NormalizeUrlBeforeScan = 0 - Impact in SSL environment
Richard 2004-12-04, 6:03 pm
Our OWA front-end servers that are in the DMZ have Verisign certificates and
users log in using only SSL authentication.
In this situation can we safely have NormalizeUrlBeforeScan=0, since no other
attacker could log in to the OWA server to view the URLs of our domain/directories?
Of course someone within the organization can be an attacker, but with the IP address we
can catch him.
I'm new to this URLScan concept and all I need is to unblock + so users can
read emails with + in the subject field.
I've been trying to resolve this for a couple of days and so far I have yet to
receive any help.
Thanks for your input in advance.

Miha Pihler 2004-12-04, 6:03 pm
Hi Richard,
Microsoft has a few articles on applying URLScan to an Exchange server that
should help you out.
Fine-tuning and known issues when you use the Urlscan utility in an Exchange
2003 environment
http://support.microsoft.com/defaul...kb;en-us;823175 (this article
includes a sample URLScan.ini file that works with OWA)
The URLScan tool may cause problems in Outlook Web Access
http://support.microsoft.com/kb/325965
I hope this helps,
Mike

Richard 2004-12-04, 6:03 pm
Thanks Mike.
I have looked at all the forums and MS articles before I posted this
message about 'if it's safe to turn off normalization in SSL environments'.
There is no way I can turn off "+" in 'DenyUrlSequences' without turning off
NormalizeUrlBeforeScan; it's because URLScan looks at 'DenyUrlSequences' AFTER
it normalizes. So I want some input to see if I can turn off normalization,
particularly in SSL environments where it's comparatively safer and no
attacker logs in without SSL authentication.
The article you mentioned has only the 'AllowVerbs' section of urlscan.ini for
Exchange OWA.
I tried all the templates that have 'DenyUrlSequences'; it looks like:
[DenyUrlSequences]
..   ; Do not permit directory traversals.
./   ; Do not permit trailing dot on a directory name.
\    ; Do not permit backslashes in URL.
%    ; Do not permit escaping after normalization.
&    ; Do not permit multiple Common Gateway Interface processes to run on a single request.
But I believe this does NOT help me allow "+" characters so long as normalization is
turned off.
It seems there is no solution to unblock the + character. :-(

Miha Pihler 2004-12-05, 2:47 am
Microsoft is quite specific when it comes to the + sign:
**************************************
; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with URLScan installed may need to modify the "VerifyNormalization=1"
; option in this template to be "VerifyNormalization=0" if they encounter a "404" error when attempting to open messages or items that contain
; the "+" symbol in the subject or name.
**************************************
Mike

Richard 2004-12-05, 5:51 pm
Mike,
I appreciate you narrowing it down to exactly what I need.
I didn't quite understand, though, what Microsoft is quite specific on when
it comes to + (do you have any article)?
Also I need the web page or MS article number where you took the "NOTE" excerpt
from, to show my managers to get approval to set "VerifyNormalization" to 0.
Thanks again for your help!

Miha Pihler 2004-12-05, 5:51 pm
http://support.microsoft.com/defaul...kb;en-us;823175
Mike

Wade A. Hilmo [MS] 2004-12-06, 5:51 pm
Hi Mike and Richard,
I'd just like to add one thing here and point out that you should not ever
set NormalizeUrlBeforeScan=0 on a production web server.
To see the reason why, see my post from April 29, 2003 at 10:47 am in
the following thread. Note that Google is currently making some changes
to their Usenet archives, so you may need to search through the page to find
the specific post that I made.
http://groups-beta.google.com/group...%26&_doneTitle=Back+to+Search&&d#80dcec944fcc2c0c
Thank you,
-Wade A. Hilmo,
-Microsoft
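To make Wade's warning concrete, here is an added example (my own code, not URLScan's or Microsoft's) that models how [DenyUrlSequences] is applied with NormalizeUrlBeforeScan on and off, using the template entries Richard posted. The urlscan.ini fragments and the sample OWA URLs are constructed for the example; the normalizer is a single round of percent-decoding standing in for IIS, so it reproduces only the encoding bypass that scanning the raw URL allows, not the "+" 404 that Microsoft's note describes.

```python
"""Toy model of URLScan's DenyUrlSequences check under the two settings
argued about in this thread. Added illustration only; not URLScan's code.
The normalizer is a simplified stand-in for IIS (one round of
percent-decoding), enough to show why scanning the raw URL is unsafe."""
import configparser
from urllib.parse import unquote

# Constructed urlscan.ini fragments (not from the KB article or the thread).
# SAFE_INI follows the Microsoft note quoted above: keep normalization on
# and relax only VerifyNormalization.  RISKY_INI is what Richard proposed.
SAFE_INI = "[Options]\nNormalizeUrlBeforeScan=1\nVerifyNormalization=0\n"
RISKY_INI = "[Options]\nNormalizeUrlBeforeScan=0\nVerifyNormalization=0\n"
STRICT_INI = "[Options]\nNormalizeUrlBeforeScan=1\nVerifyNormalization=1\n"

# The [DenyUrlSequences] entries from the template Richard posted.
DENY_SEQUENCES = ["..", "./", "\\", "%", "&"]


def normalize(url: str) -> str:
    """One round of percent-decoding, standing in for IIS normalization."""
    return unquote(url)


def scan(ini_text: str, raw_url: str, deny=DENY_SEQUENCES):
    """Return (allowed, reason) for raw_url under the given [Options]."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is data here
    cfg.read_string(ini_text)
    opts = cfg["Options"]
    normalize_first = opts.getboolean("NormalizeUrlBeforeScan", fallback=True)
    verify = opts.getboolean("VerifyNormalization", fallback=True)

    once = normalize(raw_url)
    if verify and normalize(once) != once:
        # A URL that still decodes after one pass was encoded more than once.
        return False, "VerifyNormalization: URL is double-encoded"

    # This is the whole argument: with NormalizeUrlBeforeScan=0 the deny
    # list is compared against the bytes the client sent, not the path IIS
    # will actually resolve.
    candidate = once if normalize_first else raw_url
    for seq in deny:
        if seq.lower() in candidate.lower():
            return False, f"DenyUrlSequences: {seq!r} matched in {candidate!r}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests: a normal OWA item, an item whose subject
    # has a browser-encoded space, and an encoded traversal attempt.
    item = "/exchange/richard/Inbox/Budget+Q4.EML"
    spaced = "/exchange/richard/Inbox/Status%20Report.EML"
    attack = "/exchange/richard/%2e%2e/%2e%2e/protected/file.asp"
    for ini_name, ini in ("SAFE", SAFE_INI), ("RISKY", RISKY_INI):
        for url in (item, spaced, attack):
            print(ini_name, url, scan(ini, url))
    # Raw-URL scanning only stops the traversal because the '%' rule rejects
    # every escape, including the legitimate %20 above.  Drop '%' to make
    # OWA usable again and the traversal goes through unnormalized.
    print("RISKY, no % rule:", scan(RISKY_INI, attack, deny=["..", "./", "\\", "&"]))
    print("STRICT, double-encoded:", scan(STRICT_INI, "/exchange/%252e%252e/x"))
```

Note what the SSL argument does not change: the encoded traversal arrives over the same authenticated TLS session as any other OWA request, so the transport says nothing about what URLScan compares against. Keeping NormalizeUrlBeforeScan=1 and changing only VerifyNormalization, as the quoted Microsoft note suggests, keeps the "..", "./" and "%" rules meaningful.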