Search results matching tag 'UrlScan'

Removeserverheader=1 causes http 400 bad request error

mhnash — Thu, 10 Sep 2009 21:08:18 GMT

We need to hide the server header in HTTP respones. When I set the urlscan parameter, Removeserverheader to 1, the server header is not present in an HTTP response test.

However, when the url for the login page to our site is accesed, a Page Cannot be Found error page displays with HTTP 400 bad request.

I set the value back to the default of 0, restart IIS and the login page works again.

The same thing happens when we try to use the Alternateservername option as well.

URLScan on Server Core

ShamusA — Thu, 18 Jun 2009 13:58:39 GMT

Hello, Any way to deploy URLscan manually on a Windows 2008 core server build, installs ok on a Windows 2008 standard server, both being 32-bit builds. The URLscan.msi file gives access denied on the core server version. TIA, Shamus

URLScan : How to build a fiter on user-agent ?

ggcgcg — Wed, 17 Jun 2009 14:12:33 GMT

Hi,

I try to build a filter on user-agent with URLScan for IIS6.

The goal is to authorize a part of my website only for a unique specific user-agent.

For the url http://127.0.0.1 there is no filter.

But for the url http://172.0.0.1/MyFolder, I need to build a filter on XML files to protect them.

The filter must authorized a unique specific user-agent which contains the srtring "MyUserAgent".

With the example below I can block some of user-agent but not authorize only one. In more, this filter is applied on all the website and not only on the url http://172.0.0.1/MyFolder

[options]

RuleList=TestGG

[testGG]
AppliesTo=.xml
DenyDataSection=DenyGG
ScanHeaders=User-Agent

[DenyGG]
MSIE
Firefox

How to do ?

Help, please.

Regards,

UrlScan 3.1 - wildcards in AlwaysAllowedUrls

Klev — Tue, 12 May 2009 09:36:27 GMT

Hi, Is there a possibility to add wildcards to AlwaysAllowedUrls? For example, i have a folder with dots in it's name: '/some.folder/' and a lot of files in it. All files in this folder are blocked by UrlScan...

URLScan 3.1 help

EvilTweety — Tue, 10 Mar 2009 17:37:00 GMT

Hi everyone,

I've been tasked to test URLScan 3.1 on an IIS 6.0. I have installed and configured according to setup instructions and added the SQL Injection rule. It works but only, it seems, at root level.

For example, when testing a simple login page at the top level i.e. www.somesite.com/login.asp , URLScan catches SQL Injection and logs accordingly. However, for a subdirectory i.e. www.somesite.com/level1/feedback/feedback.asp, tested SQL Injection gets thru and it is not logged.

I have tried URLScan as a global and site level ISAPI Filter, both ways produce the above results. Any ideas?

urlscan and logging to a unc path

Vissuluth — Mon, 10 Nov 2008 03:21:59 GMT

I have IIS on my web servers log to a central server. To do this I followed the following links:

Configuring IIS to Log Data on a Remote Share: http://technet.microsoft.com/en-us/library/cc757377.aspx

Setting Up a Null Session for Cross-Domain Logging: http://technet.microsoft.com/en-us/library/cc728059.aspx

I have added the directory iislogs$ to the NullSessionShares registory key and IIS has been loggin there for a number of months now.

In my urlscan.ini I have LoggingDirectory=\\RemoteServer\iislogs$\WebServer\urlscan but itdoesnt log and I cant find any error logs to point me to what Im missing. Does anyone have any advice on how to log to a unc share?

Using windows 2k3 sp2 for both web server and log server. URLScan version 3.0

Re: Use URLRewrite to help protect again certain sql injection attacks.

ruslany — Mon, 13 Oct 2008 20:44:10 GMT

If URLScan is installed on IIS7 it will run before the request filter and url rewriter. By default the relative order of execution of these three is:

URLScan
Request Filter
URL Rewrite

URLSCAN logging only option?

RickyE — Mon, 13 Oct 2008 13:33:07 GMT

Does anyone know if there is a way to have URLSCAN only log what it would block? We'd like to use on a production server, but we don't want to actually block requests until we've tuned the ruleset.

We do have a development server, but I can't guarantee testing there would cover 100% of all the usage scenarios. We're on IIS6.

Thanks, Rick

Re: URLScan 3.0 not logging

RedCrystal — Tue, 30 Sep 2008 18:57:03 GMT

Did you check the security permissions at the E:\logfiles folder (if you have not created the UrlScan folder under it) or the E:\logfiles\UrlScan folder itself (if you did create it)?

According to the UrlScan setup page:

Make sure that IIS worker processes have write permissions to this folder. For IIS 6.0 make sure you give IIS_WPG write permissions to this folder and for IIS 7.0 make sure you give IIS_IUSRS write permission to this folder.

from http://learn.iis.net/page.aspx/475/urlscan-setup/

UrlScan not blocking URL segments

RedCrystal — Tue, 30 Sep 2008 18:45:06 GMT

I'm using UrlScan 3.0 on IIS 6.0 (IIS 7.0 is not an option).

I need to block all requests for URLs which contain "NR" as a path segment:

http://localhost/NR/....

Here's my UrlScan.ini file (most settings are the defaults, changes are in italics, things I think are significant are in bold):

[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
UseFastPathReject=0
LogLongUrls=0
UnescapeQueryString=1
RejectResponseUrl=/FilterRejectUrl
LoggingDirectory=E:\UrlScan
AlternateServerName=
RuleList=BlockCmsNrRule

[BlockCmsNrRule]
DenyDataSection=BlockCmsNrRuleSegments
ScanURL=1

[BlockCmsNrRuleSegments]
/NR/

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
.exe
.bat
.cmd
.com

.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer

.ini
.log
.pol
.dat
.config

[AlwaysAllowedUrls]

[DenyUrlSequences]
..
./
\
:
%
&

[AlwaysAllowedQueryStrings]

[DenyQueryStringSequences]
<
>

The "Common UrlScan Scenarios" page (http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/) says of the rule data section (which I've named [BlockCmsNrRuleSegments]) "This list is case insensitive and allows entering encoded values of the format %XX, where XX are hexadecimal digits."

This is not quite what I'm encountering. If I use Fiddler to request http://localhost/%6ER/... (which is a valid escaped URL for /NR/ (case sensitive)), the request is indeed blocked (shows up in the log file and everything). But if I request http://localhost/%4Er/... (a valid escaped URL for /nr/ (case-sensitive)), that goes through and I get the resource I'm trying to block.

Is there a better way to write the rule to make sure clever URL escaping is still blocked? Or just to make sure I can totally block all requests for anything with that path segment? What am I missing?

Thanks,