New MS tool "URLSCAN" filters bad URL requests from your IIS (OWA ) server

[Alverson, Thomas M.]

Microsoft just released a new IIS utility called URLSCAN which can block
suspicious URL's from your IIS server.  You can get it from:

 http://www.microsoft.com/downloads/release.asp?ReleaseID=32571

I just installed it on my OWA server (NT4 sp6a, EX5.5 sp4) and it seems to
work fine.  It is configured by an INI file which tells it what types of URL
requests to block.  Here is the log of it starting up and blocking one
request:


[Thu, Sep 13 2001 - 13:15:10] ---------- UrlScan.dll Initializing ----------
[Thu, Sep 13 2001 - 13:15:10] URLs will be normalized before analysis.
[Thu, Sep 13 2001 - 13:15:10] URL normalization will be verified.
[Thu, Sep 13 2001 - 13:15:10] URLs may contain OEM, international and UTF-8
characters.
[Thu, Sep 13 2001 - 13:15:10] URLs must not contain any dot except for the
file extension.
[Thu, Sep 13 2001 - 13:15:10] Only the following verbs will be allowed (case
sensitive):
[Thu, Sep 13 2001 - 13:15:10]   'GET'
[Thu, Sep 13 2001 - 13:15:10]   'HEAD'
[Thu, Sep 13 2001 - 13:15:10]   'POST'
[Thu, Sep 13 2001 - 13:15:10] Requests for following extensions will be
rejected:
[Thu, Sep 13 2001 - 13:15:10]   '.exe'
[Thu, Sep 13 2001 - 13:15:10]   '.bat'
[Thu, Sep 13 2001 - 13:15:10]   '.cmd'
[Thu, Sep 13 2001 - 13:15:10]   '.com'
[Thu, Sep 13 2001 - 13:15:10]   '.htw'
[Thu, Sep 13 2001 - 13:15:10]   '.ida'
[Thu, Sep 13 2001 - 13:15:10]   '.idq'
[Thu, Sep 13 2001 - 13:15:10]   '.htr'
[Thu, Sep 13 2001 - 13:15:10]   '.idc'
[Thu, Sep 13 2001 - 13:15:10]   '.shtm'
[Thu, Sep 13 2001 - 13:15:10]   '.shtml'
[Thu, Sep 13 2001 - 13:15:10]   '.stm'
[Thu, Sep 13 2001 - 13:15:10]   '.printer'
[Thu, Sep 13 2001 - 13:15:10]   '.ini'
[Thu, Sep 13 2001 - 13:15:10]   '.log'
[Thu, Sep 13 2001 - 13:15:10]   '.pol'
[Thu, Sep 13 2001 - 13:15:10]   '.dat'
[Thu, Sep 13 2001 - 13:15:10] Requests containing the following headers will
be rejected:
[Thu, Sep 13 2001 - 13:15:10]   'translate:'
[Thu, Sep 13 2001 - 13:15:10]   'if:'
[Thu, Sep 13 2001 - 13:15:10]   'lock-token:'
[Thu, Sep 13 2001 - 13:15:10] Requests containing the following character
sequences will be rejected:
[Thu, Sep 13 2001 - 13:15:10]   '..'
[Thu, Sep 13 2001 - 13:15:10]   './'
[Thu, Sep 13 2001 - 13:15:10]   '\'
[Thu, Sep 13 2001 - 13:15:10]   ':'
[Thu, Sep 13 2001 - 13:15:10]   '%'
[Thu, Sep 13 2001 - 13:15:10]   '&'
[Thu, Sep 13 2001 - 13:37:00] Client at 192.168.1.1: Sent verb 'OPTIONS',
which is not specifically allowed. Request will be rejected.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]