How To: Use URLScan
Updated: April 12, 2004
This page
• Objectives
• Applies To
• How to Use This Module
• Summary
• Install URLScan
• Log File
• Remove URLScan
• Configure URLScan
• Use URLScan to Restrict Request Size
• Debug VS .NET with URLScan Installed
• Mask Content Header Information
• Pitfalls
• References
Objectives
Use this module to:
• Obtain and install URLScan.
• Use URLScan to harden your Web server against common attacks, such as denial of service and directory traversal.
• Enable Visual Studio .NET debugging with URLScan installed.
Applies To
This module applies to the following products and technologies:
• Microsoft® Windows® 2000 Server
• Internet Information Services (IIS)
How to Use This Module
To get the most from this module, you should:
• Have experience administering Internet Information Services.
• Have experience programming with Visual Studio .NET.
• Read the module "How To: Use IISLockdown." That module describes how to install IISLockdown, which is also one way to install URLScan.
Summary
URLScan is an ISAPI filter that lets Web site administrators restrict the kinds of HTTP requests the server processes. By blocking specific HTTP requests, the URLScan filter stops potentially harmful requests from reaching the server and causing damage. This module describes how to obtain, install, and configure URLScan.
Install URLScan
At the time of writing, you can install URLScan 2.0 either by running IISLockdown (iislockd.exe) or independently.
• Install URLScan 2.0 with IISLockdown: URLScan 2.0 can be installed when you run the IIS Lockdown Wizard (iislockd.exe). You can download iislockd.exe from the Microsoft Web site at http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe (English).
• Install URLScan 2.0 without running IISLockdown: To install URLScan without running IISLockdown, you must extract it from the IIS Lockdown tool manually. First, save iislockd.exe to a directory. Then, to extract the URLScan setup files, run the following command from a command prompt in the directory where you saved iislockd.exe:
iislockd.exe /q /c
This unpacks urlscan.exe, which is the URLScan installer. For more information, see Microsoft Knowledge Base article 315522, "How To: Extract the URLScan Tool and Lockdown Template Files from the IIS Lockdown Tool," at http://support.microsoft.com/default.aspx?scid=315522 (English).
• Install URLScan 2.5: URLScan 2.5 is currently the latest version of URLScan. It is distributed as an upgrade, so before you install URLScan 2.5 you must already have URLScan 1.0 or URLScan 2.0 installed. For more information, see Microsoft Knowledge Base article 307608, "INFO: URLScan on IIS," at http://support.microsoft.com/default.aspx?scid=307608 (English).
• Default installation directory: The URLScan files, urlscan.dll and urlscan.ini, and the URLScan logs are stored in %WINDIR%\System32\Inetsrv\Urlscan. Urlscan.dll is the filter itself; you configure how it behaves through urlscan.ini.
Log File
URLScan creates a log file in which it records rejected requests. The log file is located in the following folder:
%WINDIR%\System32\Inetsrv\Urlscan
The log file naming convention is as follows: Urlscan
Remove URLScan
To remove URLScan, use the ISAPI Filters tab of the Web server's Properties dialog box in Internet Services Manager to remove the URLScan filter.
Configure URLScan
To configure which requests URLScan rejects, edit urlscan.ini. This file is located in the following folder:
%WINDIR%\System32\Inetsrv\Urlscan
For more information about how to modify each section of urlscan.ini, see Microsoft Knowledge Base article 815155, "How To: Configure URLScan to Protect ASP.NET Web Applications," at http://support.microsoft.com/default.aspx?scid=815155 (English).
Use URLScan to Restrict Request Size
URLScan can serve as an additional line of defense against denial of service attacks, because it examines requests before they ever reach ASP.NET. To use it this way, set limits with the MaxAllowedContentLength, MaxUrl, and MaxQueryString entries.
To limit request sizes, add the following configuration to urlscan.ini:
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
MaxAllowedContentLength=2000000000
MaxUrl=16384
MaxQueryString=4096
These values are generous (a MaxAllowedContentLength of 2000000000 bytes permits request bodies of nearly 2 GB); lower them to the largest request your application actually needs to accept.
Debug VS .NET with URLScan Installed
By default, URLScan does not allow the DEBUG verb. Therefore, when you use VS .NET to debug a Web application on a server that has URLScan installed, you may see the following error:
Microsoft Development Environment:
Error while trying to run project: Unable to start debugging on the web server.
Unable to start ASP.NET or ATL Server debugging.
Verify that ASP.NET or ATL Server is correctly installed on the server. Do you want to disable future attempts to debug ASP.NET pages for this project? Yes No Help
The URLScan log file also contains an entry similar to the following:
[01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
To support debugging, add DEBUG to the [AllowVerbs] section of urlscan.ini, as shown below:
[AllowVerbs]
GET
HEAD
POST
DEBUG
Note that you must restart IIS for the change to take effect. Allow DEBUG only on development servers; production servers have no legitimate use for it.
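The log entry quoted above is the only trace URLScan leaves of a rejected request, so the rejection log is the place to look both when debugging fails and when hunting for probing. The following script is an added example, not code from this module or from URLScan: it parses entries in the format shown above, counts rejections per client and per rejected verb, and lists the clients other than an allowed set (the loopback address by default, an assumption) that sent DEBUG. The log lines embedded in it are constructed samples; the first mirrors the entry on this page, and the rejection reasons on the others are illustrative rather than URLScan's exact wording.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries in the layout URLScan writes to the log file under
# %WINDIR%\System32\Inetsrv\Urlscan. The first line mirrors the entry quoted in
# this module; the remaining lines are made up for illustration.
SAMPLE_LOG = """\
[01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
[01-18-2003 - 22:25:40] Client at 10.0.0.7: URL contains sequence '..', which is disallowed. Request will be rejected.
[01-18-2003 - 22:26:01] Client at 10.0.0.7: URL length exceeded maximum allowed. Request will be rejected.
[01-18-2003 - 22:26:05] Client at 10.0.0.7: Sent verb 'TRACE', which is not specifically allowed. Request will be rejected.
[01-18-2003 - 22:27:13] Client at 192.168.1.50: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
[01-18-2003 - 22:27:30] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
this line is not a URLScan entry and is skipped
"""

# "[mm-dd-yyyy - hh:mm:ss] Client at <ip>: <reason> Request will be rejected."
# Anything after the sentence is kept in 'rest' in case a build appends fields.
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{2}-\d{2}-\d{4}) - (?P<time>\d{2}:\d{2}:\d{2})\] "
    r"Client at (?P<client>[^:]+): (?P<reason>.*?) Request will be rejected\.(?P<rest>.*)$"
)
VERB_RE = re.compile(r"Sent verb '(?P<verb>[^']+)'")


def parse_entry(line):
    """Parse one log line; return a dict, or None if it is not a rejection entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason").strip()
    verb = VERB_RE.search(reason)
    return {
        "time": datetime.strptime(f"{m.group('date')} {m.group('time')}", "%m-%d-%Y %H:%M:%S"),
        "client": m.group("client").strip(),   # IPv4 dotted quad, as URLScan logs it
        "reason": reason,
        "verb": verb.group("verb").upper() if verb else None,
    }


def parse_log(text):
    """Return (entries, skipped) for the contents of a whole log file."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)
    return entries, skipped


def summarize(entries):
    """Count rejections per client and per rejected verb."""
    return {
        "total": len(entries),
        "by_client": Counter(e["client"] for e in entries),
        "by_verb": Counter(e["verb"] for e in entries if e["verb"]),
    }


def unexpected_debug_clients(entries, allowed=("127.0.0.1",)):
    """Clients outside 'allowed' that sent DEBUG. On a development server the
    local VS .NET session is expected; any other source deserves a look, and
    on a production server every DEBUG attempt does."""
    seen = []
    for e in entries:
        if e["verb"] == "DEBUG" and e["client"] not in allowed and e["client"] not in seen:
            seen.append(e["client"])
    return seen


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    s = summarize(entries)
    print(f"{s['total']} rejections parsed, {skipped} lines skipped")
    print("by client:", dict(s["by_client"]))
    print("by verb:", dict(s["by_verb"]))
    print("DEBUG from unexpected clients:", unexpected_debug_clients(entries))
```

To run it against a real log, read the file from the URLScan folder and pass its contents to parse_log; the client match stops at the first colon, so it expects the IPv4 addresses URLScan logs on Windows 2000.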
Mask Content Header Information
To prevent your Web server from revealing its type and version in the Server header, locate RemoveServerHeader in the [Options] section of urlscan.ini and set its value to 1, as shown below:
RemoveServerHeader=1
RemoveServerHeader affects only the Server header; ASP.NET still identifies itself through the X-Powered-By header, which you remove separately on the HTTP Headers tab of the Web site's properties.
For more information, see Microsoft Knowledge Base article 317741, "How To: Mask IIS Version Information from Network Trace and Telnet," at http://support.microsoft.com/default.aspx?scid=317741 (English).
Pitfalls
If you use URLScan, you may run into the following issues:
• URLScan blocks the DEBUG verb, which prevents application debugging. If you need to support debugging, add the DEBUG verb to the [AllowVerbs] section of urlscan.ini.
• You must restart IIS for your changes to take effect. URLScan is an ISAPI filter that runs in the IIS process and reads urlscan.ini when IIS starts. You can restart IIS by running the iisreset command from a command prompt.
• URLScan blocks requests that contain potentially harmful characters, such as the "." character used in the ".." sequence that directory traversal attacks exploit. It is recommended that you do not include "." characters in your project paths. If you must use this character, set AllowDotInPath=1 in urlscan.ini. If your Web application directory contains a dot, for example if the directory name includes "ASP.NET", URLScan rejects the request and returns a "404 Not Found" message to the client. Other characters that you should avoid in project names because of URLScan include the comma (,) and the pound sign (#).
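The settings this module touches (the [RequestLimits] ceilings, DEBUG in [AllowVerbs], RemoveServerHeader, and AllowDotInPath) are easy to leave in a development state on a production box. The script below is an added example, not code from this module or from URLScan: it parses urlscan.ini with Python's configparser and reports which of those settings are weaker than the values recommended above. The two ini fragments embedded in it are constructed for the example and are not the shipped urlscan.ini; the section and key names are the real ones, and the default ceilings are the [RequestLimits] values shown earlier on this page.

```python
import configparser

# Constructed urlscan.ini fragments (not the file URLScan ships). DEV_INI is a
# development-style configuration; HARDENED_INI applies this module's settings.
DEV_INI = """\
[options]
UseAllowVerbs=1
RemoveServerHeader=0
AllowDotInPath=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST
DEBUG

[RequestLimits]
MaxAllowedContentLength=2000000000
MaxUrl=65536
MaxQueryString=4096
"""

HARDENED_INI = """\
[options]
UseAllowVerbs=1
RemoveServerHeader=1
AllowDotInPath=0
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
MaxAllowedContentLength=2000000000
MaxUrl=16384
MaxQueryString=4096
"""


def load_ini(text):
    """Parse urlscan.ini text into {section: {key: value}} with lower-case names.
    The verb and extension sections list bare names, so allow_no_value is required."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    return {s.lower(): {k.lower(): (v.strip() if v is not None else None) for k, v in cp.items(s)}
            for s in cp.sections()}


def audit(text, max_url=16384, max_query=4096, max_content=2000000000):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    cfg = load_ini(text)
    opts = cfg.get("options", {})
    findings = []

    if opts.get("removeserverheader") != "1":
        findings.append(("server-header",
                         "RemoveServerHeader is not 1: the Server header will reveal the IIS version"))

    # With UseAllowVerbs=1 only verbs listed in [AllowVerbs] pass; with 0 every
    # verb passes except those in [DenyVerbs]. Check DEBUG under either mode.
    if opts.get("useallowverbs", "1") == "1":
        debug_allowed = "debug" in cfg.get("allowverbs", {})
    else:
        debug_allowed = "debug" not in cfg.get("denyverbs", {})
    if debug_allowed:
        findings.append(("debug-verb",
                         "DEBUG verb is allowed: acceptable only on a development server"))

    if opts.get("allowdotinpath") == "1":
        findings.append(("dot-in-path",
                         "AllowDotInPath=1 permits dots in the path portion of URLs; "
                         "keep it at 0 unless a directory name requires it"))

    limits = cfg.get("requestlimits", {})
    for key, ceiling in (("maxurl", max_url), ("maxquerystring", max_query),
                         ("maxallowedcontentlength", max_content)):
        raw = limits.get(key)
        if raw is None or not raw.isdigit():
            findings.append((key, f"[RequestLimits] {key} is missing or not numeric"))
        elif int(raw) > ceiling:
            findings.append((key, f"[RequestLimits] {key}={raw} exceeds {ceiling}"))
    return findings


if __name__ == "__main__":
    for name, text in (("development", DEV_INI), ("hardened", HARDENED_INI)):
        print(f"{name}:")
        for code, message in audit(text) or [("ok", "no findings")]:
            print(f"  {code}: {message}")
```

Run it against the real file by passing the contents of %WINDIR%\System32\Inetsrv\Urlscan\urlscan.ini to audit; because URLScan only reads the file at IIS startup, a clean audit of the file on disk still requires an iisreset before the running filter matches it.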
References
For more information, see the following resources:
• For more information about how to modify each section of urlscan.ini, see Microsoft Knowledge Base article 815155, "How To: Configure URLScan to Protect ASP.NET Web Applications," at http://support.microsoft.com/default.aspx?scid=815155 (English).
• For more information about using URLScan, see http://www.nardware.co.uk/security/docs/nmsurlscan.html (English).
• For more information about URLScan 2.5, see Microsoft Knowledge Base article 307608, "INFO: URLScan on IIS," at http://support.microsoft.com/default.aspx?scid=307608 (English).