IIS lockdown and URLscan configurations in an Exchange environment

Note This article refers to issues with Exchange 2000 and Exchange Server 5.5 when you apply the IIS lockdown tool version 1.0. Microsoft recommends that you download the latest version of the IIS lockdown tool: For additional information, click the article number below to view the article in the Microsoft Knowledge Base: The Internet Information Services (IIS) security tools, IISlockD and URLscan, must be configured appropriately for Exchange. This article describes the configuration that is required for these tools in Exchange 2000 Server and Exchange Server 5.5 environments. Typical symptoms of incorrect of IISlockD and URLscan configuration include:

• Microsoft Outlook Web Access (OWA). When you gain access to OWA, your mail items, Calendar items, and Contacts may be missing. In addition, if you attempt to gain access to OWA from a browser on the Exchange 2000 server, you may receive the following error message:
  A Runtime Error has occurred.
  Do you wish to Debug?
  Line: 878
  Error: The handle is in the wrong state for the requested operation
• Exchange System Manager. When you try to click to expand the public folder tree in Exchange System Manager, you may receive the following error message:
  The object is no longer available. Press F5 to refresh the display, and then try again.
  ID no: 80040e19
  Exchange System Manager
• Exchange System Manager. When you try to expand the public folder tree in Exchange System Manager, you may receive the following error message:
  The operation failed due an internal server error. c1030af2
• Exchange Instant Messaging. When you try to sign in to Exchange Instant Messaging, you may receive the following error message:
  Signing in to Microsoft Exchange Instant Messaging failed because the service is temporarily unavailable. Please try again later.

This issue can occur because the default configuration of the IISlockD and URLScan security tools assumes that the server is serving static content only. Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs that are not allowed by the default configuration. Exchange Server 5.5 components use Active Server Pages (ASP) that are disabled by default.

Please examine these settings carefully before you apply them to your server. They are designed to allow Exchange 2000 Server and Exchange Server 5.5 to work optimally, but may have other effects which you may not expect. For example, the URLscan INI settings below will affect IIS. If you read the "DenyExtensions" section of the INI settings below, you can see that these settings prevent IIS from serving most forms of content other than static .HTM or .HTML pages.

IIS Lockdown on Exchange 2000 Servers

In Exchange 2000 environments, the lockdown tool does not accommodate Exchange installable file system (IFS) mounted drives (typically drive M). To use the lockdown tool on Exchange 2000 servers:

1. Run IISlockD.exe.
2. Click Advanced Lockdown, and then click Next.
3. The Remove Script Mappings dialog box is displayed:
   1. If the Disable support for Active Server Pages (.asp) check box is selected, the OWA Multimedia button does not function and the Log Off button does not function. The following Microsoft Knowledge Base article describes the process to disable the multimedia button for customers who do not have a unified messaging solution:
      288119 XWEB: How to Disable the Multimedia Button in OWA
      When Active Server Pages (ASP) pages are disabled, unified messaging still functions with the WAV file attachment.
   2. If the Disable support for the .HTR scripting (.htr) check box is selected, the OWA Change Password feature does not function. This OWA feature is disabled by default. The following Knowledge Base article describes the process to hide the Change Password button in OWA:
      297121 XWEB: How to Hide the Change Password Button on the Outlook Web Access Options Page
4. Click Next.
5. The Additional Lockdown Actions dialog box is displayed:
   1. Click to clear the Disable Distributed Authoring and Versioning (WebDAV) check box.
   2. Click to clear the Set file permissions to prevent the IIS anonymous users from writing to content directories check box. This excludes the IIS virtual directories that are mapped to Exchange IFS.
6. Click Next, and then click Yes to complete the lockdown process.

To manually set the file permissions for the IIS anonymous user, set an explicit Deny All Access Control Entry (ACE) for anonymous Web users for each IIS virtual directory:

1. Start the Internet Services Manager Microsoft Management Console (MMC).
2. Click to expand the Default Web Site.
3. For each virtual directory:
   1. Click to select a virtual directory, right-click the virtual directory, and then click Properties.
   2. On the Virtual Directory tab, note the local path.
   3. Start Microsoft Windows Explorer, and then locate the local path folder.
   4. Right-click the folder, and then click Properties.
   5. Click the Security tab.
   6. Click Add.
   7. Click to select the _Web Anonymous Users and _Web Applications accounts, and then click OK.
   8. Click to select the _Web Anonymous Users account, and then deny Full Control ACE.
   9. Click to select the _Web Applications account, and then deny Full Control ACE.
4. Repeat step 3 for each virtual directory, excluding the Exchange and Exadmin virtual roots.

IIS Lockdown on Exchange Server 5.5 Computers

To use the lockdown tool on Exchange Server 5.5 computers:

1. Start IISlockD.exe.
2. Click Advanced Lockdown, and then click Next.
3. The Remove Script Mappings dialog box is displayed
   1. Click to clear the Disable support for Active Server Pages (.asp) check box.
   2. If the Disable support for the .HTR scripting (.htr) check box is selected, the OWA Change Password feature does not function. Click Next.
4. The Additional Lockdown Actions dialog box is displayed.
5. Click Next, and then click Yes to complete the lockdown process.

If you already ran the IIS Lockdown tool against your Exchange Server 5.5 OWA server with all of the options selected, to restore functionality:

• OWA:
  1. Start Internet Services Manager.
  2. Click to expand the Default Web Site, right-click the Exchange virtual directory, and then click Properties.
  3. Click the Virtual Directory tab, and then click Configuration.
  4. Click the .ASP mapping, and then click Edit. The IIS Lockdown tool updates this mapping to 404.dll. Change the mapping to asp.dll. On Microsoft Windows NT 4.0-based computers, add "PUT, DELETE" to the Method Exclusions box. On Microsoft Windows 2000-based computers, make sure that the Limit to check box is selected, and that the Limit to box contains "GET, HEAD, POST, TRACE".
  5. Click OK to close the properties.
• Change Password:
  1. Re-create the Iisadmpwd virtual directory that was deleted.For additional information about how to re-create the Iisadmpwd virtual directory, click the article number below to view the article in the Microsoft Knowledge Base:
     301428 Troubleshooting Outlook Web Access from an IIS Perspective
  2. By default, the mappings for ".htr" files are also removed. Restore the mapping for ".htr" files:
     1. Start Internet Services Manager.
     2. Right-click the Default Web Site, and then click Properties.
     3. Click the Home Directory tab, and then click Configuration.
     4. Click the .htr mapping, and then click Edit. The IIS Lockdown tool updates this mapping to 404.dll. Change the mapping to ism.dll.
     5. Click OK to close the properties.

URLscan on Exchange 2000 Servers

For more information about using Exchange 2003 and URLscan , click the following article number to view the article in the Microsoft Knowledge Base: This section contains URLscan configuration files for the following components:

• OWA
• Exchange System Manager
• Instant Messaging
• Web folders

Please note that after you add the DenyUrlSequences section to the URLScan.ini file, you may not be able to open mail messages via Outlook Web Access (OWA) if the Subject line of the mail message contains these special characters. Administrators should review the URLscan log file in %windir%\system32\inetsrv\urslscan folder for assistance in resolving these issues.

If multiple services are installed on a single server, you need to merge the configuration files to ensure that all of the components continue to function.

Open the Urlscan.ini file in the following location: Modify the Urlscan.ini file based on the Exchange computer role.

If you encounter further difficulties when you attempt HTTP requests with URLScan enabled, check the Urlscan.log file for the list of requests that are being rejected. The default location of the Urlscan.log file is:

OWA

The URLscan configuration file for OWA is as follows (if Change Password functionality is required, you must remove the ".htr" file extension from the Deny Extensions section):

Exchange System Manager for Public Folder Management

The URLscan configuration file for Exchange System Manager management of Public Folders is as follows: Note You can add .com to the DENYEXTENSIONS list if internal Domain Name System (DNS) does not contain .com.

Instant Messaging

The URLscan configuration file for Instant Messaging is as follows:

Web Folders

The URLscan configuration file for Web folders is as follows:

Custom WebDAV Programs

You need to review any custom programs that were developed on the Exchange 2000 store for the list of DAV verbs that are used. Add these verbs to the AllowVerbs section of a URLscan configuration file and apply that file to the servers that host the custom program.

URLscan on Exchange Server 5.5 Computers

Please note that after you add the DenyUrlSequences section to the URLScan.ini file, you may not be able to open mail messages via Outlook Web Access (OWA) if the Subject line of the mail message contains these special characters. Administrators should review the URLscan log file in %windir%\system32\inetsrv\urslscan folder for assistance in resolving these issues.

The URLscan configuration file for OWA is as follows (if Change Password functionality is required, you must remove the ".htr" file extension from the Deny Extensions sections):