Well, it would have stopped the last three major hacks on IIS, which
resides on OWA servers.  Look back in the archives for the sheer number
of OWA servers that people were concerned about.

Basically, it allows the admin to filter what type of requests are
accepted from the client.  Sort of like an IDS only on a much simpler
scale.


> -----Original Message-----
> From: Bare, Ronald A. [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, September 14, 2001 10:43 AM
> Posted To: MSExchange Mailing List
> Conversation: New MS tool "URLSCAN" filters bad URL requests from your
> IIS (OWA ) server
> Subject: RE: New MS tool "URLSCAN" filters bad URL requests from your
> IIS (OWA ) server
> 
> 
> I don't understand?  What exactly is this utility supposed to do and how does
> it relate to Exchange?  Thanks.
> 
> -----Original Message-----
> From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 13, 2001 12:42 PM
> To: Exchange Discussions
> Subject: New MS tool "URLSCAN" filters bad URL requests from your IIS
> (OWA ) server
> Importance: High
> 
> 
> Microsoft just released a new IIS utility called URLSCAN which can block
> suspicious URLs from your IIS server.  You can get it from:
> 
>  http://www.microsoft.com/downloads/release.asp?ReleaseID=32571
> 
> I just installed it on my OWA server (NT4 sp6a, EX5.5 sp4) and it seems to
> work fine.  It is configured by an INI file which tells it what types of URL
> requests to block.  Here is the log of it starting up and blocking one
> request:
> 
> 
> [Thu, Sep 13 2001 - 13:15:10] ---------- UrlScan.dll Initializing ----------
> [Thu, Sep 13 2001 - 13:15:10] URLs will be normalized before analysis.
> [Thu, Sep 13 2001 - 13:15:10] URL normalization will be verified.
> [Thu, Sep 13 2001 - 13:15:10] URLs may contain OEM, international and UTF-8 characters.
> [Thu, Sep 13 2001 - 13:15:10] URLs must not contain any dot except for the file extension.
> [Thu, Sep 13 2001 - 13:15:10] Only the following verbs will be allowed (case sensitive):
> [Thu, Sep 13 2001 - 13:15:10]         'GET'
> [Thu, Sep 13 2001 - 13:15:10]         'HEAD'
> [Thu, Sep 13 2001 - 13:15:10]         'POST'
> [Thu, Sep 13 2001 - 13:15:10] Requests for following extensions will be rejected:
> [Thu, Sep 13 2001 - 13:15:10]         '.exe'
> [Thu, Sep 13 2001 - 13:15:10]         '.bat'
> [Thu, Sep 13 2001 - 13:15:10]         '.cmd'
> [Thu, Sep 13 2001 - 13:15:10]         '.com'
> [Thu, Sep 13 2001 - 13:15:10]         '.htw'
> [Thu, Sep 13 2001 - 13:15:10]         '.ida'
> [Thu, Sep 13 2001 - 13:15:10]         '.idq'
> [Thu, Sep 13 2001 - 13:15:10]         '.htr'
> [Thu, Sep 13 2001 - 13:15:10]         '.idc'
> [Thu, Sep 13 2001 - 13:15:10]         '.shtm'
> [Thu, Sep 13 2001 - 13:15:10]         '.shtml'
> [Thu, Sep 13 2001 - 13:15:10]         '.stm'
> [Thu, Sep 13 2001 - 13:15:10]         '.printer'
> [Thu, Sep 13 2001 - 13:15:10]         '.ini'
> [Thu, Sep 13 2001 - 13:15:10]         '.log'
> [Thu, Sep 13 2001 - 13:15:10]         '.pol'
> [Thu, Sep 13 2001 - 13:15:10]         '.dat'
> [Thu, Sep 13 2001 - 13:15:10] Requests containing the following headers will be rejected:
> [Thu, Sep 13 2001 - 13:15:10]         'translate:'
> [Thu, Sep 13 2001 - 13:15:10]         'if:'
> [Thu, Sep 13 2001 - 13:15:10]         'lock-token:'
> [Thu, Sep 13 2001 - 13:15:10] Requests containing the following character sequences will be rejected:
> [Thu, Sep 13 2001 - 13:15:10]         '..'
> [Thu, Sep 13 2001 - 13:15:10]         './'
> [Thu, Sep 13 2001 - 13:15:10]         '\'
> [Thu, Sep 13 2001 - 13:15:10]         ':'
> [Thu, Sep 13 2001 - 13:15:10]         '%'
> [Thu, Sep 13 2001 - 13:15:10]         '&'
> [Thu, Sep 13 2001 - 13:37:00] Client at 192.168.1.1: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 

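The rule set listed in the quoted UrlScan startup log, modelled as a small Python filter. This is an added example, not part of the original thread and not Microsoft's code; the function name, the order of the checks, ignoring the query string, and the sample requests are assumptions made for illustration.

```python
from urllib.parse import unquote

# Rule values copied from the UrlScan startup log quoted in the thread.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}  # case sensitive, per the log
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq",
                     ".htr", ".idc", ".shtm", ".shtml", ".stm", ".printer",
                     ".ini", ".log", ".pol", ".dat"}
DENIED_HEADERS = {"translate:", "if:", "lock-token:"}
DENIED_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]


def check_request(verb, raw_url, headers=()):
    """Return (allowed, reason). The check order is an assumption."""
    if verb not in ALLOWED_VERBS:
        return False, f"verb '{verb}' not allowed"
    for name in headers:
        if name.lower() + ":" in DENIED_HEADERS:
            return False, f"header '{name}' denied"
    path = raw_url.split("?", 1)[0]  # assumption: query string not scanned
    normalized = unquote(path)       # "URLs will be normalized before analysis"
    # "URL normalization will be verified": a second pass must change nothing.
    if unquote(normalized) != normalized:
        return False, "URL is not fully normalized after one pass"
    for seq in DENIED_SEQUENCES:
        if seq in normalized:
            return False, f"sequence '{seq}' denied"
    if normalized.count(".") > 1:
        return False, "dot outside the file extension"
    last = normalized.rsplit("/", 1)[-1]
    ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext in DENIED_EXTENSIONS:
        return False, f"extension '{ext}' denied"
    return True, "ok"


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("GET", "/exchange/logon.asp"),
    ("OPTIONS", "/"),
    ("GET", "/docs/a%2541.htm"),
    ("GET", "/logs/ex010913.log"),
    ("GET", "/a.b/c.htm"),
]

if __name__ == "__main__":
    for verb, url in SAMPLES:
        print(verb, url, "->", check_request(verb, url))
```
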