Known Issues
The default configuration of the IIS Lockdown Wizard is
based on security settings that allow most Exchange 2000 components'
functionality. For additional information, view the IIS Lockdown Wizard Help
file.
The following sections contain scenarios that you might encounter
and information about how to correct issues that might occur. Each section
refers to a component that might be affected and also specifies the Urlscan.ini
file section that you need to modify. The Urlscan.ini file is located in the
following folder:
WinDir\System32\Inetsrv\Urlscan
General Settings
- Allow Dot In Path. Make sure that this setting is set to "1" to ensure that Outlook Web Access
attachments can be accessed and that earlier-version browsers can use Outlook Web Access.
Earlier-version browsers include Microsoft Internet Explorer 5 for Macintosh
and earlier, Microsoft Internet Explorer 4.x for Windows 95 and earlier,
Microsoft Internet Explorer 4.01 Service Pack 2 for Windows 98 and earlier, and
Netscape Navigator.
This issue also affects public folder management.
Public folder management uses HTTPDAV (similar to Outlook Web Access). You need to make this
change to any servers that contain public folder stores. You do not have to
make this change on computers that administer these folders unless public
folder stores exist on those computers.
Outlook Web Access for Exchange 2000 Server
- File Extensions. By default, .htr files are disabled. If this file type is
disabled, the Outlook Web Access Change Password feature does not function.
For more information about how to hide the Change Password button in Outlook Web Access, see the following article in the Microsoft Knowledge Base:
297121 How to hide the "Change Password" button on the Outlook Web Access Options page
- Deny Url Sequences. In the [DenyUrlSequences] section, sequences that are explicitly
blocked can affect access to Outlook Web Access: any mail item subject or mail
folder name that contains a denied character sequence cannot be accessed. For example, the following folder does not work because the
Projects mailbox folder name ends with a period, so the path contains "./", which is
explicitly denied:
/Server/Exchange/My Folders/Projects./Costings.eml
The following item also does not work, because of the explicit
deny of "..", which prevents directory traversal:
/Server/Exchange/Inbox/My .. message.eml
If you encounter any additional issues when you attempt Outlook Web Access
requests with Urlscan enabled, check the Urlscan.log file for the list of
requests that are being rejected. The location of the Urlscan.log file is:
WinDir\System32\Inetsrv\Urlscan
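The rejection behaviour described above, modelled as an added example (this is not Microsoft's URLScan code and not part of the original article): a request path is checked against the denied sequences, and the function reports which sequence caused the reject so an administrator can match an Urlscan.log entry to the mailbox folder or subject that triggered it. Only the two sequences the article names (".." and "./") are used; the decoding of percent-encoded paths before matching is this example's own choice. The sample paths are the article's two examples plus a constructed folder without the trailing period.

```python
"""Model of the URLScan [DenyUrlSequences] check applied to Outlook Web Access paths.

Constructed example for this article; it is not Microsoft's URLScan code.
It reproduces the behaviour the article describes: a request whose URL
contains a denied character sequence is rejected outright, so an Outlook
Web Access item whose folder name or subject contains ".." or a trailing
period (which yields "./" in the path) cannot be opened through IIS.
"""
from urllib.parse import unquote

# The two sequences the article discusses. A production Urlscan.ini lists
# more; a real audit would read them from the [DenyUrlSequences] section.
DEFAULT_DENY_SEQUENCES = ("..", "./")


def first_denied_sequence(url_path, deny_sequences=DEFAULT_DENY_SEQUENCES):
    """Return the first denied sequence found in url_path, or None if the
    request would pass the check.

    Percent-encoding is decoded before matching so that "My%20..%20message"
    is treated like "My .. message". This decoding step is this example's
    own choice, not a statement about URLScan's internals.
    """
    decoded = unquote(url_path)
    for seq in deny_sequences:
        if seq in decoded:
            return seq
    return None


def explain(url_path, deny_sequences=DEFAULT_DENY_SEQUENCES):
    """Human-readable verdict for correlating with Urlscan.log rejections."""
    seq = first_denied_sequence(url_path, deny_sequences)
    if seq is None:
        return "allowed"
    return "rejected: URL contains %r" % seq


# Constructed request paths. The first two are the article's own examples;
# the third is the same folder without the trailing period.
SAMPLE_PATHS = [
    "/Server/Exchange/My Folders/Projects./Costings.eml",
    "/Server/Exchange/Inbox/My .. message.eml",
    "/Server/Exchange/My Folders/Projects/Costings.eml",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print("%-55s %s" % (path, explain(path)))
```

Run stand-alone, the script prints one verdict per sample path; the first two are rejected and the third is allowed, which is the rename an administrator would see take effect in Urlscan.log.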
Outlook Web Access for Exchange Server 5.5
- Change Password. If you have already run the IIS Lockdown Wizard against your
Exchange Server 5.5 Outlook Web Access server with all of the options selected, restore the
change password functionality as follows:
  - Re-create the Iisadmpwd virtual directory that was deleted. For more information
  about how to re-create the Iisadmpwd virtual directory, see the following article in the Microsoft Knowledge Base:
  301428 Troubleshooting Outlook Web Access from an IIS perspective
  - By default, the mappings for .htr files are also removed. To restore the mappings for .htr files:
    - Start Internet Services Manager.
    - Right-click the Default Web Site, and then click Properties.
    - Click the Home Directory tab, and then click Configuration.
    - Click the .htr mapping, and then click Edit. The IIS Lockdown Wizard updates this mapping to 404.dll. Change
    the mapping to ism.dll.
    - Click OK to close the properties.
  - Check the Urlscan.ini file. Make sure that the .htr extension is in the [AllowExtensions]
  section and that it is removed from the [DenyExtensions] section.
  Note: Make sure that the .htr extension is not in the part of the .ini file labeled
  "Deny infrequently used scripts". For more information, see the "Public Folder Management"
  section of this article.
Instant Messaging
- Allow Verbs. Make sure that "ACL" and "NOTIFY" are added to the [AllowVerbs]
section.
For more information about the verbs that Instant Messaging uses, see the following article in the Microsoft Knowledge Base:
298421 How to interpret Instant Messaging methods and response codes
Public Folder Management
- Deny Extensions. You must remove .com from the [DenyExtensions] section of the
Urlscan.ini file if your internal Domain Name System (DNS) namespace is based on the .com
naming convention.
Fine Tuning Exchange 2000 Servers
This section contains configuration information for the following
components:
- Outlook Web Access
- Exchange System Manager
- Instant Messaging
- Web folders
During installation, the IIS Lockdown Wizard assumes that
multiple services are installed on a single Exchange 2000 server. Therefore, to
further secure your server, you need to edit the configuration file to remove
any extraneous functionality. In most cases, you need to remove verbs in the
[AllowVerbs] section of the Urlscan.ini file. However, it is important that you
make sure that the recommended verbs are included, to ensure appropriate
functionality.
To edit the configuration file, open the Urlscan.ini
file in the following location:
WinDir\System32\Inetsrv\Urlscan
Then modify the Urlscan.ini file based on the Exchange 2000
server role.
If you encounter additional issues when you attempt Outlook Web Access
requests with Urlscan enabled, check the Urlscan.log file for the list of
requests that are being rejected. The default location of the Urlscan.log file
is:
WinDir\System32\Inetsrv\Urlscan
Outlook Web Access
The following is a list of verbs that are required in the
[AllowVerbs] section for Outlook Web Access:
- GET
- POST
- SEARCH
- POLL
- PROPFIND
- BMOVE
- BCOPY
- SUBSCRIBE
- MOVE
- PROPPATCH
- BPROPPATCH
- DELETE
- BDELETE
- MKCOL
Instant Messaging
The following is a list of verbs that are required in the
[AllowVerbs] section for Instant Messaging:
- SUBSCRIBE
- UNSUBSCRIBE
- SUBSCRIPTIONS
- NOTIFY
- POLL
- PROPFIND
- PROPPATCH
- ACL
Public Folder Management
The following is a list of verbs that are required in the
[AllowVerbs] section for public folder management:
- HEAD
- PROPFIND
- SEARCH
- PROPPATCH
- DELETE
- MKCOL
- MOVE
- COPY
- OPTIONS
Web Folders
The following is a list of verbs that are required in the
[AllowVerbs] section for Web folders:
- GET
- PROPFIND
- MOVE
- BCOPY
- DELETE
- BDELETE
- MKCOL
- OPTIONS
- LOCK
- UNLOCK
- PUT
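The per-role verb lists above, together with the .htr, .com and AllowDotInPath requirements from the "Known Issues" sections, can be checked mechanically. The following is an added example, not a Microsoft tool and not part of the original article: it parses a Urlscan.ini, reports verbs a selected set of roles needs but [AllowVerbs] lacks, reports allowed verbs that no selected role needs (the extraneous functionality the article says to remove), and flags the extension and option settings the article calls out. The role-to-verb tables are copied from the article; the sample Urlscan.ini is constructed and deliberately misconfigured so the audit has something to report.

```python
"""Audit a Urlscan.ini against the per-role requirements in this article.

Constructed example for this article; it is not a Microsoft tool. The
role-to-verb tables are the article's own lists. The SAMPLE_INI below is
constructed and deliberately misconfigured so the audit has findings.
"""
import configparser

# Verbs each Exchange 2000 role needs in [AllowVerbs], as listed in the article.
REQUIRED_VERBS = {
    "Outlook Web Access": {"GET", "POST", "SEARCH", "POLL", "PROPFIND", "BMOVE",
        "BCOPY", "SUBSCRIBE", "MOVE", "PROPPATCH", "BPROPPATCH", "DELETE",
        "BDELETE", "MKCOL"},
    "Instant Messaging": {"SUBSCRIBE", "UNSUBSCRIBE", "SUBSCRIPTIONS", "NOTIFY",
        "POLL", "PROPFIND", "PROPPATCH", "ACL"},
    "Public Folder Management": {"HEAD", "PROPFIND", "SEARCH", "PROPPATCH",
        "DELETE", "MKCOL", "MOVE", "COPY", "OPTIONS"},
    "Web Folders": {"GET", "PROPFIND", "MOVE", "BCOPY", "DELETE", "BDELETE",
        "MKCOL", "OPTIONS", "LOCK", "UNLOCK", "PUT"},
}

# Constructed Urlscan.ini fragment (not a file shipped by Microsoft). Entries in
# the list sections are bare names without "=", hence allow_no_value below.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
AllowDotInPath=0

[AllowVerbs]
GET
HEAD
POST
PROPFIND
PROPPATCH
SEARCH
POLL
MOVE
DELETE
MKCOL
PUT
TRACE

[AllowExtensions]
.asp

[DenyExtensions]
.htr
.com
"""


def parse_urlscan_ini(text):
    """Parse Urlscan.ini text. Option names keep their case because verbs and
    extensions are compared literally."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def section_entries(cp, section):
    """Bare entries of a list section such as [AllowVerbs], or an empty set."""
    return set(cp[section]) if cp.has_section(section) else set()


def audit_verbs(cp, roles):
    """Return (missing, extraneous): verbs the selected roles need but
    [AllowVerbs] lacks, and allowed verbs no selected role needs."""
    allowed = section_entries(cp, "AllowVerbs")
    needed = set().union(*(REQUIRED_VERBS[r] for r in roles))
    return sorted(needed - allowed), sorted(allowed - needed)


def audit_extensions_and_options(cp, roles):
    """The article's extension and option checks: .htr allowed and not denied
    for Change Password, .com not denied when public folders are managed in a
    .com DNS namespace, and AllowDotInPath set to 1."""
    findings = []
    allow_ext = section_entries(cp, "AllowExtensions")
    deny_ext = section_entries(cp, "DenyExtensions")
    if "Outlook Web Access" in roles:
        if ".htr" not in allow_ext:
            findings.append(".htr is missing from [AllowExtensions] (Change Password)")
        if ".htr" in deny_ext:
            findings.append(".htr is listed in [DenyExtensions] (Change Password)")
    if "Public Folder Management" in roles and ".com" in deny_ext:
        findings.append(".com is listed in [DenyExtensions] (blocks .com DNS names)")
    if cp.get("options", "AllowDotInPath", fallback="0") != "1":
        findings.append("AllowDotInPath is not 1 (attachments, older browsers, public folders)")
    return findings


def audit(text, roles):
    """Run every check and return a dict a script or test can inspect."""
    cp = parse_urlscan_ini(text)
    missing, extraneous = audit_verbs(cp, roles)
    return {"missing_verbs": missing, "extraneous_verbs": extraneous,
            "findings": audit_extensions_and_options(cp, roles)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI, ["Outlook Web Access", "Public Folder Management"]).items():
        print(key, value)
```

To audit a real server, read the file from WinDir\System32\Inetsrv\Urlscan into `text` and pass only the roles that server actually hosts; the "extraneous" list is then the set of verbs to remove, and the "missing" list the set to add back before restarting IIS.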
Add the following to the Deny URL sequence section:
[DenyURLsequence]: