URLScan for IIS

From: Lester, Don (dlester@CLINITECH.NET)
Date: 11/03/01


Message-ID:  <6CC25018D3C8D411B2F500508B4456AE8E1FAD@wvc-exchange>
Date:         Fri, 2 Nov 2001 15:25:35 -0800
From: "Lester, Don" <dlester@CLINITECH.NET>
Subject:      URLScan for IIS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Ok, first of all, if you haven't used this utility yet I think you owe it to
yourself to at least spend some time on a test box and see what it can do.
It is very easy to install, and the filtering it does could potentially save
you a huge headache in the future. The basic premise is that it examines
any packet bound for IIS against a set of rules defined by the
administrator, and either allows the packet to pass to IIS or discards and
logs it. Pretty slick considering McAfee has a similar package (arguably
more robust) for about $1000 per server, and this is free.

That being said, my initial installation did not go without a hitch.
Documentation for this utility is sketchy at best. The only means to
configure it is to edit its INI file, conveniently placed in the
system32\inetsrv\urlscan directory. This isn't too big of a deal since it
isn't difficult to configure. It is unfortunate that you have to stop and
restart IIS to make it reload any configuration changes, but again, that is
a small price to pay for a free utility that shouldn't have its
configuration changed very often anyway.

On installation, a default INI file is created that I do not believe anyone
concerned with security should use. I am not an old time server guru like
many people on this list. My background is much more heavily rooted in
networks and firewalls. So, when I see a filter configuration that gives me
a choice between a deny list or an allow list, I will choose the allow list
every time without hesitation. The rationale being that a deny list only
excludes items I put in it, and passes everything else. I have been doing
this a while, but I know better than to assume I can think of everything
some potential attacker will throw at me. By choosing the allow option, I
say what I will allow, and everything else is denied. This is much more
secure because only traffic you want and expect is allowed to
pass, and anything you don't want (or don't even know about) is denied.

So, I examine my INI file, find the [options] area, and change it as
follows:

[options]
UseAllowVerbs=1            ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=1       ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1   ; if 1, canonicalize URL before processing
VerifyNormalization=1      ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0   ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0           ; if 1, allow dots that are not file extensions
RemoveServerHeader=0       ; if 1, remove "Server" header from response
EnableLogging=1            ; if 1, log UrlScan activity
PerProcessLogging=0        ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0        ; if 1, then UrlScan will load as a low priority filter.

I began testing, and at first I was very happy with what I saw. I was
requesting all sorts of odd URLs, and IIS never saw them. Every time I
tripped a rule, the offense was dutifully recorded in the urlscan.log file.

Then I tried to just access the default web page, /, on my server (default
web page is http://www.servername.com/ without any trailing filename). It
was rejected. I looked in the log file, and this is what I saw:

[Thu, Nov 01 2001 - 08:31:53] Client at 172.24.20.100: URL contains
extension '(null)', which is not specifically allowed. Request will be
rejected. Raw URL='/'

This was not right. How on earth can a file have a null extension? I took
a moment to laugh at the expense of some poor programmer, then set forth
looking for a work-around. This package really has no documentation other
than the comments in the default INI file, and Microsoft's Knowledge Base
has almost nothing in it pertaining to this package. So, I was reduced to
trial and error. After several attempts, the fix for my [AllowExtensions]
section now looks like this:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif
./

The last line, ./, is what made the null file extension messages go away,
and now allows my server to use the [AllowExtensions] properly.

Obviously a dot-slash is not a file extension, so this is some kind of bug.
However, given the nature of what this little utility does, and how you
really should not use deny lists, getting this work-around out to the masses
seemed like a good idea. If anyone finds issues with this work-around,
please post them.
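
As an added illustration (not part of Don Lester's post, and not Microsoft's URLScan code), the Python script below emulates the allow-list logic the post describes: it parses an INI fragment in the same shape as the one above, applies the [options] flags, and shows why a request for "/" is rejected with a "(null)" extension until an entry for extensionless requests is present. The INI text and the sample requests are constructed for the example. The order of the checks, the dot-in-path rule, the decision to scan only the path (not the query string), and the acceptance of "." alongside the post's "./" as the no-extension marker are all assumptions made here, not documented URLScan behaviour.

```python
"""Simplified emulation of URLScan-style allow-list filtering.

Added example, not code from the post or from Microsoft's URLScan. It
reproduces the behaviour the post describes (allow-listed verbs and
extensions, double-decoding check, rejection of '/' for having no
extension) so the rules can be exercised offline. The INI text and the
requests below are constructed for this example.
"""
from urllib.parse import unquote

# Constructed urlscan.ini fragment modelled on the post's [options] and
# [AllowExtensions] sections. Comments start with ';' as in the real file.
SAMPLE_INI = """
[options]
UseAllowVerbs=1           ; if 1, use [AllowVerbs] section
UseAllowExtensions=1      ; if 1, use [AllowExtensions] section
NormalizeUrlBeforeScan=1  ; decode %xx before applying the rules
VerifyNormalization=1     ; decode twice, reject if the second pass changes anything
AllowHighBitCharacters=0  ; reject non-ASCII characters in the URL
AllowDotInPath=0          ; reject dots that are not the final file extension

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.txt
.jpg
.jpeg
.gif
"""

# Entries that stand for "request with no extension". The post's work-around
# is './'; '.' is accepted here as an alternative spelling (assumption, not
# something this page documents).
NO_EXTENSION_MARKERS = {".", "./"}


def parse_ini(text):
    """Parse a URLScan-style INI: [section] headers, key=value options and
    bare list entries; ';' starts a comment. Section names are case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def flags(sections):
    """[options] entries as booleans keyed by lower-cased option name."""
    out = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        out[key.strip().lower()] = value.strip() == "1"
    return out


def extension_of(path):
    """Extension of the last path segment ('' when there is none, which the
    post's log shows URLScan 1.0 reporting as '(null)')."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def scan(sections, verb, raw_url):
    """Return (allowed, reason) for one request, applying the rules in the
    order normalize -> high-bit -> dot-in-path -> verb -> extension.
    The order and the dot-in-path rule are simplifications (assumptions)."""
    opts = flags(sections)
    url = raw_url.split("?", 1)[0]          # only the path is scanned here
    if opts.get("normalizeurlbeforescan"):
        url = unquote(url)
        if opts.get("verifynormalization") and unquote(url) != url:
            return False, "second normalization pass changed the URL (double encoding)"
    if not opts.get("allowhighbitcharacters") and any(ord(c) > 0x7F for c in url):
        return False, "high-bit character in URL"
    if not opts.get("allowdotinpath"):
        segments = url.split("/")
        if any("." in s for s in segments[:-1]) or segments[-1].count(".") > 1:
            return False, "dot in path that is not a file extension"
    if opts.get("useallowverbs"):
        allowed_verbs = {v.upper() for v in sections.get("allowverbs", [])}
        if verb.upper() not in allowed_verbs:
            return False, "verb '%s' is not specifically allowed" % verb
    if opts.get("useallowextensions"):
        allowed_ext = {e.lower() for e in sections.get("allowextensions", [])}
        ext = extension_of(url)
        permitted = ext in allowed_ext if ext else bool(allowed_ext & NO_EXTENSION_MARKERS)
        if not permitted:
            return False, "extension '%s' is not specifically allowed" % (ext or "(null)")
    return True, "allowed"


def with_extension_entry(text, entry):
    """Copy of the INI text with one more [AllowExtensions] line appended
    (that section is last in SAMPLE_INI); models the post's work-around."""
    return text.rstrip() + "\n" + entry + "\n"


if __name__ == "__main__":
    base = parse_ini(SAMPLE_INI)
    fixed = parse_ini(with_extension_entry(SAMPLE_INI, "./"))
    requests = [
        ("GET", "/default.asp"),
        ("GET", "/"),                                   # the post's failing case
        ("GET", "/scripts/..%255c../winnt/system32/cmd.exe"),
        ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe"),
        ("DELETE", "/index.htm"),
        ("GET", "/scripts/root.exe"),
    ]
    for cfg_name, cfg in (("default", base), ("with ./", fixed)):
        print("--", cfg_name)
        for verb, url in requests:
            ok, why = scan(cfg, verb, url)
            print("%-7s %-48s %s: %s" % (verb, url, "ALLOW" if ok else "REJECT", why))
```

Running the script prints the decision for each constructed request under both configurations; only the request for "/" changes outcome once the "./" entry is added. Flipping NormalizeUrlBeforeScan to 0 in SAMPLE_INI lets a request such as /scripts/%2e%2e/x.htm through the dot-in-path check, because the rule then sees the encoded bytes rather than the dots, which is why the post's configuration keeps that option on.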
