URLScan Overview

  • Published on November 04, 2009 by robmcm
  • Updated on November 04, 2009 by robmcm
  • Tags: URLScan

Introduction

URLScan v3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, URLScan helps prevent potentially harmful requests from being processed by web applications on the server. URLScan v3.1 has feature upgrades and fixes over its predecessor (v2.5), such as the ability to scan query strings, the ability to custom-tailor rules that scan parts of your HTTP requests, and many others. URLScan v3.1 installs as an ISAPI filter on IIS 5.1 and later, including the latest IIS 7.0 for Windows Server 2008.

For additional information about using URLScan:

  • Post queries about the tool on the IIS7 security forum here.
  • See blogs about URLScan v3.1 from Wade Hilmo.

Getting URLScan

  • Download the x86 version from Microsoft Download Center here.
  • Download the x64 version from Microsoft Download Center here.

Using URLScan

This article provides a quick look at how to use URLScan v3.1. If you have used URLScan v2.5, be sure to check out the New Features section and the Setting Up section. Please refer to the Frequently Asked Questions section if you have any questions or concerns. If you do not find the information you are looking for, please post to the IIS7 security forums on IIS.net.

URLScan v3.1 Overview

URLScan v3.1 is an upgrade to URLScan v2.5 which was originally released as part of the IIS Lockdown Tool. URLScan v3.1 maintains compatibility with its predecessor, so if you have a configuration file for the older version, you can use your existing configuration file with URLScan v3.1 and the behavior will be identical. Like its predecessor, URLScan v3.1 is an ISAPI filter that reads configuration from a Urlscan.ini file and restricts certain types of requests (enumerated in Urlscan.ini) from being executed by IIS. An IIS web server administrator can add, modify and extend URLScan configuration to further restrict the types of HTTP requests that will be served by IIS. By filtering unusual requests, URLScan will help prevent such requests from reaching application code, where they may potentially cause damage to the application or server. URLScan v3.1 will install for IIS 5.1 and later, including IIS 7.0 for Windows Server 2008.

URLScan v3.1 Features

URLScan v3.1 maintains feature and functionality parity with its predecessor (URLScan v2.5). The configuration format is the same, but includes a few additional sections that can be used for the new features. If you are currently using URLScan v2.5, you can use the same Urlscan.ini configuration file with URLScan v3.1.

New Features

  • Deny rules can now be independently applied to query string, all headers, a particular header, URL or a combination of these.
  • A global DenyQueryString section in configuration lets you add deny rules for query strings, with the option of checking the un-escaped version of the query string as well.
  • A global AlwaysAllowedUrls section in configuration lets you specify safe URLs that bypass all URL-based checks. This feature was added after the URLScan v3.0 Beta.
  • A global AlwaysAllowedQueryStrings section in configuration lets you specify safe query strings that bypass all query string checks. This feature was added after the URLScan v3.0 Beta.
  • Escape sequences (like %0A%0D) can now be used in deny rules, so it is possible to deny CRLF and other sequences involving non-printable characters.
  • Multiple URLScan instances can now be installed as site filters, each with its own configuration and rules (Urlscan.ini).
  • Configuration (Urlscan.ini) change notifications are propagated to IIS worker processes, so you won’t have to recycle your worker processes after making a configuration change. Logging settings are the only exception to this.
  • Enhanced W3C-formatted logging that gives descriptive configuration errors in the Remarks header. This feature was added after the URLScan v3.0 Beta, which did not have W3C-formatted logs.
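
To make the rule semantics listed above concrete, here is a small Python model (an added example, not URLScan's own code) of how independent URL, query string and header scanning, the un-escaped query string check, escaped sequences such as %0A%0D in deny rules, and the AlwaysAllowedUrls / AlwaysAllowedQueryStrings bypasses interact. The rule names, the allowed lists and the request values in RULES and FILTER are constructed for illustration; headers are passed as a dict of raw header values.

```python
from urllib.parse import unquote

class ScanRule:
    """One deny rule: forbidden sequences and the request parts it scans. Sequences
    may use URLScan-style escapes (e.g. %0A%0D), decoded once so CRLF can match."""

    def __init__(self, name, sequences, scan_url=False, scan_query=False, headers=()):
        self.name = name
        self.sequences = [unquote(s).lower() for s in sequences]
        self.scan_url, self.scan_query = scan_url, scan_query
        self.headers = [h.lower() for h in headers]  # ["*"] means every header

    def matches(self, text):
        text = text.lower()  # sequence matching is case-insensitive
        return any(seq in text for seq in self.sequences)

class UrlScanFilter:
    def __init__(self, rules, always_allowed_urls=(), always_allowed_query_strings=(),
                 unescape_query_string=True):
        self.rules = rules
        self.allowed_urls = {u.lower() for u in always_allowed_urls}
        self.allowed_qs = {q.lower() for q in always_allowed_query_strings}
        self.unescape_query_string = unescape_query_string

    def check(self, url, query_string, headers):
        """Rules apply in order; return None if the request passes, else 'rule: part'."""
        skip_url = url.lower() in self.allowed_urls        # AlwaysAllowedUrls bypass
        skip_qs = query_string.lower() in self.allowed_qs  # AlwaysAllowedQueryStrings bypass
        # With unescaping on, the decoded query string is scanned as well, so
        # %3Cscript%3E cannot slip past a rule written as "<script".
        qs_forms = [query_string] + ([unquote(query_string)] if self.unescape_query_string else [])
        for rule in self.rules:
            if rule.scan_url and not skip_url and rule.matches(url):
                return f"{rule.name}: URL"
            if rule.scan_query and not skip_qs and any(rule.matches(q) for q in qs_forms):
                return f"{rule.name}: query string"
            for name, value in headers.items():
                if (rule.headers == ["*"] or name.lower() in rule.headers) and rule.matches(value):
                    return f"{rule.name}: header {name}"
        return None

# Constructed rule set mirroring the Urlscan.ini sections described above.
RULES = [
    ScanRule("DenyCRLF", ["%0D%0A", "%0A%0D"], scan_url=True, scan_query=True, headers=["*"]),
    ScanRule("DenyScriptTag", ["<script"], scan_query=True),
    ScanRule("DenyScriptsDir", ["/scripts/"], scan_url=True),
]
FILTER = UrlScanFilter(RULES, always_allowed_urls=["/scripts/health.asp"],
                       always_allowed_query_strings=["page=default"])
```

Running the same encoded query string through a filter built with unescape_query_string=False shows why the un-escaped check matters: the rule written as "<script" no longer fires.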

Features Ported from URLScan v2.5

Please check the Microsoft TechNet article here to get details about features for URLScan v2.5. Here is a quick summary of the features in URLScan v2.5.

  • Block requests from being executed by IIS based on HTTP Verbs, HTML Encoding, URI Extension, URL sequences and size of request.
  • Ability to change log file directory.
  • Ability to log long URLs (>1024 bytes) up to 128 KB.
