How to disable HTTP trace in IIS 5

How to disable HTTP trace in IIS 5

am 12.04.2007 05:24:01 von yklee

i'm not familiar with iis or http and its jargon. my iis5 server (windows
2000 sp4) is currently hosting our website & owa. it is a requirement to
ensure that the http trace is disabled on the server. i have try but still
could not understand what or how to configure the urlscan.ini to just disable
the http trace, without affecting any other things. i know in ii6 (windows
2003), i can do that through the registry. is there any reference document or
anyone that can enlighten or guide me on how to go about it in iis5 (windows
2000 sp4).

Re: How to disable HTTP trace in IIS 5

am 12.04.2007 05:32:52 von Ken Schaefer

You can use URLScan to block HTTP Trace verb

http://support.microsoft.com/?id=326444
How to configure the URLScan Tool

If you just want to deny trace verb, then in the [DenyVerbs] section add
"Trace". Alternatively if you want to use [AllowVerbs] then you need to add
every verb you want to allow (e.g GET, POST, HEAD) and you don't need to do
anything else (since everything else is denied by default)

Cheers
Ken

"yklee" wrote in message
news:62E598D1-44E3-4CF1-B33A-D789D3A9C47C@microsoft.com...
> i'm not familiar with iis or http and its jargon. my iis5 server (windows
> 2000 sp4) is currently hosting our website & owa. it is a requirement to
> ensure that the http trace is disabled on the server. i have try but still
> could not understand what or how to configure the urlscan.ini to just
> disable
> the http trace, without affecting any other things. i know in ii6
> (windows
> 2003), i can do that through the registry. is there any reference document
> or
> anyone that can enlighten or guide me on how to go about it in iis5
> (windows
> 2000 sp4).

Re: How to disable HTTP trace in IIS 5

am 12.04.2007 10:40:04 von yklee

currently i do not use urlscan on my web server. can i just use the urlscan
to deny the trace verb without denying what's running in my web server? can i
do that by removing the entries that i don't need in the urlscan.ini?

"Ken Schaefer" wrote:

> You can use URLScan to block HTTP Trace verb
>
> http://support.microsoft.com/?id=326444
> How to configure the URLScan Tool
>
> If you just want to deny trace verb, then in the [DenyVerbs] section add
> "Trace". Alternatively if you want to use [AllowVerbs] then you need to add
> every verb you want to allow (e.g GET, POST, HEAD) and you don't need to do
> anything else (since everything else is denied by default)
>
> Cheers
> Ken
>
> "yklee" wrote in message
> news:62E598D1-44E3-4CF1-B33A-D789D3A9C47C@microsoft.com...
> > i'm not familiar with iis or http and its jargon. my iis5 server (windows
> > 2000 sp4) is currently hosting our website & owa. it is a requirement to
> > ensure that the http trace is disabled on the server. i have try but still
> > could not understand what or how to configure the urlscan.ini to just
> > disable
> > the http trace, without affecting any other things. i know in ii6
> > (windows
> > 2003), i can do that through the registry. is there any reference document
> > or
> > anyone that can enlighten or guide me on how to go about it in iis5
> > (windows
> > 2000 sp4).
>
>

Re: How to disable HTTP trace in IIS 5

am 12.04.2007 15:39:22 von Ken Schaefer

Yes, you can do that.

I don't believe that IIS 5.0 has any inbuilt ability to "disable" any HTTP
verbs (except for ISAPI extensions, where you can choose which verbs are
permitted). URLScan is a high priority ISAPI filter, so it can load before
anything else, and you can block TRACE verb there.

You can, if you want, remove all other entries, and that will only block
trace. Please read the instructions in the KB article posted first though!

Cheers
Ken


"yklee" wrote in message
news:814DDBEF-7438-4F4C-B8F2-331BBEFE838D@microsoft.com...
> currently i do not use urlscan on my web server. can i just use the
> urlscan
> to deny the trace verb without denying what's running in my web server?
> can i
> do that by removing the entries that i don't need in the urlscan.ini?
>
> "Ken Schaefer" wrote:
>
>> You can use URLScan to block HTTP Trace verb
>>
>> http://support.microsoft.com/?id=326444
>> How to configure the URLScan Tool
>>
>> If you just want to deny trace verb, then in the [DenyVerbs] section add
>> "Trace". Alternatively if you want to use [AllowVerbs] then you need to
>> add
>> every verb you want to allow (e.g GET, POST, HEAD) and you don't need to
>> do
>> anything else (since everything else is denied by default)
>>
>> Cheers
>> Ken
>>
>> "yklee" wrote in message
>> news:62E598D1-44E3-4CF1-B33A-D789D3A9C47C@microsoft.com...
>> > i'm not familiar with iis or http and its jargon. my iis5 server
>> > (windows
>> > 2000 sp4) is currently hosting our website & owa. it is a requirement
>> > to
>> > ensure that the http trace is disabled on the server. i have try but
>> > still
>> > could not understand what or how to configure the urlscan.ini to just
>> > disable
>> > the http trace, without affecting any other things. i know in ii6
>> > (windows
>> > 2003), i can do that through the registry. is there any reference
>> > document
>> > or
>> > anyone that can enlighten or guide me on how to go about it in iis5
>> > (windows
>> > 2000 sp4).
>>
>>