Web Deploy urlScanConfig Provider

  • Article

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

urlScanConfig

The urlScanConfig provider imports URLScan configuration settings into IIS 7 request filtering configuration.

Example

msdeploy –verb:sync –source:urlScanConfig=ini –dest:urlScanConfig=apphost

The urlScanConfig provider imports the settings of the Urlscan.ini file to the <system.webServer/security/requestFiltering> section of the IIS 7 ApplicationHost.config file. Except for <hiddenSegments>, existing data in the <requestFiltering> section will be overwritten when URLScan settings are imported.

The provider takes an argument of either ini or apphost. If you specify ini, URLScan configuration is read from the path %windir%\system32\inetsrv\urlscan\urlscan.ini. On 64–bit systems that have the Enable32BitAppOnWin64 application pool property enabled, the Urlscan.ini file is read from the %windir%\system32\inetsrv directory (not from %windir%\syswow64\inetsrv). If you specify the apphost argument, URLScan configuration is read from the <requestFiltering> section of the ApplicationHost.config file.

dump

In a dump operation, when you specify apphost, the urlScanConfig provider returns the paths to the elements of the URLScan configuration in the <system.webServer/security/requestFiltering> section of the Applicationhost.config file. If you specify the ini argument, the provider returns the configuration settings from the Urlscan.ini file. If you specify the -xml operation setting, the results are returned in XML format and include attribute information.

sync

You can use the urlScanConfig provider to import global Urlscan.ini configuration into the server-level <requestFiltering> section in IIS 7. Site-level URLScan configuration migration is not supported.

In a sync operation, the contents of the Urlscan.ini file can be exported to the <requestFiltering> section of ApplicationHost.config or to a package (.zip) file. The contents of the destination <requestFiltering> section will be overwritten, except for the configuration under <hiddenSegments>, which is protected by the URLScan Skip Incompatibility (UrlScanSkipIncompat) Rule. For more information about the UrlScanSkipIncompat rule, see Web Deploy Rules. Synchronization from ini source to an apphost destination is supported, but synchronization from an apphost source to an ini destination is not. URLScan version 2.0 can be synchronized to either IIS 7.0 or IIS 7.5. URLScan version 3.0 and 3.1 can be synchronized to IIS 7.5, or to IIS 7.0 if Windows Server® 2008 Service Pack 2 has been applied.

The following sections describe in detail how the various elements of the Urlscan.ini file are synchronized to IIS configuration.

Attribute and entry mappings

The following table lists Urlscan.ini settings and the elements and attributes to which they are mapped in the requestFiltering section of the ApplicationHost.config file. If a required setting does not exist in the Urlscan.ini file, the default is assumed.

Urlscan.ini <requestFiltering>

AllowDotInPath

(not mapped)

AllowHighBitCharacters

Maps to system.webServer/security/requestFiltering@ allowHighBitCharacters.

AllowLateScanning

(not mapped)

AlternateServerName

(not mapped)

EnableLogging

(not mapped)

LoggingDirectory

(not mapped)

LogLongUrls

(not mapped)

NormalizeUrlBeforeScan

(not mapped)

PerDayLogging

(not mapped)

PerProcessLogging

(not mapped)

RejectResponseUrl

(not mapped)

RemoveServerHeader

(not mapped)

UnescapeQueryString

(not mapped)

UseAllowExtensions

If UseAllowExtensions is 1, the <fileExtensions> allowUnlisted attribute is set to false and the allowed entries are added. If UseAllowVerbs is 0, the <fileExtensions> allowUnlisted attribute is set to true and the entries from the [DenyExtensions] section in Urlscan.ini are added.

UseAllowVerbs

If UseAllowVerbs is 1, the <verbs> allowUnlisted attribute is set to false and the allowed entries are added. If UseAllowVerbs is 0, the <verbs> allowUnlisted attribute is set to true and the entries from the [DenyVerbs] section in Urlscan.ini are added.

UseFastPathReject

(not mapped)

VerifyNormalization

Maps to system.webServer/security/requestFiltering@allowDoubleEscaping.

Urlscan Sections

The following table lists how the sections of the Urlscan.ini file are mapped to the <requestFiltering> section. Where appropriate, the mapping of individual items is included.

Urlscan.ini <requestFiltering>

[AllowExtensions] and [DenyExtensions]

Maps to <system.webServer/security/requestFiltering/fileExtensions>. For details, see the previous table.

[AllowVerbs] and [DenyVerbs]

Maps to <system.webServer/security/requestFiltering/verbs>. For details, see the previous table.

[AlwaysAllowedQueryStrings]

Maps to <system.webServer/security/requestFiltering/alwaysAllowedQueryStrings>.

[AlwaysAllowedUrls]

Maps to <system.webServer/security/requestFiltering/alwaysAllowedUrls>.

[DenyHeaders]

Maps to <system.webServer/security/requestFiltering/requestLimits/headerLimits>. The colon is removed from names.

[DenyQueryStringSequences]

Maps to <system.webServer/security/requestFiltering/denyQueryStringSequences>.

[DenyUrlSequences]

Maps to <system.webServer/security/requestFiltering/denyUrlSequences>.

[RequestLimits]

 

   MaxAllowedContentLength

   MaxQueryString

   MaxUrl

Maps to <system.webServer/security/requestFiltering/requestLimits>.

 

   <requestLimits> maxAllowedContentLength attribute

   <requestLimits> maxQueryString attribute

   <requestLimits> maxUrl attribute

[Rules]

 

   AppliesTo

   DenyDataSection

   ScanAllRaw

   ScanHeaders

   ScanQueryString

   ScanURL

Each rule maps to a <filteringRule> element under <requestFiltering/filteringRules>.

 

   <filteringRule/appliesTo> element

   <filteringRule/denyStrings> element

   <filteringRule> scanAllRaw attribute

   <filteringRule/scanHeaders> element

   <filteringRule> scanQueryString attribute

   <filteringRule> scanUrl attribute

   

For information about how to configure request filtering in IIS 7, see How to Use Request Filtering and Request Filtering <requestFiltering>. For more information about URLScan with IIS 7, see Using URLScan.

Example Usages

1) Display the contents of the Urlscan.ini file.

   msdeploy –verb:dump –source:urlScanConfig=ini -xml

2) Display the contents of the <requestFiltering> section of the ApplicationHost.config file in XML format.

   msdeploy –verb:dump –source:urlScanConfig=apphost –xml

3) Synchronize the contents of the Urlscan.ini file to a package file.

   msdeploy –verb:sync –source:urlScanConfig=ini –dest:package=urlscanSettings.zip

4) Synchronize the contents of the Urlscan.ini file to the <requestFiltering> section of the ApplicationHost.config file.

   msdeploy –verb:sync –source:urlScanConfig=ini –dest:urlScanConfig=apphost

See Also

Concepts

Web Deploy Providers