Windows - IIS Lockdown links

Want to properly lockdown IIS? Want to know more about the URLScan?

Article ID : 326444
Last Review : June 23, 2005
Revision : 5.1

http://www.securityfocus.com/infocus/1755

http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444

A customer asked why files on their web site with “&” in the name couldn’t be downloaded. By default the “Deny URL” section ([DenyUrlSequences]) locks down a lot of things. That’s a good thing!! But sometimes you have to make a small exception for your users… so… read below…

The [DenyUrlSequences] section
You can configure URLScan to block requests that contain certain sequences of characters in the URL. For example, you can block requests that contain two consecutive periods (..), which are frequently used with exploits that take advantage of directory traversal vulnerabilities. To specify a character sequence to block, put the sequence on a line by itself in the [DenyUrlSequences] section.

Note that adding character sequences may adversely affect Outlook Web Access (OWA) for Microsoft Exchange. When you open a message from OWA, the subject line of the message is contained in the URL that is requested from the server. Because the URLScan.ini file blocks any requests that contain the percent sign (%) and the ampersand (&), users receive a 404 error message when they try to open a message with a subject line such as “Sales increase by 100%” or “Bob & Sue are coming to town”. To resolve this, you can remove these sequences.

But don’t “remove” the sequence. Just REM it out by putting a ; in front of the character sequence you want to allow: the line becomes a comment, the default stays visible in the file, and you can turn the rule back on later by deleting the ;. URLScan reads URLScan.ini when IIS starts, so run iisreset for the change to take effect.
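As an added example (not from the post and not URLScan’s own code), a small Python model of how the [DenyUrlSequences] section is read and matched. It shows that REM’ing out % and & with a leading ; lets the two OWA subject lines through while the .. rule still blocks a traversal request. The ini text is constructed from the URLScan 2.5 defaults, the sample URLs are made up, and the matching (plain case-insensitive substring test on the decoded path) is a simplification of what URLScan does.

```python
# Simplified model of URLScan's [DenyUrlSequences] check (added example, not code
# from the post or from URLScan).  Assumed: ';' starts a comment, on its own line
# or after a sequence; a rule fires on a case-insensitive substring match against
# the URL-decoded path.  The ini fragments are constructed from the 2.5 defaults.
import urllib.parse

DEFAULT_INI = """\
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""

# Same section with the two OWA-breaking rules REM'd out rather than deleted.
OWA_FRIENDLY_INI = """\
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
;%   ; Don't allow escaping after normalization
;&   ; Don't allow multiple CGI processes to run on a single request
"""

def deny_sequences(ini_text):
    """Active sequences in [DenyUrlSequences]; commented-out lines are skipped."""
    seqs, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or whole-line comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if in_section:
            seqs.append(line.split(";", 1)[0].strip())   # drop trailing comment
    return seqs

def blocked_by(url, seqs):
    """Sequences that fire on the decoded path of url; [] means it passes."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path).lower()
    return [s for s in seqs if s.lower() in path]

# Constructed requests: two OWA messages (subject in the URL) and one traversal.
OWA_PERCENT = "/exchange/bob/Inbox/Sales%20increase%20by%20100%25.EML"
OWA_AMP = "/exchange/bob/Inbox/Bob%20%26%20Sue%20are%20coming%20to%20town.EML"
TRAVERSAL = "/images/../../web.config"
```

Run blocked_by() on each URL against deny_sequences() of both fragments to see which rules fire before and after the exception.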