Re: Updated URLScan Security Tool Released

From: M. Burnett (mb_at_xato.net)
Date: 05/22/03

    To: <eric.johansen@us.ing.com>, <focus-ms@securityfocus.com>
    Date: Thu, 22 May 2003 11:02:40 -0600


    You should note that URLScan 2.5 (which has a file version of
    6.0.3615.0) is over a year old; it is just the installer that is new.

    I did notice, however, that the installer included only one version
    of the dll, not the Baseline and SRP versions that were previously
    available. I was curious to see which version was included in this
    new installer so I downloaded the Baseline and SRP versions to
    compare MD5 checksums. It turns out they are all the same file. There
    are still two separate download pages which make it appear as though
    you are downloading either "Baseline Urlscan" or "Urlscan-SRP",
    although the download link is the same for both versions (but not the
    same as this new installer).

    Fortunately, I know Microsoft has a habit of doing stuff like this so
    I keep old file versions. I dug up the old versions and it appears
    that the new installer contains the SRP version. Apparently there is
    no longer a Baseline URLScan. I would suggest to Microsoft that they
    update the download page for the "Baseline Urlscan"
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=12244f33-a5da-4203-a3a8-83f4388bb71f&DisplayLang=en)
    to indicate that they are not actually downloading the Baseline Urlscan.

    And while on the subject of installing URLScan, here's the batch file
    I use to do the job (requires urlscan.ini and urlscan.dll in current
    dir, adsutil.vbs in current dir or path):

    @rem Stop IIS before touching the filter DLL (iisreset takes /timeout:val)
    @iisreset /stop /timeout:0
    @rem Copy the filter and its config to the standard location
    @md %SystemRoot%\System32\inetsrv\urlscan
    @copy /y urlscan.ini %SystemRoot%\System32\inetsrv\urlscan
    @copy /y urlscan.dll %SystemRoot%\System32\inetsrv\urlscan
    @rem Register the ISAPI filter in the metabase
    @cscript adsutil.vbs create W3SVC/Filters/URLScan IIsFilter
    @cscript adsutil.vbs set W3SVC/Filters/URLScan/FilterPath %SystemRoot%\System32\inetsrv\urlscan\urlscan.dll
    @cscript adsutil.vbs set W3SVC/Filters/URLScan/FilterDescription "UrlScan ISAPI Filter"
    @cscript adsutil.vbs set W3SVC/Filters/URLScan/FilterFlags 540672
    @rem Read the current load order: adsutil prints 'FilterLoadOrder : (STRING) "a,b,c"',
    @rem so the quoted list is the 4th token. //nologo keeps the cscript banner out of the way.
    @FOR /F "tokens=4" %%a IN ('cscript //nologo adsutil.vbs get W3SVC/Filters/FilterLoadOrder') DO @set FilterOrder=%%a
    @rem Drop any existing "URLScan," entry, then put URLScan first (:~1 strips the leading quote;
    @rem the trailing quote comes from the captured token)
    @set FilterOrder=%FilterOrder:URLScan,=%
    @IF NOT %FilterOrder%=="" cscript adsutil.vbs set W3SVC/Filters/FilterLoadOrder "URLScan,%FilterOrder:~1%
    @iisreset /start

    (all lines begin with @ so you can correct the wrapping)

    Mark Burnett
    http://www.iissecurity.info

    On Wed, 21 May 2003 10:59:50 -0500, Eric Johansen wrote:
    >URLScan Security Tool version 2.5
    >http://www.microsoft.com/technet/security/tools/tools/URLscan.asp
    >
    >So far I've had little success using the executable provided by
    >Microsoft to "automagically" update my existing URLScan 2.0-running
    >web servers. So I've resorted to extracting the contents of the
    >Setup.EXE (use Setup.EXE /C /T:D:\URLScan_25 for example) and then
    >extracting urlscan.exe (contained in Setup.EXE) using urlscan.exe
    >/X. This extracts all contents to the directory where urlscan.exe
    >is located, so be careful you aren't doing this in your current,
    >live URLScan 2.0 directory unless you want your urlscan.ini to be
    >overwritten with the newfangled one - better to manually edit your
    >ini.
    >
    >Installing manually is easy...drop the new DLL in the old DLLs place
    >(after stopping IIS of course), edit your ini with the new features
    >you want, and then restart IIS. You don't have to take advantage of
    >any of the new features, and I've found that it works great if just
    >plunked into place...and you get that warm, fuzzy feeling that you
    >have the latest and greatest version in place. :)
    >
    >Here are the "new" features from version 2.0 (indicated with ***),
    >which if you are manually editing your urlscan.ini's you should use:
    >(compiled from the above URL as well as the urlscan.ini config file)
    > ***Changing the Log File Directory -LoggingDirectory
    >
    >Use:
    >
    >LoggingDirectory=D:\LogFiles\URLScan
    >---
    > ***Logging Long URLs -LogLongUrls
    >
    >Use:
    >
    >(under OPTIONS) LogLongUrls=0
    >
    >If 1, then up to 128K per request can be logged. If 0, then only 1k
    >is allowed.
    >---
    > ***Restricting the Size of Requests -RequestLimits
    >-MaxAllowedContentLength -MaxUrl -MaxQueryString
    >
    >Use:
    >
    >[RequestLimits]
    >
    >;
    >; The entries in this section impose limits on the length
    >; of allowed parts of requests reaching the server.
    >;
    >; It is possible to impose a limit on the length of the
    >; value of a specific request header by prepending "Max-" to the
    >; name of the header. For example, the following entry would
    >; impose a limit of 100 bytes to the value of the
    >; 'Content-Type' header:
    >;
    >; Max-Content-Type=100
    >;
    >; To list a header and not specify a maximum value, use 0
    >; (ie. 'Max-User-Agent=0'). Also, any headers not listed
    >; in this section will not be checked for length limits.
    >;
    >; There are 3 special case limits:
    >;
    >; - MaxAllowedContentLength specifies the maximum allowed
    >;   numeric value of the Content-Length request header. For
    >;   example, setting this to 1000 would cause any request
    >;   with a content length that exceeds 1000 to be rejected.
    >;   The default is 30000000.
    >;
    >; - MaxUrl specifies the maximum length of the request URL,
    >;   not including the query string. The default is 260 (which
    >;   is equivalent to MAX_PATH).
    >;
    >; - MaxQueryString specifies the maximum length of the query
    >;   string. The default is 2048.
    >;
    >MaxAllowedContentLength=30000000
    >MaxUrl=260
    >MaxQueryString=2048
    >
    >-Eric
    >
    >
    >
    >
    >

    -----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-focus-ms
    ------------------------------------------------------------------------------
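    The FilterLoadOrder handling in the batch file above, redone in Python as an added example (this is not code from the original post or from Microsoft). It parses a constructed sample of adsutil.vbs output, shows the literal effect of the batch file's two %FilterOrder% substitutions, and adds an idempotent version that also handles URLScan already sitting at the end of the list and an empty list; all function names are this example's own.

```python
"""Rebuild the IIS FilterLoadOrder string with URLScan first.

Added example, not code from the original post. It reproduces in Python
the string handling that the batch file above does with adsutil.vbs
output, and covers the cases the batch does not (URLScan already last in
the list, empty list). The adsutil output below is a constructed sample
and every function name here is this example's own.
"""
import re

# Constructed sample of what `cscript adsutil.vbs get W3SVC/Filters/FilterLoadOrder`
# prints: the cscript banner, then the value line. The batch file takes the
# 4th whitespace-separated token of every line and keeps the last one.
SAMPLE_ADSUTIL_OUTPUT = (
    "Microsoft (R) Windows Script Host Version 5.6\n"
    "Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.\n"
    "\n"
    'FilterLoadOrder                 : (STRING) "sspifilt,Compression,md5filt"\n'
)

FILTER_NAME = "URLScan"


def parse_filter_load_order(adsutil_output: str) -> str:
    """Return the unquoted FilterLoadOrder value (empty string if absent).

    Only the value line matches, so the banner lines are ignored; this is
    the same field the batch file's FOR /F "tokens=4" captures.
    """
    value = ""
    for line in adsutil_output.splitlines():
        m = re.match(r'^\s*FilterLoadOrder\s*:\s*\(STRING\)\s*"(.*)"\s*$', line)
        if m:
            value = m.group(1)
    return value


def batch_style_order(current: str) -> str:
    """Literal equivalent of the batch file's substitutions, kept for comparison.

    %FilterOrder:URLScan,=% deletes every "URLScan," substring and the next
    line prepends "URLScan,". A trailing "URLScan" entry (no comma after it)
    is not removed, so re-running the script lists the filter twice.
    """
    return FILTER_NAME + "," + current.replace(FILTER_NAME + ",", "")


def new_filter_load_order(current: str) -> str:
    """Put URLScan first and drop any existing occurrence (idempotent)."""
    remaining = [f for f in current.split(",") if f and f != FILTER_NAME]
    return ",".join([FILTER_NAME] + remaining)


def adsutil_set_command(order: str) -> str:
    """The adsutil.vbs call that writes the new order back to the metabase."""
    return 'cscript adsutil.vbs set W3SVC/Filters/FilterLoadOrder "%s"' % order


if __name__ == "__main__":
    current = parse_filter_load_order(SAMPLE_ADSUTIL_OUTPUT)
    print("current :", current)
    print("batch   :", batch_style_order(current))
    print("new     :", new_filter_load_order(current))
    print(adsutil_set_command(new_filter_load_order(current)))
```

    Re-running the batch file on a server where URLScan was registered last in the chain is the case worth checking before trusting it on a fleet: batch_style_order shows the duplicate entry, new_filter_load_order does not produce one.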
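    The [RequestLimits] rules quoted from the urlscan.ini comments, applied to sample requests. This is an added example, not code from the original messages or from URLScan itself: it parses a constructed ini fragment (the defaults are the ones quoted above, plus a Max-Content-Type=100 and a Max-User-Agent=0 entry) and reports which limit a request would trip, including the two details the comments call out, that MaxUrl excludes the query string and that a header listed as 0 or not listed at all is not length-checked. The ini text, the requests and all function names are this example's own.

```python
"""Evaluate requests against a urlscan.ini [RequestLimits] section.

Added example, not from the original messages or from URLScan. It reads
MaxAllowedContentLength, MaxUrl, MaxQueryString and Max-<Header> keys from
a constructed ini text and applies the rules quoted in the thread. The ini
text, the sample requests and the function names are this example's own.
"""
import configparser
from typing import Dict, List, Optional

# Constructed urlscan.ini fragment. The three defaults are the values quoted
# in the thread; the two Max-<Header> lines are added to exercise those rules.
SAMPLE_INI = """
[Options]
LogLongUrls=0

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
; Content-Type header value may be at most 100 bytes
Max-Content-Type=100
; listed with 0: no length limit is applied to User-Agent
Max-User-Agent=0
"""

DEFAULTS = {"MaxAllowedContentLength": 30000000, "MaxUrl": 260, "MaxQueryString": 2048}


def load_request_limits(ini_text: str) -> Dict[str, int]:
    """Return the limits in force: quoted defaults, overridden by the ini."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the case of Max-<Header> names
    cp.read_string(ini_text)
    limits = dict(DEFAULTS)
    if cp.has_section("RequestLimits"):
        for key, value in cp.items("RequestLimits"):
            limits[key] = int(value)
    return limits


def check_request(limits: Dict[str, int], url: str, query: str,
                  content_length: Optional[int], headers: Dict[str, str]) -> List[str]:
    """Return the names of the limits a request exceeds (empty list = accepted).

    - MaxUrl applies to the path only, not the query string.
    - MaxQueryString applies to the query string.
    - MaxAllowedContentLength compares the numeric Content-Length value.
    - Max-<Header>=N limits that header's value length; 0 means listed but
      unlimited, and a header that is not listed is not checked at all.
    """
    violations = []
    if len(url) > limits["MaxUrl"]:
        violations.append("MaxUrl")
    if len(query) > limits["MaxQueryString"]:
        violations.append("MaxQueryString")
    if content_length is not None and content_length > limits["MaxAllowedContentLength"]:
        violations.append("MaxAllowedContentLength")
    for name, value in headers.items():
        key = "Max-" + name
        limit = next((v for k, v in limits.items() if k.lower() == key.lower()), None)
        if limit is not None and limit > 0 and len(value) > limit:
            violations.append(key)
    return violations


# Constructed requests, one per rule.
SAMPLE_REQUESTS = {
    "normal": dict(url="/default.asp", query="id=1", content_length=512,
                   headers={"Content-Type": "text/html"}),
    "long_path": dict(url="/" + "a" * 300, query="", content_length=None, headers={}),
    "long_query": dict(url="/search.asp", query="q=" + "x" * 3000, content_length=None, headers={}),
    "big_body": dict(url="/upload.asp", query="", content_length=40000000, headers={}),
    "long_content_type": dict(url="/post.asp", query="", content_length=10,
                              headers={"Content-Type": "x" * 150}),
    "long_user_agent": dict(url="/", query="", content_length=None,
                            headers={"User-Agent": "y" * 5000}),
    "unlisted_header": dict(url="/", query="", content_length=None,
                            headers={"Referer": "z" * 5000}),
}


def evaluate_samples(ini_text: str = SAMPLE_INI) -> Dict[str, List[str]]:
    """Run every sample request through the limits loaded from ini_text."""
    limits = load_request_limits(ini_text)
    return {name: check_request(limits, **req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print("%-18s %s" % (name, "accepted" if not hits else "rejected: " + ", ".join(hits)))
```

    Point load_request_limits at the ini you actually ship and feed it the longest legitimate URL, query string and upload your application needs; a limit that rejects the "normal" case is a misconfiguration you want to find before IIS does.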

