Re: URLScan for IIS

From: Attonbitus Deus (Thor@HAMMEROFGOD.COM)
Date: 11/03/01


Message-ID:  <02e601c163f7$e1528c80$af05a8c0@anchorsign.com>
Date:         Fri, 2 Nov 2001 15:41:17 -0800
From: Attonbitus Deus <Thor@HAMMEROFGOD.COM>
Subject:      Re: URLScan for IIS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> Ok, first of all, if you haven't used this utility yet I think you owe it
to
> yourself to at least spend some time on a test box and see what it can do.
> It is very easy to install, and the filtering it does could potentially
save
> you a huge headache in the future

I really like it... I just posted this to another list, and seeing this post
here, though the following applicable:

Greetings:

We like to log server activity such as the IIS and ISA logs to a SQL server
for fast and efficient reporting of the log data. While MS's URLScan is a
great little filter program for IIS, its logging options are minimal. It
basically creates a single file to hold all log records for filtered URLs.
In our shop, it can get pretty big pretty quick, and it is rather difficult
to review.

I've created a DTS package that runs nightly on our logging SQL server that
ftp's in the urlscan.log from the servers we want (this way you can leave
IIS running), parses the data into a temp table, and posts only the
preceding day's activity to the warehouse table (run it after midnight). It
really speeds up the review process, and allows you to group by server, date
range, or ip address for incident response.

It has helped us manage the URLScan logs, so I've stuck it on the
http://www.hammerofgod.com site under downloads for anyone interested in
taking a look at it. You've got to make a couple of changes to the DTS
package to work with your servers, so read the readme.

Later.
---------------------------------
Attonbitus Deus
rm -rf /bin/laden



Relevant Pages

  • Re: URLscan problem
    ... I did indeed restart the IIS server after ... I took a look at the URLscan log files and found my ... >URLscan seems to be causing a problem with public folder ...
    (microsoft.public.inetserver.iis.security)
  • RE: W3SVC, SMTP, IISAdmin services stopping..hacking?
    ... That SEARCH request is indicative of an attempt to exploit the ... of URLScan blocks SEARCH requests such as this one. ... Internet Services Manager -> right click on your server name -> Properties ... does contain a number of other very important security fixes for IIS. ...
    (microsoft.public.inetserver.iis.security)
  • Re: VS .NET & SDK vs. IIS LockDown & URLScan
    ... The Web Server Has Been Locked Down and Is Blocking the DEBUG Verb ... Stepping into a Web application or XML Web service failed because the IIS ... URLScan is a security tool that works in conjunction with the IIS Lockdown ...
    (microsoft.public.inetserver.iis.security)
  • Re: ISAPI Filter:How to hide/modify the response header
    ... Here's the section from that URL which deals just with IIS HTTP information: ... The free IISlockdown tool from www.microsoft.com/download includes URLScan, ... which can be used to change or remove the banner from your web server. ...
    (microsoft.public.inetserver.iis.security)
  • Re: How do you hide the HTTP Server header?
    ... David Dietz -- IIS Technical Lead ... 2001 Microsoft Corporation. ... |>Subject: Re: How do you hide the HTTP Server header? ... |>IISlockdown includes URLscan which is I think an excellent security tool, ...
    (microsoft.public.inetserver.iis.security)