UrlScan
UrlScan is an ISAPI filter that screens and analyzes HTTP requests as Microsoft Internet Information Services (IIS) receives them. When properly configured, UrlScan is effective at reducing the exposure of IIS 4.0, IIS 5.0, and IIS 5.1 to potential Internet attacks.
Administrators may configure UrlScan to reject HTTP requests based on the following criteria:
The request method (verb)
The file extension of the resource requested
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of specified character sequences in the URL
Presence of specified headers in the request
In the event that a request is denied, UrlScan will log the action in the %windir%\system32\inetsrv\UrlScan directory, along with the reason for the denial and information about the request, typically the complete URL and the IP address of the source of the request. When a denial occurs, IIS sends a "404 Object not found" response to the client. This simple response reduces the possibility of inadvertently disclosing information about the server to a possible attacker. Also, to further reduce the information sent to the client, the administrator has the option of deleting or altering the server header in the response.
UrlScan protects a server from attacks by filtering and rejecting HTTP requests for selected IIS service features. The default UrlScan.ini file is configured to accept requests for only static HTML files, including graphics. The default UrlScan.ini file is configured such that UrlScan will reject the following types of requests:
CGI (.exe) pages
WebDAV
FrontPage Server Extensions
Index Server
Internet printing
Server side includes
Each setting in UrlScan.ini contains comments describing the feature the setting is associated with. You will need to modify UrlScan.ini to accept HTTP requests for any of the IIS features listed above.
When using UrlScan with the Internet Information Services Lockdown Wizard, the server template that you select chooses a UrlScan filter configuration that most closely matches your server environment. For some server environments, it may enable functionality that you do not require. For other server environments, it may disable functionality that you need. After completing the Internet Information Services Lockdown Wizard, Microsoft recommends that you use this UrlScan documentation to tune the UrlScan.ini file to meet your specific needs. When using UrlScan alone, you can modify UrlScan.ini to meet your needs. For more information about modifying UrlScan.ini, see Running UrlScan.
Warning: You cannot use the following files as a server template: urlscan_biztalk.ini, urlscan_commerce.ini, urlscan_dynamic.ini, urlscan_exchange5_5.ini, urlscan_exchange2000.ini, urlscan_frontpage.ini, urlscan_sbs2000.ini, urlscan_sharepoint_portal.ini, and urlscan_static.ini. These files are only data files that the Internet Information Services Lockdown Wizard uses to create server templates. A template will have the right configuration for the server type only if it was generated by the Internet Information Services Lockdown Wizard. Upon completion, the Internet Information Services Lockdown Wizard generates a server template, which you can access in %windir%\System32\Inetsrv\UrlScan\UrlScan.ini.
Important: Be mindful that no tool replaces the need for timely installation of service packs and hotfixes. For each feature you set UrlScan to accept requests for, you should search for relevant security patches at the Microsoft TechNet Web site.
Installing UrlScan
UrlScan may be installed as a site filter, but it is recommended that it be installed as a global filter so that its functionality applies to the entire server. You can install UrlScan using one of the following procedures:
If you choose to enable UrlScan while using the IIS Lockdown Wizard, UrlScan will be installed for you.
You can run the executable file, IISLockd.exe, which steps you through the installation.
Take the following steps in the IIS snap-in to install UrlScan manually as a global filter:
Copy UrlScan.dll and UrlScan.ini into a local directory on the server.
Open the IIS snap-in.
Right-click the server name (not the site name) under Internet Information Services in the MMC, and then select Properties.
Verify that WWW Service is displayed in the Master Properties drop-down list, and click the Edit button.
Choose the ISAPI Filters tab, and then click the Add button.
In the Filter Properties window, type UrlScan, and enter the full path to UrlScan.dll in the Executable box.
Select OK to close each dialog.
Restart IIS.
Note: If you use the IIS Lockdown Wizard to install UrlScan, and then later use the IIS Lockdown Wizard to undo the server configuration, UrlScan will be disabled. If you want to uninstall UrlScan, you need to uninstall it using Add/Remove Programs in Control Panel.
Running UrlScan
When properly installed, UrlScan will run automatically whenever IIS is started. To confirm the operation of UrlScan, locate the log file, UrlScan.log, in the directory that contains UrlScan.dll. Unless UrlScan is configured with logging disabled, UrlScan automatically creates the log file, which contains a report of the configured options each time the server is started.
The initialization file, UrlScan.ini, specifies the operation of UrlScan. This file must reside in the same directory as UrlScan.dll. UrlScan reads UrlScan.ini at initialization time only (for performance reasons). You must stop and restart IIS before any changes made to UrlScan.ini become effective.
The default options built into UrlScan.dll specify a configuration that will reject all requests to the server. UrlScan.ini is required for UrlScan to pass requests to be served. The default UrlScan.ini provided contains the recommended settings to defend against known attacks against IIS servers at the time of writing. UrlScan.ini contains the sections listed below.
Options Section
The Options section configures the main options of UrlScan.
UseAllowVerbs: Allowed values are 0 or 1. Default is 1. If set to 1, UrlScan reads the AllowVerbs section of UrlScan.ini and rejects any request containing an HTTP verb that is not explicitly listed. The AllowVerbs section is case sensitive. If set to 0, UrlScan reads the DenyVerbs section of UrlScan.ini and rejects any request containing an HTTP verb listed. The DenyVerbs section is not case sensitive.
UseAllowExtensions: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan reads the AllowExtensions section of UrlScan.ini and rejects any request in which the file extension associated with the URL is not explicitly listed. If set to 0, UrlScan reads the DenyExtensions section of UrlScan.ini and rejects any request in which the file extension associated with the request is listed. Both the AllowExtensions and DenyExtensions sections are case insensitive.
NormalizeUrlBeforeScan: Allowed values are 0 or 1. Default is 1. If set to 1, UrlScan does all of its analysis on the request URLs after IIS decodes and normalizes them. If set to 0, UrlScan does all of its analysis on the raw URLs as sent by the client. Only advanced administrators who are very knowledgeable about URL parsing should set this option to 0, as doing so will likely expose the IIS server to canonicalization attacks that bypass proper analysis of the URL extensions.
VerifyNormalization: Allowed values are 0 or 1. Default is 1. If set to 1, UrlScan verifies normalization of the URL. This action will defend against canonicalization attacks, where a URL contains a double encoded string (for example, the string "%252e" is a double encoded '.' character: because "%25" decodes to a '%' character, the first pass of decoding "%252e" results in "%2e", which can be decoded a second time into '.'). If set to 0, this verification is not done.
AllowHighBitCharacters: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan allows any byte to exist in the URL. If set to 0, UrlScan rejects any request where the URL contains a character outside of the ASCII character set. This feature can defend against UNICODE or UTF-8 based attacks, but will also reject legitimate requests on IIS servers that use a non-ASCII code page.
AllowDotInPath: Allowed values are 0 or 1. Default is 0. If set to 0, UrlScan rejects any request containing multiple instances of the dot (.) character. If set to 1, UrlScan does not perform this test. Because UrlScan operates at a level where IIS has not yet parsed the URL, it is not possible to determine in all cases whether a dot character denotes the extension or whether it is a part of the directory path or filename of the URL. For the purposes of extension analysis, UrlScan will always assume that an extension is the part of the URL beginning after the last dot in the string and ending at the first question mark or slash character after the dot, or the end of the string. Setting AllowDotInPath to 0 defends against the case where an attacker uses path info to hide the true extension of the request (for example, something like "/path/TrueURL.asp/BogusPart.htm"). Setting AllowDotInPath to 0 also causes UrlScan to deny any request that contains a dot in a directory name.
RemoveServerHeader: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan removes the server header on all responses. If set to 0, UrlScan does not perform this action. Note that this feature is only available if UrlScan is installed on IIS 4.0 or later.
EnableLogging: Allowed values are 0 or 1. Default is 1. If set to 1, UrlScan logs its actions into a file called UrlScan.log, which will be created in the same directory that contains UrlScan.dll. If set to 0, no logging will be done.
PerProcessLogging: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan appends the process ID of the IIS process hosting UrlScan.dll to the log file name (for example, UrlScan.1234.log). This feature is helpful for IIS versions that can host filters in more than one process concurrently. If set to 0, the log file will be UrlScan.log.
AlternateServerName: Allowed value is a string. Default is an empty string. If this setting is present (the string is not empty) and if RemoveServerHeader is set to 0, IIS replaces its default "Server:" header in all responses with this string. If RemoveServerHeader is set to 1, AlternateServerName has no meaning. This feature is only available if UrlScan is installed on IIS 4.0 or later.
AllowLateScanning: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan registers itself as a low priority filter. This allows other filters to modify the URL before UrlScan does its analysis (note that in addition to this switch, it is necessary to ensure that UrlScan is listed lower on the filter list in the MMC "ISAPI Filters" property sheet for the server). If this value is set to 0, UrlScan runs as a high priority filter. Note that FrontPage Server Extensions requires that this setting be 1 and that UrlScan is low on the filter load order list, preferably last.
PerDayLogging: Allowed values are 0 or 1. Default is 1. If set to 1, UrlScan creates a new log file each day and appends a date to the log file name (for example, UrlScan.101501.log). If both PerDayLogging=1 and PerProcessLogging=1 are set, the log file name contains the date and a process ID (for example, UrlScan.101501.123.log). Note that with PerDayLogging, a log is created for the current day (and the log for the previous day is closed) when the first log entry is written for that day. If a day passes with no UrlScan activity, no log is created for that day. If this value is set to 0, then UrlScan opens a single file called UrlScan.log (or UrlScan.xxx.log, where xxx is the process ID, in the case of PerProcessLogging=1).
RejectResponseUrl: Allowed value is a string. The default is /. This string is a URL in the form "/path/file_name.ext". In the event UrlScan rejects a request, it will run the specified URL, which needs to be local to the Web site for the request being analyzed by UrlScan. The specified URL can have the same extension (for example, .asp) as the rejected URL.
UrlScan creates the following server variables that can be used by the specified URL in determining the nature of the rejected request and to allow flexibility in returning the actual response to the client:
HTTP_URLSCAN_STATUS_HEADER: Contains the reason the request is being rejected.
HTTP_URLSCAN_ORIGINAL_VERB: Contains the original verb from the request that is being rejected.
HTTP_URLSCAN_ORIGINAL_URL: Contains the original URL from the request that is being rejected.
UrlScan appends the URL of the request that is being rejected as a query string to the location specified by RejectResponseUrl. If IIS is configured to log request query strings, the URL of the rejected request can be found in the IIS log in addition to the UrlScan log.
There is a special value for RejectResponseUrl that can be used to put UrlScan into "Logging Only Mode." If you set the value of RejectResponseUrl to /~*, UrlScan performs all of the configured scanning and logs the results; however, it allows IIS to serve the page even if it would normally be rejected. This mode is useful if you would like to test UrlScan.ini settings without actually rejecting any requests. Note that the log entries in the UrlScan log file will make clear that requests are not being rejected.
UseFastPathReject: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan ignores the RejectResponseUrl and returns a short 404 response to the client in cases where it rejects a request. This is faster than allowing the full processing of the RejectResponseUrl, but if this option is used, IIS cannot return a custom 404 response or log many parts of the request into the IIS log (the UrlScan log file will still contain complete information about rejected requests).
AllowVerbs Section
The AllowVerbs section contains a list of HTTP verbs (methods). If UseAllowVerbs is set to 1 in the Options section, UrlScan rejects any request containing a verb not explicitly listed here. The entries in this section are case sensitive.
DenyVerbs Section
The DenyVerbs section contains a list of HTTP verbs (methods). If UseAllowVerbs is set to 0 in the Options section, UrlScan rejects any request containing a verb that is listed here. The entries in this section are case insensitive.
DenyHeaders Section
The DenyHeaders section contains a list of request headers. Any request containing a request header listed in this section will be rejected. The entries in this section are case insensitive.
AllowExtensions Section
The AllowExtensions section contains a list of file extensions. If UseAllowExtensions is set to 1 in the Options section, any request containing a URL with an extension not explicitly listed here is rejected. The entries in this section are case insensitive. Note that you can specify extension-less requests (for example, requests for a default page or a directory listing) by adding an empty extension using a dot and no trailing characters.
DenyExtensions Section
The DenyExtensions section contains a list of file extensions. If UseAllowExtensions is set to 0 in the Options section, any request containing a URL with an extension listed here is rejected. The entries in this section are case insensitive. You can specify extension-less requests (for example, requests for a default page or a directory listing) by adding an empty extension using a dot and no trailing characters.
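A simplified model of the checks described in the Options, AllowVerbs/DenyVerbs and AllowExtensions/DenyExtensions sections, added here as an example; it is not UrlScan's own code. The UrlScan.ini text is a constructed sample, the names load_ini, extension_of and scan are this example's own, and it applies the documented rules (case-sensitive allow verbs versus case-insensitive deny verbs, the extension-after-the-last-dot rule, AllowDotInPath, AllowHighBitCharacters and the VerifyNormalization double-encoding check) to the raw URL rather than to the form IIS normalizes.

```python
import configparser
import re
from urllib.parse import unquote

# Constructed sample, laid out like the documented UrlScan.ini sections.
SAMPLE_INI = """
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
AllowDotInPath=0
AllowHighBitCharacters=0
VerifyNormalization=1
[AllowVerbs]
GET
HEAD
[DenyVerbs]
[AllowExtensions]
.htm
.
[DenyExtensions]
"""

def load_ini(text):
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep case: AllowVerbs entries are case sensitive
    cp.read_string(text)
    return cp

def extension_of(url):  # text after the last '.' of the path, up to the next '/'; '.' if none
    path = url.split("?", 1)[0]
    i = path.rfind(".")
    return "." if i < 0 else re.match(r"[^/]*", path[i:]).group(0)

def scan(cp, verb, url):  # None if the request passes, else the rejection reason
    opt, path = cp["Options"], url.split("?", 1)[0]
    if opt.get("UseAllowVerbs", "1") == "1":
        if verb not in cp["AllowVerbs"]:            # case sensitive
            return "verb not in AllowVerbs"
    elif verb.upper() in {v.upper() for v in cp["DenyVerbs"]}:
        return "verb in DenyVerbs"                   # case insensitive
    if opt.get("AllowHighBitCharacters", "0") == "0" and any(ord(c) > 127 for c in url):
        return "high bit character in URL"
    if opt.get("VerifyNormalization", "1") == "1" and re.search(r"%[0-9a-fA-F]{2}", unquote(url)):
        return "double encoding in URL"              # e.g. %252e -> %2e -> .
    if opt.get("AllowDotInPath", "0") == "0" and path.count(".") > 1:
        return "multiple dots in path"
    ext = extension_of(url).lower()
    if opt.get("UseAllowExtensions", "0") == "1":
        if ext not in {e.lower() for e in cp["AllowExtensions"]}:
            return "extension not in AllowExtensions"
    elif ext in {e.lower() for e in cp["DenyExtensions"]}:
        return "extension in DenyExtensions"
    return None
```

Running scan(load_ini(SAMPLE_INI), "GET", "/path/TrueURL.asp/BogusPart.htm") shows why AllowDotInPath matters: extension_of reports ".htm" for that URL, so only the multiple-dot rule catches it.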
Files Created by UrlScan
UrlScan may create the following files in the directory that contains UrlScan.dll:
UrlScan.log: Logs UrlScan activity, including initialization and shutdown, and details for any request that is rejected by UrlScan.
UrlScan.ini: Contains the configuration options used by UrlScan.