Urlscan 2.5 question
    Urlscan 2.5 question  
winsysadmin
07-14-06 06:19 PM

Will installing Urlscan on IIS 4 & IIS 5 servers protect them from
Trace/Track vulnerabilities by default or do I need to configure Urlscan to
do this?

Thanks!

    Re: Urlscan 2.5 question  
David Wang [Msft]

07-15-06 06:21 AM

Depends on the configuration specified in URLScan.ini.

I suggest you read it and determine for yourself. You will have to do this
because you must know:
1. Exact resource that you are trying to secure
2. What vectors are able to attack that resource
3. What knobs can be tweaked in what way to address the vector

You have to take responsibility to know and configure all of them. Security
is a journey, not a destination.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"winsysadmin" <winsysadmin@discussions.microsoft.com> wrote in message
news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from
> Trace/Track vulnerabilities by default or do I need to configure Urlscan
> to
> do this?
>
> Thanks!

    Re: Urlscan 2.5 question  
Bernard Cheah [MVP]

07-15-06 12:23 PM

What kind of Trace/Track vulnerabilities ?

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"winsysadmin" <winsysadmin@discussions.microsoft.com> wrote in message
news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from
> Trace/Track vulnerabilities by default or do I need to configure Urlscan
> to
> do this?
>
> Thanks!

    Re: Urlscan 2.5 question  
karl levinson, mvp

07-16-06 06:19 PM

"winsysadmin" <winsysadmin@discussions.microsoft.com> wrote in message
news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from
> Trace/Track vulnerabilities by default or do I need to configure Urlscan
> to
> do this?

I don't think there is one single default.  I believe there are several,
ones for OWA on Exchange server, etc., so that you could get different
default settings depending on how you install URLScan.

After installing urlscan, edit the urlscan.ini and read the sections on
[blockverbs] and [allowverbs].  Only one of those two sections is active at
a time, depending on the UseAllowVerbs setting in that file.

http://support.microsoft.com/Default.aspx?kbid=326444
http://securityadmin.info/faq.asp?urlscan

According to the first article above, it appears that AllowVerbs is the
default.  So if Trace and Track are not in the AllowVerbs section, and I
expect that they would probably not be,

Trace and Track are largely theoretical vulnerabilities.  Unless there is a
known unpatched exploit against them, and I'm not sure there are any at the
moment, they usually only give a small amount of information, not remote
compromise of the server.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info

    Re: Urlscan 2.5 question  
Wade A. Hilmo [MS]

07-17-06 06:19 PM

Hello,

UrlScan does have a single default that is built into the dll.  The built-in
defaults are the same values that exist in the UrlScan.ini file that
installs with the UrlScan installer at the following location:

http://www.microsoft.com/technet/se...ls/urlscan.mspx

To answer the original question, by default, UseAllowVerbs is 1, and the
[AllowVerbs] section contains GET, HEAD, and POST.  Based on these settings,
UrlScan will reject any TRACE or TRACK requests, as well as any other HTTP
verbs other than GET, HEAD, or POST.

The other flavors of UrlScan configuration (such as OWA) that you refer to
below are part of the Lockdown tool installer.  They apply non-default
configuration settings that are appropriate to the template chosen.  The
Lockdown tool is only related to UrlScan as an installer.  UrlScan was
developed before and completely independent of the Lockdown tool.

I hope this helps to clarify.

Thank you,
-Wade A. Hilmo,
-Microsoft

"karl levinson, mvp" <levinson_k@securityadmin.info> wrote in message
news:OGFQObNqGHA.4924@TK2MSFTNGP04.phx.gbl...
> "winsysadmin" <winsysadmin@discussions.microsoft.com> wrote in message
> news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com... 
>
> I don't think there is one single default.  I believe there are several,
> ones for OWA on Exchange server, etc., so that you could get different
> default settings depending on how you install URLScan.
>
> After installing urlscan, edit the urlscan.ini and read the sections on
> [blockverbs] and [allowverbs].  Only one of those two sections is active at
> a time, depending on the UseAllowVerbs setting in that file.
>
> http://support.microsoft.com/Default.aspx?kbid=326444
> http://securityadmin.info/faq.asp?urlscan
>
> According to the first article above, it appears that AllowVerbs is the
> default.  So if Trace and Track are not in the AllowVerbs section, and I
> expect that they would probably not be,
>
> Trace and Track are largely theoretical vulnerabilities.  Unless there is a
> known unpatched exploit against them, and I'm not sure there are any at the
> moment, they usually only give a small amount of information, not remote
> compromise of the server.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info
>
>
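The two posts above (Karl's description of the UseAllowVerbs switch choosing between the allow list and the deny list, and Wade's statement of the shipped defaults) describe a small decision procedure. The following is an added example written for this thread, not UrlScan's own code and not something Microsoft published: it parses a UrlScan.ini fragment and reports, for a list of request lines, which HTTP verbs the filter would let through. The section names [Options], [AllowVerbs] and [DenyVerbs] and the UseAllowVerbs setting are the real UrlScan.ini names; the two .ini fragments and the request lines are constructed here, and comparing verbs case-insensitively is an assumption of this example, not a claim about UrlScan's own matching.

```python
"""Emulate UrlScan's verb filter from a UrlScan.ini fragment.

Added example for this thread; not UrlScan itself. Only the verb sections
are modelled, nothing else in the .ini is interpreted.
"""
import configparser

# Constructed sample mirroring the defaults Wade describes: UseAllowVerbs=1
# and GET/HEAD/POST in [AllowVerbs]. The [DenyVerbs] entries are illustrative.
DEFAULT_INI = """
[Options]
UseAllowVerbs=1
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
TRACE
"""

# Constructed "deny list" variant: an admin flipped UseAllowVerbs to 0 but
# only listed PROPFIND, so TRACE and TRACK are no longer rejected.
LAX_INI = """
[Options]
UseAllowVerbs=0
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
"""

# Constructed request lines, one per verb we want a verdict on.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "TRACE / HTTP/1.1",
    "TRACK / HTTP/1.1",
    "POST /exchange/ HTTP/1.1",
]


def load_verb_policy(ini_text):
    """Return the verb policy: which list is active and its contents."""
    cp = configparser.ConfigParser(
        allow_no_value=True,      # verb sections are bare names, no '='
        delimiters=("=",),
        interpolation=None,
        strict=False,             # tolerate a verb listed twice
    )
    cp.optionxform = str          # keep option names as written
    cp.read_string(ini_text)
    use_allow = cp.get("Options", "UseAllowVerbs", fallback="1").strip() == "1"
    allow = {v.upper() for v in cp.options("AllowVerbs")} if cp.has_section("AllowVerbs") else set()
    deny = {v.upper() for v in cp.options("DenyVerbs")} if cp.has_section("DenyVerbs") else set()
    return {"use_allow_verbs": use_allow, "allow": allow, "deny": deny}


def verb_allowed(policy, verb):
    """Apply the active list. Assumption: verbs compared case-insensitively."""
    v = verb.upper()
    if policy["use_allow_verbs"]:
        return v in policy["allow"]       # allow list: anything unlisted is rejected
    return v not in policy["deny"]        # deny list: anything unlisted passes


def request_verdicts(policy, raw_requests):
    """Map each request line's verb to True (passes) or False (rejected)."""
    verdicts = {}
    for raw in raw_requests:
        verb = raw.split(" ", 1)[0]
        verdicts[verb] = verb_allowed(policy, verb)
    return verdicts


if __name__ == "__main__":
    for label, ini in (("default", DEFAULT_INI), ("lax deny-list", LAX_INI)):
        print(label, request_verdicts(load_verb_policy(ini), SAMPLE_REQUESTS))
```

Under the default fragment only GET and POST pass; TRACE and TRACK are rejected because they are absent from [AllowVerbs]. Under the lax fragment both pass, which is the practical caveat behind Karl's point that only one list is active: if you switch to UseAllowVerbs=0, every verb you want blocked, TRACK included, has to be named in [DenyVerbs].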
