URLScan: Stop malicious URLs from reaching your server!

March 15, 2009, 20:49

by Black

in Security tools, Windows

In my view, Microsoft is not as focused on security as the *NIX community is. Of course, that is because *NIX is largely an open source community and, as the popular view goes, it is used mainly by geeks. Just compare the number of security tools that community has with the ones MS has: hardly enough to count on your fingers, eh? URLScan is one of those few utilities.

URLScan is essentially an ISAPI filter that lets administrators restrict the kinds of HTTP requests that Internet Information Services (IIS) will process. By adding rules to its configuration you can block specific HTTP requests before they reach the server and cause damage. Installing the filter only requires IIS to be restarted (recycled) once. Note that URLScan targets IIS 5.x and 6.0; on IIS 7 and later the built-in Request Filtering module covers the same ground.

Some features (as listed on the MS site) are as follows:

  • Deny rules can now be independently applied to query string, all headers, a particular header, URL or a combination of these.
  • A global DenyQueryString section in configuration lets you add deny rules for query strings, with the option of checking the un-escaped version of the query string as well.
  • A global AlwaysAllowedUrls section in configuration lets you specify safe URLs that will bypass all URL based checks. This feature has been added post URLScan v3.0 Beta.
  • A global AlwaysAllowedQueryStrings section in configuration lets you specify safe query strings that will bypass all query string checks. This feature has been added post URLScan v3.0 Beta.
  • Escape sequences (like %0A%0D) can now be used in deny rules, so it is possible to deny CRLF and other sequences involving non-printable characters.
  • Multiple URLScan instances can now be installed as site filters, each with its own configuration and rules (Urlscan.ini).
  • Configuration (Urlscan.ini) change notifications will be propagated to IIS worker processes so you won’t have to recycle your worker processes after making a configuration change. Logging settings are the only exception to this.
  • Enhanced W3C formatted logging that will give descriptive configuration errors in the Remarks header. This feature has been added post URLScan v3.0 Beta, which did not have W3C formatted logs.

Using the tool is simple: all you need is write access to the URLScan.ini file. By default URLScan blocks the DEBUG verb, which breaks application debugging (Visual Studio uses DEBUG to attach to ASP.NET on IIS). To allow it, add DEBUG to the [AllowVerbs] section of URLScan.ini; that list only takes effect while UseAllowVerbs=1 is set in [Options], and it is a setting for development machines, not public servers. You can also stop the IIS version banner from showing up in a banner grabber or a telnet session by changing a single option: locate RemoveServerHeader in the [Options] section and set it to 1, which strips the Server: header from every response. Finally, URLScan can act as another line of defence against denial-of-service attacks before requests even reach ASP.NET: set limits on MaxAllowedContentLength, MaxUrl and MaxQueryString in the [RequestLimits] section, and oversized requests are rejected by the filter instead of by your application.
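The following is an added example, not part of the original post or of the URLScan distribution. It audits a urlscan.ini for the three settings just discussed (DEBUG in [AllowVerbs], RemoveServerHeader, and the [RequestLimits] values) and includes a small banner-grab check for the Server: header. The two sample .ini files, the hypothetical policy ceilings in LIMIT_CEILINGS and the sample HTTP responses are constructed for illustration; the section and option names follow the urlscan.ini layout.

```python
"""Audit a urlscan.ini for the hardening settings discussed above.

Added example; not from URLScan or its documentation. The sample files,
the limit ceilings and the HTTP responses are constructed assumptions.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample: a urlscan.ini loosened for development (DEBUG verb
# allowed, Server banner left in, generous request limits).
DEV_INI = """\
; urlscan.ini (constructed sample, development box)
[Options]
; 1 = only verbs listed in [AllowVerbs] pass; 0 = only [DenyVerbs] are blocked
UseAllowVerbs=1
RemoveServerHeader=0

[AllowVerbs]
GET
HEAD
POST
; added so Visual Studio can debug ASP.NET on this box
DEBUG

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
"""

# Constructed sample: the same file hardened for a public server.
PROD_INI = """\
; urlscan.ini (constructed sample, production)
[Options]
UseAllowVerbs=1
RemoveServerHeader=1

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
MaxAllowedContentLength=1048576
MaxUrl=260
MaxQueryString=1024
"""

# Hypothetical policy ceilings for [RequestLimits] (assumption; tune per application).
LIMIT_CEILINGS: Dict[str, int] = {
    "MaxAllowedContentLength": 4 * 1024 * 1024,  # 4 MB request body
    "MaxUrl": 260,
    "MaxQueryString": 2048,
}


def parse_urlscan_ini(text: str) -> configparser.ConfigParser:
    """[AllowVerbs]/[DenyVerbs] hold one bare verb per line, so allow_no_value
    is required; optionxform=str keeps names exactly as written."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def section_keys(cp: configparser.ConfigParser, name: str) -> List[str]:
    return list(cp[name]) if cp.has_section(name) else []


def audit_urlscan(text: str) -> List[str]:
    """Return one finding per setting that weakens the protections described above."""
    cp = parse_urlscan_ini(text)
    opts = cp["Options"] if cp.has_section("Options") else {}
    findings: List[str] = []

    # Verb filtering: which list is enforced depends on UseAllowVerbs (default 1).
    if opts.get("UseAllowVerbs", "1") == "1":
        allowed = {v.upper() for v in section_keys(cp, "AllowVerbs")}
        if "DEBUG" in allowed:
            findings.append("[AllowVerbs] permits DEBUG; remove it outside development")
    else:
        denied = {v.upper() for v in section_keys(cp, "DenyVerbs")}
        if "DEBUG" not in denied:
            findings.append("UseAllowVerbs=0 and [DenyVerbs] does not list DEBUG")

    # Banner: RemoveServerHeader=1 strips the Server: header from every response.
    if opts.get("RemoveServerHeader", "0") != "1":
        findings.append("RemoveServerHeader is not 1; the IIS version banner is exposed")

    # Request limits: a missing or oversized limit leaves the DoS guard ineffective.
    limits = cp["RequestLimits"] if cp.has_section("RequestLimits") else {}
    for key, ceiling in LIMIT_CEILINGS.items():
        raw = limits.get(key)
        if raw is None or not raw.isdigit():
            findings.append(f"[RequestLimits] {key} is missing or non-numeric")
        elif int(raw) > ceiling:
            findings.append(f"[RequestLimits] {key}={raw} exceeds policy ceiling {ceiling}")
    return findings


def server_banner(raw_response: str) -> Optional[str]:
    """Banner-grab check: return the Server: header value from a raw HTTP response
    head, or None when the header is absent (what RemoveServerHeader=1 produces)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


if __name__ == "__main__":
    for label, ini in (("dev", DEV_INI), ("prod", PROD_INI)):
        print(label, audit_urlscan(ini) or "no findings")
    # Constructed response heads, as a telnet banner grab would show them.
    print(server_banner("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n"))
    print(server_banner("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))
```

Run it against the real urlscan.ini by reading the file into audit_urlscan; the development sample produces three findings (DEBUG allowed, banner exposed, body limit above the ceiling) and the production sample none. Because UseAllowVerbs decides which list is enforced, the audit checks [DenyVerbs] instead when it is 0, which is the case the page's one-line advice about [AllowVerbs] does not cover.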

A more detailed write-up can be found here. If you are interested in giving it a go, the download is here.
