[NT] Combining URLScan With FrontPage (HOWTO)

From: support@securiteam.com
Date: 10/05/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Combining URLScan With FrontPage (HOWTO)
Message-Id: <20011005163251.619F8138C4@mail.der-keiler.de>
Date: Fri,  5 Oct 2001 18:32:51 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Combining URLScan With FrontPage (HOWTO)
------------------------------------------------------------------------

SUMMARY

As most Microsoft administrators know, some time ago Microsoft released a
tool called URLScan (<http://www.securiteam.com/tools/5YP0E1F5FQ.html>).
The tool's main objective is to limit the exploitation of future
vulnerabilities by filtering user-provided request data. A problem arises
when an administrator requires FrontPage functionality on the server, since
URLScan's default configuration does not allow FrontPage to execute
successfully.

DETAILS

The following is a tested configuration file that allows FrontPage Server
Extensions to run on the server while still limiting the server's exposure
to future attacks.

Note:
1) We are allowing the `.exe` file extension to pass.
2) We have added to `[DenyUrlSequences]` the strings that help deflect the
Nimda worm.
3) We have set `AllowDotInPath=1` to enable the use of FrontPage 2000's
extension for web administration.
4) For FrontPage 2000 to work, you must have `RemoveServerHeader=0` and must
not set `AlternateServerName=`. If you do, FrontPage will not connect to a
FrontPage-enabled site.
5) Just for the fun of it, we have also added the following file
extensions to `[DenyExtensions]`:
  .vbs
  .sys
  .dos
  .lnk

--- urlscan.ini ---
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=1 ; if 1, allow high bit (i.e. UTF8 or MBCS) characters in URL
AllowDotInPath=1 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=1 ; if 1, then UrlScan will load as a low priority filter.

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

[AllowVerbs]

;
; The verbs (a.k.a. HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST
OPTIONS
;OPTIONS ; FrontPage Server Extensions requires OPTIONS. If you need to enable
; it, uncomment the OPTIONS verb and set "AllowLateScanning=1" in the
; [Options] section above. Additionally, after changing this file and
; restarting the web service, you should go to the "ISAPI Filters" tab
; for the server's properties in MMC and ensure that UrlScan is listed
; lower than fpexedll.dll.

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[DenyHeaders]

;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif
.png

[DenyExtensions]

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are allowed to run with the below
; settings. If you wish to prevent ASP from running, add the
; following extensions to this list:
; .asp
; .cer
; .cdx
; .asa
;

; Executables that run on the server
; .exe ; Removed because it stops `fpcount.exe` from working.
.bat
.cmd
.com

; Infrequently used scripts
; .htw ; Maps to webhits.dll, part of Index Server
; .ida ; Maps to idq.dll, part of Index Server
; .idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
.vbs
.sys
.dos
.lnk

[DenyUrlSequences]
; .. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
cmd.exe
root.exe
explorer.exe
system32
winnt
ntldr
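As an added illustration (not part of the advisory or of URLScan itself), the following Python script simulates the request checks this urlscan.ini turns on, using a hand-transcribed subset of its settings and constructed sample requests, so the effect on FrontPage traffic and on the rejected patterns can be seen offline. The check order and the extension handling are simplifications assumed for the example.

```python
from urllib.parse import unquote

# Subset of the advisory's urlscan.ini, transcribed by hand for this example.
RULES = {
    "allow_verbs": {"GET", "HEAD", "POST", "OPTIONS"},
    "deny_headers": {"translate", "if", "lock-token"},
    "deny_extensions": {"bat", "cmd", "com", "htr", "idc", "shtm", "shtml", "stm",
                        "printer", "ini", "log", "pol", "dat", "vbs", "sys", "dos", "lnk"},
    "deny_sequences": ["./", "\\", ":", "%", "&", "cmd.exe", "root.exe",
                       "explorer.exe", "system32", "winnt", "ntldr"],
    "allow_dot_in_path": True,  # AllowDotInPath=1, needed for FrontPage's admin URLs
}

def scan(method, url, headers=None, rules=RULES):
    """Return (allowed, reason) for one request; check order is a simplification."""
    if method.upper() not in rules["allow_verbs"]:        # UseAllowVerbs=1
        return False, "verb %s not in [AllowVerbs]" % method
    for name in (headers or {}):
        if name.lower() in rules["deny_headers"]:
            return False, "header %s in [DenyHeaders]" % name
    path = url.split("?", 1)[0]          # query string is not scanned
    norm = unquote(path)                 # NormalizeUrlBeforeScan=1
    if unquote(norm) != norm:            # VerifyNormalization=1
        return False, "URL changes on second normalization (double encoding)"
    low = norm.lower()
    for seq in rules["deny_sequences"]:
        if seq.lower() in low:
            return False, "sequence %r in [DenyUrlSequences]" % seq
    directory, _, leaf = low.rpartition("/")
    if "." in directory and not rules["allow_dot_in_path"]:
        return False, "dot in a directory name (AllowDotInPath=0)"
    ext = leaf.rpartition(".")[2] if "." in leaf else ""
    if ext in rules["deny_extensions"]:
        return False, "extension .%s in [DenyExtensions]" % ext
    return True, "ok"

# Constructed samples: FrontPage traffic that must keep working, and requests the settings reject.
SAMPLES = [
    ("GET", "/default.htm", {}),
    ("POST", "/_vti_bin/shtml.exe/_vti_rpc", {}),          # FrontPage RPC, dot in path
    ("GET", "/_vti_bin/fpcount.exe", {}),                    # .exe kept out of [DenyExtensions]
    ("PROPFIND", "/", {}),                                   # WebDAV verb, not in [AllowVerbs]
    ("GET", "/index.htm", {"Translate": "f"}),               # header in [DenyHeaders]
    ("GET", "/boot.ini", {}),                                # .ini in [DenyExtensions]
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe", {}),  # double-encoded traversal
]
if __name__ == "__main__":
    for method, url, hdrs in SAMPLES:
        ok, why = scan(method, url, hdrs)
        print("%-8s %-44s %s: %s" % (method, url, "ALLOW" if ok else "REJECT", why))
```

Flipping `allow_dot_in_path` to False in a copy of `RULES` shows why note 3 above is needed: the `/_vti_bin/shtml.exe/_vti_rpc` request is then rejected.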

ADDITIONAL INFORMATION

The information has been provided by Myron Szymanskyj <mailto:myron@co-hop.co.uk>.
