URLSCan and IIS Lockdown Wizard


Topic Last Modified: 2006-09-14

You must secure IIS before you expose servers to the Internet by turning off all features and services except those that are required. In Windows 2003 Server, many IIS features are already disabled unless required by the server. On Microsoft Windows 2000 Server, download and run the IIS Lockdown Wizard.

For information about how to install and use IIS Lockdown Wizard, see Microsoft Knowledge Base article 325864, "HOW TO: Install and Use the IIS Lockdown Wizard."

The IIS Lockdown Tool (version 2.1) is available at http://go.microsoft.com/fwlink/?linkid=12281.

To maximize the security of your Exchange servers, apply all the required updates before and after applying IIS Lockdown Wizard. The updates ensure that servers remain protected against known security vulnerabilities.

The IIS Lockdown Wizard helps you disable unnecessary IIS 5.0 features and services based on the type of server software you are running. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains URLScan, which analyzes HTTP requests as IIS receives them and rejects any suspicious requests.

IIS Lockdown Wizard also contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run IIS Lockdown Wizard, select the Exchange template, and then change or accept the default configuration options.

Download URLScan separately if you want to run it on Windows Server 2003. A list of URLScan features and functionality beyond those provided by IIS 6.0 is available at http://go.microsoft.com/fwlink/?linkid=24490.

The URLScan application is installed in the folder <drive:>/<Windows directory>/system32/inetsrv/urlscan.

URLScan must be correctly configured for use with Exchange Server. For full details about how to configure URLScan for use with Exchange Server, see the following Microsoft Knowledge Base articles:

The section contains further information about why certain URLScan settings are required. Unless you configure the following settings in the Urlscan.ini file, after you run the wizard, you could experience problems with Outlook Web Access functionality:

  • Allow Dot In Path   Ensure that this setting is set to "1" so that Outlook Web Access attachments can be accessed and that earlier-version browsers can use Outlook Web Access.

  • File Extensions   By default, .htr files are disabled. If this file type is disabled, the Outlook Web Access Change Password feature does not function.

  • Deny Url Sequences   In the [DenyUrlSequences] section, sequences that are explicitly blocked can potentially affect access to Outlook Web Access. Any mail item subject or mail folder name that contains any of the following character sequences is denied access:

    • Period (.)

    • Double period (..)

    • Period and forward slash (./)

    • Backslash (\)

    • Percent sign (%)

    • Ampersand (&)

If you have additional problems when you attempt Outlook Web Access requests with URLScan enabled, check the UrlScan.log file for the list of requests that are being rejected.


Community Additions