Using UrlScan

Published on June 05, 2008 by iisteam

Updated on November 01, 2008 by iisteam


Introduction

UrlScan v3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server. UrlScan v3.1 adds feature upgrades and fixes over its predecessor (v2.5), such as the ability to scan query strings, the ability to write custom rules that scan specific parts of your HTTP requests, and many others. UrlScan v3.1 installs as an ISAPI filter on IIS 5.1 and later, including the latest IIS 7.0 for Windows Server 2008.

Getting UrlScan

Download the x86 version from Microsoft Download Center here.
Download the x64 version from Microsoft Download Center here.
Post queries about the tool on the IIS7 security forum here.
Check out blogs on UrlScan v3.1 from Wade

Using UrlScan

This article provides a quick look at how to use UrlScan v3.1. If you have used UrlScan v2.5, be sure to check out the New Features section and the Setting Up section. Please refer to the Frequently Asked Questions section if you have any questions or concerns. If you do not find the information you are looking for, please post to the IIS7 security forums on IIS.net.

UrlScan v3.1 Overview

UrlScan v3.1 is an upgrade to UrlScan v2.5 which was originally released as part of the IIS Lockdown Tool. UrlScan v3.1 maintains compatibility with its predecessor, so if you have a configuration file for the older version, you can use your existing configuration file with UrlScan v3.1 and the behavior will be identical. Like its predecessor, UrlScan v3.1 is an ISAPI filter that reads configuration from a urlscan.ini file and restricts certain types of requests (enumerated in urlscan.ini) from being executed by IIS. An IIS web server administrator can add, modify and extend UrlScan configuration to further restrict the types of HTTP requests that will be served by IIS. By filtering unusual requests, UrlScan will help prevent such requests from reaching application code, where they may potentially cause damage to the application or server. UrlScan v3.1 will install for IIS 5.1 and later, including IIS 7.0 for Windows Server 2008.

UrlScan v3.1 Features

UrlScan v3.1 maintains feature and functionality parity with its predecessor (UrlScan v2.5). The configuration format is the same, but includes a few additional sections that can be used for the new features. If you are currently using UrlScan v2.5, you can use the same urlscan.ini configuration file with UrlScan v3.1.

New Features

  • Deny rules can now be independently applied to query string, all headers, a particular header, URL or a combination of these.
  • A global DenyQueryString section in configuration lets you add deny rules for query strings with the option of checking the un-escaped version of the query string as well.
  • A global AlwaysAllowedUrls section in configuration lets you specify safe URLs that will bypass all URL based checks. This feature has been added post UrlScan v3.0 Beta.
  • A global AlwaysAllowedQueryStrings section in configuration lets you specify safe query strings that will bypass all query string checks. This feature has been added post UrlScan v3.0 Beta.
  • Escape sequences (like %0A%0D) can now be used in deny rules, so it is possible to deny CRLF and other sequences involving non-printable characters.
  • Multiple UrlScan instances can now be installed as site filters, each with its own configuration and rules (urlscan.ini).
  • Configuration (urlscan.ini) change notifications will be propagated to IIS worker processes so you won’t have to recycle your worker processes after making a configuration change. Logging settings are the only exception to this.
  • Enhanced W3C formatted logging that will give descriptive configuration errors in the Remarks header. This feature has been added post UrlScan v3.0 Beta, which did not have W3C formatted logs.
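
The new configuration features listed above, sketched as a urlscan.ini fragment. This is an added example, not taken from the original article or from the urlscan.ini that ships with the tool. The section and key names are written from the v3.1 configuration format and do not appear on this page, so check them against the urlscan.ini the installer creates; the rule name, data section name, deny strings and allowed URL are constructed.

```ini
; Added example (constructed values): v3.1 features in one urlscan.ini sketch.

[Options]
; Custom deny rules to evaluate, by section name (comma-separated).
RuleList=QueryStringRule
; Check the query string both as received and after un-escaping it.
UnescapeQueryString=1

; A deny rule applied to one part of the request only: the query string.
[QueryStringRule]
; Limit the rule to requests for these extensions.
AppliesTo=.asp,.aspx
; Section that holds the strings this rule denies.
DenyDataSection=QueryStringRuleStrings
; Select which parts of the request the rule scans.
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[QueryStringRuleStrings]
; Escape sequence form, so non-printable characters can be denied.
%0A%0D
; A semicolon has to be written escaped, because ";" starts a comment here.
%3b
--

; Global deny list for query strings, applied to every request.
[DenyQueryStringSequences]
<
>

; URLs listed here bypass all URL-based checks, so keep the list short
; and limited to exact paths that are known to be safe.
[AlwaysAllowedUrls]
/monitoring/probe.htm

; Query strings listed here bypass all query string checks.
; Left empty: nothing is exempted.
[AlwaysAllowedQueryStrings]
```

After a change like this, the W3C-formatted UrlScan log is the place to confirm the rule loaded, since configuration errors are described in its Remarks header.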

Features Ported from UrlScan v2.5

Please check the Microsoft TechNet article here to get details about features for UrlScan v2.5. Here is a quick summary of the features in UrlScan v2.5.

  • Block requests from being executed by IIS based on HTTP Verbs, HTML Encoding, URI Extension, URL sequences and size of request.
  • Ability to change log file directory.
  • Ability to log long URLs (>1024 bytes) up to 128 Kb.

In This Section

UrlScan Setup

Prerequisites: Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008. IIS version 5.1, 6.0 or 7.0 (depending on the platform). Installation Steps: Run the UrlScan v3.1 MSI installer for either the x86 or x64 version depending on your platform. On successful ...

Common UrlScan Scenarios

This article provides a list of common usage scenarios for UrlScan v3.1, and how to enable the scenarios using the urlscan.ini configuration. Creating Rules to Disallow String Patterns in Parts of Requests: A new feature added for UrlScan v3.1 is the ability to ...

Data Mining UrlScan 3.0 Logs using LogParser 2.2

Microsoft has released version 3.0 of UrlScan, and one of the great new features in this version is log files that conform to the W3C Extended Log File Format. What this means to administrators is that they can now parse their UrlScan activity using almost ...

UrlScan FAQ

The following section provides answers to frequently asked questions about UrlScan. Q: Where are my UrlScan log files? A: By default the log files are in %windir%\system32\inetsrv\urlscan\logs for both x86 and x64 installations. Your urlscan.ini file contains ...
