
  • Server-side includes
If you have URLScan with version number 6.0.3574.0, you can configure URLScan to allow incoming URL requests with the null extension.

back to the top

Modify the Default URLScan Configuration File

To configure URLScan when it is installed on the IIS Web server, follow these steps:
  1. Download the IIS Lockdown tool from the following Microsoft Web site and then save it to a local directory:
  2. Unzip the IISlock.exe file and then unzip the Urlscan.exe file. The Urlscan folder is created.
  3. Paste the Urlscan folder in the %Windir%\System32\Inetsrv directory. Double-click the Urlscan folder under Inetsrv, and then open Urlscan.ini in Notepad.
  4. In the Urlscan.ini file, be sure to enable UseAllowExtensions, as follows:
    [Option]
    UseAllowExtensions=1; if 1, use [AllowExtensions] section, else
    					
  5. Urlscan allows you to specify a null extension in the [AllowExtensions] section. To do this, add a period (.) in the [AllowExtensions] section, as follows:
    [AllowExtensions]
    .
    ;
    ; Extensions listed here are commonly used on a typical IIS server.
    ;
    ; Note that these entries are effective if "UseAllowExtensions=1"
    ; is set in the [Option] section above.
    ;
    .asp
    .htm
    .html
    .txt
    .jpg
    .jpeg
    .gif
    					
  6. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager, or open the custom Microsoft Management Console (MMC) that contains the IIS snap-in.
  7. In the IIS MMC, expand the server computer name. Right-click the computer name and then click Properties. Click WWW Service and then click Edit.
  8. On the ISAPI filters tab, click Add. Type urlscan as the file name. In the Executable text box, click Browse, and then select urlscan.dll from the %Windir%\System32\Inetsrv\Urlscan directory.
  9. At an MS-DOS command prompt, run Net stop iisadmin, and then run Net start W3SVC to restart IIS Web services. Verify that Urlscan.dll is running without problems, and then move the Urlscan.dll ISAPI filter to the top position in the filter list.
back to the top


REFERENCES

For additional information about how to install and configure the URLSCAN utility, click the article number below to view the article in the Microsoft Knowledge Base:

307608 INFO: Availability of URLScan Security Tool

back to the top





Modification Type:MajorLast Reviewed:8/2/2006
Keywords:kbhowto kbHOWTOmaster KB312376