Re: Downloading executables from IIS

From: Susan Hayden [MS] (shayden@online.microsoft.com)
Date: 07/25/02 

From: shayden@online.microsoft.com (Susan Hayden [MS])
Date: Thu, 25 Jul 2002 16:57:18 GMT

You need to edit the .ini file for URLScan to allow .exe

All configuration of URLScan is done through the URLScan.ini file, which is
located in the %WINDIR%\System32\Inetsrv\URLscan folder. To configure
URLScan,
simply open this file in a text editor such as Notepad, make the appropriate
changes, and save the file. You will need to restart IIS for your changes to
take effect.

The URLScan.ini file contains a couple of sections:

 - [Options]: General URLScan options
 - [AllowVerbs] and [DenyVerbs]: This section defines the verbs (also known
as
   HTTP methods) permitted by URLScan
 - [DenyHeaders]: If an HTTP request contains one of the HTTP headers
listed in
   this section, URLScan will reject the request
 - [AllowExtensions] and [DenyExtensions]: This section defines the file
   extensions permitted by URLScan
 - [DenyURLSequences]: URLScan will reject HTTP requests containing a string
   appearing in this section

UseAllowExtensions=0
   If this option is set to 1, URLScan will only permit requests for files
with
   extensions listed in the [AllowExtensions] section. It will block
requests
   for any other files. If this option is set to 0 (the default), URLScan
will
   block requests for file extensions listed in the [DenyExtensions]
section but
   will permit requests for any other file extensions.

If you are using allow extensions, you need to add.exe
if you are using deny extensions, you need to remove .exe
Susan Hayden
IIS Newsgroup Support

Please do not send email directly to this alias. This is our online account
name for newsgroup participation only.

If you would like to open a support incident with Microsoft, call
1-800-936-5800

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.

Please remember to subscribe to our security bulletins at
<http://www.microsoft.com/technet/security/notify.asp>

Relevant Pages

  • Re: Stopping IIS from serving certain file types
    ... URLScan is the way to go for blocking files with certian file extensions. ... can configure URLScan to reject requests for .exe files to prevent Web ... below to view the article in the Microsoft Knowledge Base: ...
    (microsoft.public.inetserver.iis.security)
  • Re: webexception 404
    ... has the IIS Lockdown tool been run on the server. ... In my case the UrlScan utility was preventing the request from being ... requests though, but when I figure it out I'll post it here. ... > client are passed from the webservice A to another Webservice, ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • Re: Downloading executables from IIS
    ... >You need to edit the .ini file for URLScan to allow .exe ... requests for files ... > extensions listed in the section. ... > will permit requests for any other file extensions. ...
    (microsoft.public.inetserver.iis.security)
  • Re: UrlScan question
    ... >Hi Erik, ... >UrlScan log file to see if "good" requests have been ... >> installer will set it ... >>>> not allow requests like this one below. ...
    (microsoft.public.inetserver.iis.security)
  • Re: URLSCAN makes pages with integrated authentication very slow
    ... Because since I have done this with the server header remove, ... Performance of authenticated requests is the ... >> and without URLScan from your machine. ... > As you can see in the IIS log file, there are a few requests that are ...
    (microsoft.public.inetserver.iis.security)