urlscan config questions
am 20.03.2007 11:38:03 von Jeff D
Hi,
A few questions about the urlscan utility. I want to apply it to a website
on Windows 2000 SP4 with IIS 5.0. The specific change needed is disabling
HTTP TRACE. I couldn't seem to find these answers elsewhere.
1) There are several sites on the server. How can I apply the urlscan
change(s) to just one of them?
2) Do I strip the .ini file of all sections except [denyverbs]? I don't
want to cause any other changes at all.
3) Since [allowverbs] and [denyverbs] are mutually exclusive, how do I allow
GET, HEAD, and POST while denying HTTP TRACE?
4) Backing out: will uninstalling urlscan reset IIS to its previous settings?
Thanks,
Jeff
Re: urlscan config questions
am 20.03.2007 14:41:15 von Roger Abell
"Jeff D @ PSU" wrote in message
news:3F87E0B4-5DD0-4C95-B4C0-62B5DE72B777@microsoft.com...
> Hi,
>
> A few questions about the urlscan utility. I want to apply it to a
> website
> on Windows 2000 SP4 with IIS 5.0. The specific change needed is disabling
> HTTP TRACE. I couldn't seem to find these answers elsewhere.
>
> 1) There are several sites on the server. How can I apply the urlscan
> change(s) to just one of them?
>
You cannot. You might find some very old archived pages
on the net indicating this is possible, but it is not. Only one
urlscan.ini file is read and applied to all sites that are subjected
to urlscan. You can exempt a site from urlscan by not having
the isapi module listed for the site, but you cannot use urlscan
with multiple sites except with the same settings for them all.
> 2) Do I strip the .ini file of all sections except [denyverbs]? I don't
> want to cause any other changes at all.
>
I have never tried that, but think you probably need to, and
know you should want to, leave more than that in there.
> 3) Since [allowverbs] and [denyverbs] are mutually exclusive, how do I
> allow
> GET, HEAD, and POST while denying HTTP TRACE?
>
State what you want to allow, and anything not listed is not allowed.
Using denyverbs means everything is allowed except the denied.
> 4) Backing out: will uninstalling urlscan reset IIS to its previous
> settings?
>
Urlscan does not change IIS whatsoever, except for naming the dll as
an isapi filter on the sites affected.
Re: urlscan config questions
am 20.03.2007 15:10:00 von JeffDPSU
Thanks, Roger!!
"Roger Abell [MVP]" wrote:
> "Jeff D @ PSU" wrote in message
> news:3F87E0B4-5DD0-4C95-B4C0-62B5DE72B777@microsoft.com...
> > Hi,
> >
> > A few questions about the urlscan utility. I want to apply it to a
> > website
> > on Windows 2000 SP4 with IIS 5.0. The specific change needed is disabling
> > HTTP TRACE. I couldn't seem to find these answers elsewhere.
> >
> > 1) There are several sites on the server. How can I apply the urlscan
> > change(s) to just one of them?
> >
>
> You cannot. You might find some very old archived pages
> on the net indicating this is possible, but it is not. Only one
> urlscan.ini file is read and applied to all sites that are subjected
> to urlscan. You can exempt a site from urlscan by not having
> the isapi module listed for the site, but you cannot use urlscan
> with multiple sites except with the same settings for them all.
>
> > 2) Do I strip the .ini file of all sections except [denyverbs]? I don't
> > want to cause any other changes at all.
> >
> I have never tried that, but think you probably need to, and
> know you should want to, leave more than that in there.
>
> > 3) Since [allowverbs] and [denyverbs] are mutually exclusive, how do I
> > allow
> > GET, HEAD, and POST while denying HTTP TRACE?
> >
> State what you want to allow, and anything not listed is not allowed.
> Using denyverbs means everything is allowed except the denied.
>
> > 4) Backing out: will uninstalling urlscan reset IIS to its previous
> > settings?
> >
> Urlscan does not change IIS whatsoever, except for naming the dll as
> an isapi filter on the sites affected.
Re: urlscan config questions
am 21.03.2007 02:11:02 von David Wang
1. You can apply URLScan per-site, but it is not supported with many
caveats. Unless you know the caveats already, you should not apply per-
site.
URLScan is an ISAPI Filter whose effects apply to whatever website(s)
the filter is configured. Each instance of URLScan reads its
configuration from the same directory as the loaded DLL. The installer
only installs one copy of URLScan.dll and configures it to apply
globally for all websites.
Putting 1+1 together, it means that by default, the installer only
installs one copy of the URLScan.dll at one location and configures it
to apply globally for all websites - hence only one URLScan.ini
setting per server. However, knowing the nature of URLScan.dll, it is
possible to have multiple copies of URLScan.dll in different locations
with different INI files alongside each DLL file, and per-website
configuration of different URLScan DLLs. This is the lowest
granularity - you can't have one URLScan setting for /dir1 and another
set for /dir2 because the same URLScan ISAPI Filter DLL will be loaded
for both dirs of the website, so they will have the same settings
applied.
Of course, this configuration is totally unsupported and no Microsoft
URLScan installer will deal with it, so you have to know what you are
doing. And I haven't even mentioned all the other relevant details...
so you have been warned to attempt this at your own risk! ;-)
2. No. Stripping the .ini file does not do what you want.
URLScan reads configuration for all its settings from the URLScan.ini.
If it does not find a particular setting or if URLScan.ini is missing,
URLScan has a hard-coded set of default values for each of its
features, and the behavior does NOT match "no other changes".
There is no way to install URLScan to simply deny TRACE for one
website and cause no other behavior change. You have to understand and
configure all its features appropriately - the defaults favor security
over functionality. This is consistent with security practices since
it is pointless to put a guard dog by the front door if the back door
is still wide open.
3. Your question is ambiguous. You stated you want to allow GET, HEAD,
POST and deny TRACE, but what about PROPFIND? MOVE? DEBUG? BAD-VERB?
[allowverbs] means "allow the following and deny all else"
[denyverbs] means "deny the following and allow all else"
This is documented within URLScan.ini
If you want to just deny TRACE and allow everything else, then you
choose [denyverbs]=TRACE
If you want to allow GET, HEAD, POST and deny all else (including
TRACE), then choose [allowverbs]=GET,HEAD,POST
4. URLScan does not alter any other IIS settings (other than ISAPI
Filters configuration), so it is completely context-free to uninstall/
reinstall.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Mar 20, 3:38 am, Jeff D @ PSU
P...@discussions.microsoft.com> wrote:
> Hi,
>
> A few questions about the urlscan utility. I want to apply it to a website
> on Windows 2000 SP4 with IIS 5.0. The specific change needed is disabling
> HTTP TRACE. I couldn't seem to find these answers elsewhere.
>
> 1) There are several sites on the server. How can I apply the urlscan
> change(s) to just one of them?
>
> 2) Do I strip the .ini file of all sections except [denyverbs]? I don't
> want to cause any other changes at all.
>
> 3) Since [allowverbs] and [denyverbs] are mutually exclusive, how do I allow
> GET, HEAD, and POST while denying HTTP TRACE?
>
> 4) Backing out: will uninstalling urlscan reset IIS to its previous settings?
>
> Thanks,
>
> Jeff
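As an added example (not code from this thread and not part of URLScan itself), the Python below does two things a practitioner would want after reading David's answer to question 3: it models how URLScan picks between [AllowVerbs] and [DenyVerbs] (the UseAllowVerbs switch in the [options] section of urlscan.ini selects the list; the allow list rejects anything not named, the deny list accepts anything not named), and it classifies the raw HTTP reply to a TRACE request so you can confirm from outside the box that TRACE is really gone. The urlscan.ini fragments and HTTP responses are constructed samples, the hard-coded fallback for a missing UseAllowVerbs follows the shipped urlscan.ini comment (default 1), and `send_trace` is the only part that touches the network; it runs only when a host is given on the command line.

```python
"""Model URLScan verb filtering and check a server's TRACE handling."""
import configparser
import socket
import sys

# Constructed urlscan.ini fragments (only the verb-related sections).
# Both list the same verbs; only UseAllowVerbs differs.
INI_DENY_TRACE_ONLY = """
[options]
UseAllowVerbs=0        ; use [DenyVerbs]: everything else is let through

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACE
"""

INI_ALLOW_LIST = """
[options]
UseAllowVerbs=1        ; use [AllowVerbs]: everything else is rejected

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACE
"""


def load_verb_policy(ini_text):
    """Return (use_allow_list, allow_set, deny_set) from urlscan.ini text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   inline_comment_prefixes=(";",), strict=False)
    cp.optionxform = str  # keep verbs as written; we normalise case ourselves
    cp.read_string(ini_text)
    # Shipped urlscan.ini documents UseAllowVerbs=1 as the default (assumption
    # that a missing key behaves the same way, as David's reply describes).
    use_allow = cp.getboolean("options", "UseAllowVerbs", fallback=True)
    allow = {v.upper() for v in cp["AllowVerbs"]} if cp.has_section("AllowVerbs") else set()
    deny = {v.upper() for v in cp["DenyVerbs"]} if cp.has_section("DenyVerbs") else set()
    return use_allow, allow, deny


def verb_allowed(policy, verb):
    """True if URLScan would pass the verb under the given policy."""
    use_allow, allow, deny = policy
    verb = verb.upper()
    if use_allow:
        return verb in allow       # allow list: anything not listed is rejected
    return verb not in deny        # deny list: anything not listed is accepted


def send_trace(host, port=80, path="/", timeout=5.0):
    """Send one TRACE request and return the raw response bytes (network)."""
    req = (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
           f"Connection: close\r\nX-Probe: urlscan-check\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def trace_probe_verdict(raw_response):
    """Classify a raw HTTP response to TRACE: enabled, blocked or inconclusive."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # A working TRACE echoes the request back as message/http with 200.
    if status == 200 and headers.get(b"content-type", b"").startswith(b"message/http"):
        return "TRACE enabled"
    # URLScan answers rejected requests with 404 by default; other filters
    # or servers typically use 403, 405 or 501.
    if status in (403, 404, 405, 501):
        return "TRACE blocked"
    return "inconclusive"


# Constructed sample responses (not captured from a real server).
SAMPLE_TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                     b"Content-Type: message/http\r\n\r\n"
                     b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
SAMPLE_URLSCAN_REJECT = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
                         b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, ini in (("DenyVerbs=TRACE", INI_DENY_TRACE_ONLY), ("AllowVerbs", INI_ALLOW_LIST)):
        pol = load_verb_policy(ini)
        print(label, {v: verb_allowed(pol, v) for v in ("GET", "TRACE", "PROPFIND", "DEBUG")})
    if len(sys.argv) > 1:
        print(trace_probe_verdict(send_trace(sys.argv[1])))
```

Running it without arguments prints the two policies side by side: with the deny list PROPFIND and DEBUG are still accepted, which is the point of David's "what about PROPFIND? MOVE? DEBUG?"; with the allow list only GET, HEAD and POST survive. Run it with a hostname to probe a real site, and remember that a 404 from URLScan looks like any other 404, so the verdict is only as good as your knowledge of what sits in front of the server.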