
UrlScan Security Tool Frequently Asked Questions

What is UrlScan?

UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed. UrlScan helps protect Web servers because most malicious attacks share a common characteristic: they involve the use of a request that is unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage.

Will UrlScan 2.5 work with IIS 6.0?

Yes. UrlScan 2.5 is the only version of UrlScan that Microsoft supports for use with IIS 6.0.

I'm already using UrlScan 2.0. Why should I download this update?

UrlScan 2.5 includes new features that have been added to help improve the security of servers running IIS. These new features are as follows:

  • Changing the log file directory
  • Logging long URLs
  • Restricting the size of requests

I've already configured UrlScan for my site. Will UrlScan 2.5 overwrite my current configuration settings?

No. The installer adds only new entries to your existing configuration file. UrlScan supports all of the configuration settings from earlier versions of UrlScan.

If UrlScan 2.5 helps protect my server against certain vulnerabilities, is it still necessary to apply security updates?

Yes. To help protect your server from any new or existing security vulnerabilities, Microsoft strongly recommends that you evaluate and apply the latest security updates as soon as they are available.

I'm not sure if I'm using chunked-transfer encoding in any of my custom applications. What is it?

Chunked-transfer encoding is an HTTP/1.1 feature that transmits the message body in a request or response as chunks that are stamped with their size. HTTP/1.1 allows clients to send POST requests by using chunked-transfer encoding. In most cases, IIS will automatically decode these requests before they are processed. If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly. If you have code running on a server that is receiving POST requests and you are not sure whether it supports chunked-transfer encoding, then consider using UrlScan to prohibit requests that include a "Transfer-Encoding" header. For more information about chunked-transfer encoding, see section 3.6.1 of RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1."
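
The following is an added example, not code from UrlScan or IIS. It decodes a size-stamped chunked body to show what application code that is not aware of chunked-transfer encoding would otherwise receive, and it checks for the "Transfer-Encoding" header that a deny rule would match. The function names, the sample request, and the use of 48 KB as a decode cap are assumptions made for this illustration.

```python
# Added example: decode an HTTP/1.1 chunked body (RFC 2616, section 3.6.1).
HEX_DIGITS = b"0123456789abcdefABCDEF"

class ChunkedError(ValueError):
    """The body does not follow chunked framing."""

def has_transfer_encoding(headers):
    """True if any header name is Transfer-Encoding (names are case-insensitive)."""
    return any(name.strip().lower() == "transfer-encoding" for name in headers)

def decode_chunked(raw, max_body=48 * 1024):
    """Return the de-chunked body. max_body is a cap chosen for this example."""
    body, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("missing CRLF after chunk size")
        # Size line: hex digits, optionally followed by ';extension'.
        size_field = raw[pos:eol].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedError("chunk size is not hexadecimal")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(body)  # last-chunk reached; trailers are ignored
        if len(body) + size > max_body:
            raise ChunkedError("decoded body exceeds the cap")
        end = pos + size
        # Each chunk must be exactly `size` bytes and end with CRLF.
        if end + 2 > len(raw) or raw[end:end + 2] != b"\r\n":
            raise ChunkedError("chunk does not match its stamped size")
        body += raw[pos:end]
        pos = end + 2

# Constructed sample: the form body "user=alice&role=viewer" sent as two
# 11-byte chunks (0xb), followed by the zero-length last chunk.
SAMPLE_HEADERS = {"Host": "www.example.com", "Transfer-Encoding": "chunked"}
SAMPLE_BODY = b"b\r\nuser=alice&\r\nb\r\nrole=viewer\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("raw body seen by unaware code:", SAMPLE_BODY)
    print("decoded body:", decode_chunked(SAMPLE_BODY))
    print("would match a Transfer-Encoding deny rule:",
          has_transfer_encoding(SAMPLE_HEADERS))
```

Code that reads the raw body without decoding would treat the size lines (`b`, `0`) as part of the form data, which is the failure the FAQ answer warns about.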

How do I install the UrlScan tool?

UrlScan 2.5 installs as a clean install on a computer running IIS 4.0 or later. Upgrade scenarios are also supported.

To Install UrlScan 2.5

  1. Download the Setup.exe file for UrlScan 2.5.
  2. Double-click the Setup.exe icon.
  3. Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.
  4. When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

To Uninstall UrlScan

  1. In Control Panel, double-click Add or Remove Programs.
  2. Select UrlScan 2.5 and then click the Change/Remove button.
  3. When UrlScan 2.5 has been removed from your server, the following message is displayed: "UrlScan has been successfully uninstalled." Click OK to complete the uninstall process.

Understanding the UrlScan 2.5 Installer

When installing UrlScan 2.5, the UrlScan 2.5 installer does the following:

  • Installs the UrlScan.dll and UrlScan.ini files in the %windir%\system32\inetsrv\urlscan directory. If UrlScan is already installed on the computer, the UrlScan.ini file is updated with any new settings that are not present in the current configuration file.
  • Adds UrlScan as a global filter to IIS.

When installing UrlScan on a server running IIS 6.0, the UrlScan 2.5 installer makes some additional changes that enable UrlScan 2.5 to work with the new IIS 6.0 process model. These changes are as follows:

  • PerProcessLogging is set to 1 in the UrlScan.ini file. This ensures that two UrlScan processes do not write to the log file at the same time.
  • UrlScan is marked as cache-aware in the metabase. This ensures that two or more worker processes that are running UrlScan do not write to the log file at the same time.
  • A new log directory, which is a subdirectory located under the ..\inetsrv\urlscan directory, is created. This ensures that the UrlScan directory does not get cluttered with all of the log files that the PerProcessLogging option will create.
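
As an added example (not part of the UrlScan package), the script below audits a UrlScan.ini for the settings this page discusses: PerProcessLogging, a separate log directory, a request size limit, and a deny rule for the "Transfer-Encoding" header. Apart from PerProcessLogging, the key and section names (LoggingDirectory, [RequestLimits], MaxAllowedContentLength, [DenyHeaders]) do not appear on this page and are taken from the UrlScan 2.5 configuration format; the sample files and their values are constructed.

```python
# Added example: audit a UrlScan.ini for settings this page discusses.
def parse_urlscan_ini(text):
    """Return {section: [entries]}; ';' comments and blank lines are dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def options(entries):
    """Turn 'Key=Value' entries into a dict with lower-cased keys."""
    pairs = (e.split("=", 1) for e in entries if "=" in e)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    ini = parse_urlscan_ini(text)
    opts = options(ini.get("options", []))
    limits = options(ini.get("requestlimits", []))
    denied = {h.rstrip(":").strip().lower() for h in ini.get("denyheaders", [])}
    findings = []
    if opts.get("perprocesslogging") != "1":
        findings.append("PerProcessLogging is not 1")
    if not opts.get("loggingdirectory"):
        findings.append("LoggingDirectory is not set")
    if "transfer-encoding" not in denied:
        findings.append("Transfer-Encoding is not in [DenyHeaders]")
    if "maxallowedcontentlength" not in limits:
        findings.append("MaxAllowedContentLength is not in [RequestLimits]")
    return findings

# Constructed samples; the path and the size limit are illustrative values.
HARDENED = r"""
[Options]
PerProcessLogging=1        ; one log file per worker process
LoggingDirectory=D:\UrlScanLogs
[RequestLimits]
MaxAllowedContentLength=30000000
[DenyHeaders]
Transfer-Encoding:
"""
LEGACY = "[Options]\nPerProcessLogging=0\n[DenyHeaders]\nTranslate:\n"
```

Calling `audit(HARDENED)` returns an empty list, while `audit(LEGACY)` reports all four settings as missing or disabled.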

When installing UrlScan 2.5 on IIS, the installer sets permissions for UrlScan.dll, UrlScan.ini, and the log file. When installing UrlScan 2.5 on IIS 6.0, the installer sets additional permissions on the same files to allow UrlScan 2.5 to work with IIS 6.0 worker process isolation mode. Table 2 lists the IIS permissions that are set when UrlScan 2.5 is installed.

Table 2: UrlScan 2.5 IIS 6.0 Permissions

| File/Directory | Permissions |
| --- | --- |
| ..\inetsrv\urlscan\urlscan.dll | Read and Execute (set on IIS 6.0 only): LocalService, IIS_WPG, and NetworkService; Full: Administrators, and LocalSystem |
| ..\inetsrv\urlscan\urlscan.ini | Read (set on IIS 6.0 only): IIS_WPG, LocalService, and NetworkService; Full: Administrators, and LocalSystem |
| ..\inetsrv\urlscan\logs | Read and Write (set on IIS 6.0 only): IIS_WPG, LocalService, and NetworkService; Full: Administrators, and LocalSystem |

If a version of UrlScan is detected on the computer, the installation will be considered an upgrade. In the upgrade scenario, the changes that the installer makes will be the same as for a clean installation unless you have configured a custom log directory. If you have defined a different location for the UrlScan logs, then the new logs directory will not be created.