Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to use URLScan with FrontPage 2002



Summary

Use this step-by-step guide to install and configure the URLScan utility for Microsoft Internet Information Services (IIS). URLScan is an ISAPI filter that screens each incoming HTTP request against the rules in its Urlscan.ini file and rejects requests that do not match them before IIS processes the request. You can download URLScan from the Microsoft Web site by using the steps in this article. After you install and configure URLScan as described here, requests for sensitive FrontPage files and many common attack patterns are rejected before they reach your Web server's handlers.

Downloading and Installing URLScan

To install new software and be able to stop or restart Web services, you need to be logged on to your Web server. Therefore, to install the URLScan utility, log on to your Web server as an administrator, and then follow these steps:
  1. Download the URLScan utility. To do this, visit the following Microsoft Web site:
  2. Click Download Now.
  3. Click Save this program to disk, and then click OK.
  4. Choose your Desktop as the location to save the file, and then click Save.
  5. Quit your browser.
  6. Double-click the Urlscan.exe file.
  7. Read the End-user License Agreement (EULA). If you accept the terms of the EULA, click Yes.
  8. If you are prompted to restart IIS, click Yes.
  9. If you receive a message telling you that installation is completed, click OK.

Modifying the Default URLScan Configuration File

Because the default configuration for URLScan may interfere with FrontPage functionality, you need to make changes that allow FrontPage to work correctly and yet deny access to sensitive FrontPage files. These steps are only a suggestion. For additional information about settings for URLScan, see the "References" section later in this article.
  1. Right-click the Start menu, and then click Explore. Locate the following folder:
    %windir%\system32\inetsrv\urlscan
    where %windir% is your Windows folder (for example, C:\Windows or C:\Winnt).
  2. Right-click the Urlscan.ini file, and then click Copy. Right-click in the folder, and then click Paste. A copy of the file named Copy of Urlscan.ini is created; keep it as a backup of the default configuration.
  3. Double-click the Urlscan.ini file. The file opens in Notepad.
  4. Make the following changes:
    1. In the [options] section, set the following values:
      [options]
      UseAllowVerbs=1          ; use the [AllowVerbs] section
      UseAllowExtensions=0     ; use the [DenyExtensions] section
      NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
      VerifyNormalization=1    ; canonicalize URL twice, reject on change
      AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters 
      AllowDotInPath=0         ; deny dots in path
      EnableLogging=1          ; log activity
      PerDayLogging=1          ; change log files daily
      PerProcessLogging=0      ; do not change log files by process ID
      RemoveServerHeader=0     ; do not remove "Server" header
      AlternateServerName=
      UseFastPathReject=0      ; use RejectResponseUrl or log the request
      RejectResponseUrl=
      AllowLateScanning=1      ; allow URLScan to be loaded low priority
      						
    2. In the [AllowVerbs] section, use the following values only. Do not include other values.
      [AllowVerbs]
      GET     ; allow GET (most Web requests)
      HEAD    ; allow HEAD requests
      OPTIONS ; allow OPTIONS (Web Folders need this)
      POST    ; allow POST (FPSE and HTML forms need this)
      						
    3. In the [DenyHeaders] section, use the following values only. Do not include other values.
      [DenyHeaders]
      If:         ; deny (used with WebDAV)
      Lock-Token: ; deny (used with WebDAV)
      						
    4. In the [DenyExtensions] section set the following values:
      [DenyExtensions]
      .asa     ; deny active server application definition files
      .bat     ; deny batch files
      .btr     ; deny FrontPage dependency files
      .cer     ; deny x509 certificate files
      .cdx     ; deny dynamic channel definition files
      .cmd     ; deny batch files
      .cnf     ; deny FrontPage metadata files
      .com     ; deny server command-line applications
      .dat     ; deny data files
      .evt     ; deny Event Viewer logs
      .exe     ; deny server command-line applications
      .htr     ; deny IIS legacy HTML admin tool
      .htw     ; deny Index Server hit-highlighting
      .ida     ; deny Index Server legacy HTML admin tool
      .idc     ; deny IIS legacy database query files
      .inc     ; deny include files
      .ini     ; deny configuration files
      .ldb     ; deny Microsoft Access Record-Locking Information files
      .log     ; deny log files
      .pol     ; deny policy files
      .printer ; deny Internet Printing Services
      .sav     ; deny backup registry files
      .shtm    ; deny IIS Server Side Includes
      .shtml   ; deny IIS Server Side Includes
      .stm     ; deny IIS Server Side Includes
      .tmp     ; deny temporary files
      						
    5. In the [DenyUrlSequences] section, set the following values:
      [DenyUrlSequences]
      ..         ; deny directory traversals
      ./         ; deny trailing dot on a directory name
      \          ; deny backslashes in URL
      :          ; deny alternate stream access
      %          ; deny escaping after normalization
      &          ; deny multiple CGI processes from running on a single request
      /fpdb/     ; deny browse access to FrontPage database files
      /_private  ; deny FrontPage private files (often form results)
      /_vti_pvt  ; deny FrontPage Web configuration files
      /_vti_cnf  ; deny FrontPage metadata files
      /_vti_txt  ; deny FrontPage text catalogs and indices
      /_vti_log  ; deny FrontPage authoring log files
      						
    6. Because these settings do not use the [DenyVerbs] and [AllowExtensions] sections, no settings for these sections are included in this article. For additional information about these sections of the configuration file, click the following article number to view the article in the Microsoft Knowledge Base:
      307608 Using URLScan on IIS
  5. Save the file and quit Notepad.
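To see what these settings do to a request before you commit them to a live server, the following added example (not code from this article or from URLScan) models the checks that the [options], [AllowVerbs], [DenyHeaders], [DenyExtensions] and [DenyUrlSequences] settings enable, in simplified form. The Urlscan.ini text embedded in it is a constructed subset of the settings above; the exact order and matching rules of the real filter are assumed, and only the path portion of the URL is scanned.

```python
"""Model of the URLScan request screen that the settings above configure.
Added example, not code from the article or from URLScan: a simplified
re-implementation (assumption) of the checks those Urlscan.ini settings
enable, so you can predict which rule rejects a request before restarting IIS."""
from urllib.parse import unquote

# Constructed Urlscan.ini fragment: a subset of the settings listed in the article.
URLSCAN_INI = r"""
[options]
UseAllowVerbs=1          ; use the [AllowVerbs] section
UseAllowExtensions=0     ; use the [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; canonicalize URL before processing
VerifyNormalization=1    ; canonicalize URL twice, reject on change
AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters
AllowDotInPath=0         ; deny dots in path
[AllowVerbs]
GET
HEAD
OPTIONS
POST
[DenyHeaders]
If:
Lock-Token:
[DenyExtensions]
.asa
.exe
[DenyUrlSequences]
..
./
\
:
%
&
/_vti_pvt
"""


def parse_ini(text):
    """Parse the Urlscan.ini subset used here: [section] headers, one entry
    per line, ';' starts a comment. Section names are lower-cased for lookup."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            cfg.setdefault(section, [])
        elif section is not None:
            cfg[section].append(line)
    return cfg


def screen(cfg, verb, url, headers=None):
    """Return None if the request passes, else the rule that rejects it. Checks run
    in the order the article lists them; only the path before '?' is scanned."""
    opts = {k.strip().lower(): v.strip()
            for k, _, v in (e.partition("=") for e in cfg.get("options", []))}
    headers = {h.lower() for h in (headers or {})}
    verb = verb.upper()
    if opts.get("useallowverbs") == "1" and verb not in {
            v.upper() for v in cfg.get("allowverbs", [])}:
        return f"verb '{verb}' not in [AllowVerbs]"
    for denied in cfg.get("denyheaders", []):
        if denied.rstrip(":").lower() in headers:
            return f"header '{denied}' in [DenyHeaders]"
    scanned = url
    if opts.get("normalizeurlbeforescan") == "1":
        scanned = unquote(url)  # one round of %XX decoding, as IIS does
        # A URL that decodes differently a second time was double-encoded:
        # the classic way to smuggle '..' or '\' past a single decode.
        if opts.get("verifynormalization") == "1" and unquote(scanned) != scanned:
            return "URL changes when normalized twice (VerifyNormalization)"
    if opts.get("allowhighbitcharacters") == "0" and any(ord(c) > 127 for c in scanned):
        return "high-bit character in URL (AllowHighBitCharacters=0)"
    path = scanned.split("?", 1)[0]
    if opts.get("allowdotinpath") == "0" and path.count(".") > 1:
        return "more than one '.' in path (AllowDotInPath=0)"
    for seq in cfg.get("denyurlsequences", []):
        if seq.lower() in path.lower():
            return f"URL contains sequence '{seq}' in [DenyUrlSequences]"
    if opts.get("useallowextensions") == "0":
        name = path.rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        if ext in {e.lower() for e in cfg.get("denyextensions", [])}:
            return f"extension '{ext}' in [DenyExtensions]"
    return None


CONFIG = parse_ini(URLSCAN_INI)

if __name__ == "__main__":
    # Constructed requests: FrontPage traffic that must pass, and a few it must stop.
    for verb, url in [("GET", "/default.htm"), ("POST", "/_vti_bin/_vti_aut/author.dll"),
                      ("PUT", "/default.htm"), ("GET", "/_vti_pvt/service.pwd"),
                      ("GET", "/scripts/..%255c../winnt/system32/cmd.exe"),
                      ("GET", "/default.htm::$DATA"), ("GET", "/global.asa")]:
        print(f"{verb:5} {url:45} -> {screen(CONFIG, verb, url) or 'allowed'}")
```

Run it to print which rule rejects each constructed request: a FrontPage authoring POST to /_vti_bin/_vti_aut/author.dll passes, while /_vti_pvt/service.pwd, a double-encoded ..%255c traversal and an alternate data stream request are each rejected by the rule written for them. Because VerifyNormalization runs before the sequence checks, the double-encoded request is reported as a normalization failure rather than as a '..' sequence, which is also the entry you would expect to find in the URLScan log.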

Changing the URLScan Priority (Optional)

The default priority for the URLScan utility in IIS is high. A high priority may interfere with other Internet Server Application Programming Interface (ISAPI) filters that need to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although the information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, refer to the documentation for the ISAPI filter you are using.

NOTE: Before you can complete the following procedure, you need to correctly set the AllowLateScanning=1 setting in the Urlscan.ini file to load URLScan as a low priority filter. To do this, follow the procedure in the "Modifying the Default URLScan Configuration File" section earlier in this article.
  1. Start the Internet Services Manager. To do this, follow the steps appropriate to your version of IIS:
    • In IIS 4.0:
      1. On the Windows Start menu, point to Programs, and then click Windows NT 4.0 Option Pack.
      2. Click Microsoft Internet Information Server.
      3. Select Internet Service Manager.
    • In IIS 5.0:
      1. On the Windows Start menu, point to Programs, and then click Administrative Tools.
      2. Select Internet Services Manager.
    • In IIS 5.1:
      1. On the Windows Start menu, click Control Panel.
      2. Double-click Administrative Tools.
      3. Double-click Internet Information Services.
  2. Right-click your server name, and then click Properties.
  3. Select the WWW Service master properties option, and then click the Edit button.
  4. Click the ISAPI Filters tab.
  5. Click UrlScan, and then click the Down button to move UrlScan below Fpexedll.dll.
  6. Click OK.
  7. Click OK again.

Restarting IIS to Update URLScan

When IIS starts, URLScan is loaded into memory and reads the settings in the Urlscan.ini file. Therefore, you need to restart IIS so that the new configuration settings take effect. To do this, follow the steps appropriate to your version of IIS:
  • In IIS 4.0:
    1. At a command prompt, type the following command:
      NET STOP "IIS Admin Service" /Y
    2. If several dependent services are listed as they are stopped, write down their names so that you can restart these services later.
    3. When you see the following message
      The IIS Admin Service service was stopped successfully.
      restart each IIS service by name. To do this, type the following commands at the command prompt, pressing ENTER after each line:
      NET START "World Wide Web Publishing Service"
      NET START "Simple Mail Transport Protocol (SMTP)"
      NET START "FTP Publishing Service"
    4. Quit the command prompt.
  • In IIS 5.0:
    1. Right-click My Computer, and then click Restart IIS.
    2. Click Restart Internet Services on Your Computer.
    3. Click OK.
  • In IIS 5.1:
    1. Right-click My Computer, point to All Tasks, and then click Restart IIS.
    2. Click Restart Internet Services on Your Computer.
    3. Click OK.
For additional information about restarting IIS services from the command line, click the following article numbers to view the articles in the Microsoft Knowledge Base:
236166 Using NET STOP and NET START Commands to Force IIS Services to Re-Read the Registry
202013 Internet Information Services 5.0 Command-Line Syntax for Iisreset.exe

Troubleshooting

  • The settings listed in the "Modifying the Default URLScan Configuration File" section earlier in this article specify the EnableLogging=1 setting in the [Options] section of the Urlscan.ini file. This causes URLScan to keep a running log of the requests it rejects and the rule that rejected each one. The log file is saved in the same folder as the Urlscan.dll file. If FrontPage or other IIS functionality stops working while URLScan is enabled, review the most recent entries in the log file to see which requests are being rejected and which setting rejected them.
  • If you make further changes to the Urlscan.ini file, create copies of the existing Urlscan.ini file naming the files Urlscan.001, Urlscan.002, and so on, so that you have a history of the changes you have made. This helps prevent losing a good configuration when attempting to implement a new security configuration.
  • If changes you make to URLScan do not seem to take effect, repeat the procedure to restart the IIS services. If the changes still do not take effect, reboot your Web server.
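The following added example (not from the article or from URLScan) shows one way to triage those log entries: it groups rejected requests by reason and URL and records the clients involved, so a FrontPage request that your own [DenyExtensions] or [DenyUrlSequences] settings are rejecting shows up as a repeated entry from one author's machine, distinct from one-off scanner traffic. The log line format, the sample lines and the reject reasons are constructed and assumed; adapt the REJECT pattern to the entries your Urlscan log actually contains.

```python
"""Triage of URLScan reject entries.
Added example, not from the article or from URLScan: it groups the log's
"Request will be rejected" entries by reason and URL so that a FrontPage
request blocked by your own rules stands out from scanner noise. The line
format below is an assumption modelled on URLScan's log entries; adjust
REJECT if your log differs."""
import re
from collections import defaultdict

REJECT = re.compile(
    r"^\[(?P<when>[^\]]+)\] Client at (?P<client>[^:]+): (?P<reason>.+?)\. "
    r"Request will be rejected\. Site Instance='(?P<site>\d+)', Raw URL='(?P<url>[^']*)'$"
)

# Constructed log lines (not real traffic), including one truncated line
# of the kind a log rotated mid-write leaves behind.
SAMPLE_LOG = """\
[02-19-2007 - 10:12:03] Client at 10.0.0.15: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/scripts/../../winnt/system32/cmd.exe'
[02-19-2007 - 10:12:07] Client at 10.0.0.15: URL contains sequence '/_vti_pvt', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_pvt/service.pwd'
[02-19-2007 - 10:13:41] Client at 192.168.5.20: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/shtml.exe/feedback.htm'
[02-19-2007 - 10:13:42] Client at 192.168.5.20: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/shtml.exe/feedback.htm'
[02-19-2007 - 10:15:09] Client at 192.168.5.21: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected. Site Instance='1', Raw URL='/'
[02-19-2007 - 10:15:10] Client at 192.168.5.21: Sent verb 'PROPFIND', which is not specifically allow
"""


def parse_rejects(text):
    """Return one dict per reject entry; lines that do not match are skipped."""
    return [m.groupdict() for m in map(REJECT.match, text.splitlines()) if m]


def summarize(entries):
    """Group rejects by (reason, URL), most frequent first, with the clients involved."""
    groups = defaultdict(lambda: {"count": 0, "clients": set()})
    for e in entries:
        g = groups[(e["reason"], e["url"])]
        g["count"] += 1
        g["clients"].add(e["client"])
    return sorted(
        ({"reason": r, "url": u, "count": g["count"], "clients": sorted(g["clients"])}
         for (r, u), g in groups.items()),
        key=lambda g: (-g["count"], g["url"]))


def frontpage_rejects(summary):
    """Rejected requests under /_vti_bin/, where the FrontPage Server Extensions'
    own programs live: reconcile these against your rules before loosening anything."""
    return [g for g in summary if g["url"].lower().startswith("/_vti_bin/")]


if __name__ == "__main__":
    for g in summarize(parse_rejects(SAMPLE_LOG)):
        print(f"{g['count']:3}  {g['url']:45}  {g['reason']}  clients={','.join(g['clients'])}")
```

In the constructed sample the repeated entry is a FrontPage form handler under /_vti_bin/ rejected by the .exe extension rule from a single author's address, which is the kind of entry to check against the rules above; the traversal attempt, the /_vti_pvt probe and the PROPFIND request are rejections the configuration is meant to produce, and the truncated last line is skipped rather than mis-parsed.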



References

For additional information about installing and configuring the URLScan utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
307608 Using URLScan on IIS
307976 FP: Error Message When You Use FrontPage with URLScan
309508 IIS lockdown and URLscan configurations in an Exchange environment



Keywords: KB318290, kbhowtomaster, kbsetup, kbconfig


Article Info
Article ID : 318290
Revision : 9
Created on : 2/19/2007
Published on : 2/19/2007
Exists online : False
Views : 549