UrlScan
UrlScan is an�IIS feature which uses an ISAPI filter to process http requests sent to�the OWA website. Every request first passes through this filter before the request is processed by Exchange Server.�There are predictable patterns within the query string portion and the body of every request transmitted to the Options panel. The predictable patterns can be used to selectively deny the requests.��
Note�UrlScan will deny every request for accessing or to update Options items or the rules in OWA. These include�requests from legitimate users within the organization. �
To download UrlScan 32bit, visit the following Microsoft website:
To download UrlScan 64bit, visit the following Microsoft website:
For more information about UrlScan, visit the following Microsoft website:
How to disable the Options panel in Exchange Server 2007
Installation
You have to set up UrlScan�as a filter for the OWA website. For more information about how to set up UrlScan, visit the following website:�
After you install UrlScan, the ISAPI filter on your computer resembles the following:
The�UrlScan.ini File Setting
Set the UrlScan.ini file with the settings shown underneath. All the strings specified in �DenyOWAOptions� are searched in the URL and query string. If they occur, the request is denied by IIS.
[Options]
UseAllowVerbs=0
AllowDotInPath=1�
RuleList=BlockOptionsInOWA
[BlockOptionsInOWA]
ScanURL=1
ScanQueryString=1
DenyDataSection=DenyOWAOptions
[DenyOWAOptions]
ae=Options
ns=Options
ns=RulesOptions
ns=JunkEmail
ns=DumpsterListView
End-user Experience
After you install UrlScan and configure the settings, users can log on to OWA as the following picture shows:�
However, when a user clicks on the
Options�button on the upper-right corner, the user receives the following 403 error message:
Administrative Tasks
The UrlScan install directory also has a log file that contains the details of which requests were blocked and the reason for blocking. For example, you may see some information resembles the following information in the log file:
2010-07-16 23:50:23 157.56.147.48 1 GET /owa/?ae=Options&opturl=Messaging Rejected rule+'BlockOptionsInOWA'+triggered query+string - ae=options
The administrator can use standard IIS log parsing tools, such as LogParser, to obtain more information and statistics about the logs. For more information about how to query these logs, visit the following website:
How to disable the Options panel in Exchange Server 2003
UrlScan cannot be used in Exchange Server 2003 to disable the Options panel or the Rules panel.�