Re: Downloading executables from IIS

From: Tihomir Vlahovski (support@r-system.com)
Date: 07/29/02 

From: "Tihomir Vlahovski" <support@r-system.com>
Date: Mon, 29 Jul 2002 00:28:07 -0700

10x Susan

>-----Original Message-----
>You need to edit the .ini file for URLScan to allow .exe
>
>
>All configuration of URLScan is done through the
URLScan.ini file, which is
>located in the %WINDIR%\System32\Inetsrv\URLscan folder.
To configure
>URLScan,
>simply open this file in a text editor such as Notepad,
make the appropriate
>changes, and save the file. You will need to restart IIS
for your changes to
>take effect.
>
>The URLScan.ini file contains a couple of sections:
>
> - [Options]: General URLScan options
> - [AllowVerbs] and [DenyVerbs]: This section defines the
verbs (also known
>as
> HTTP methods) permitted by URLScan
> - [DenyHeaders]: If an HTTP request contains one of the
HTTP headers
>listed in
> this section, URLScan will reject the request
> - [AllowExtensions] and [DenyExtensions]: This section
defines the file
> extensions permitted by URLScan
> - [DenyURLSequences]: URLScan will reject HTTP requests
containing a string
> appearing in this section
>
>UseAllowExtensions=0
> If this option is set to 1, URLScan will only permit
requests for files
>with
> extensions listed in the [AllowExtensions] section. It
will block
>requests
> for any other files. If this option is set to 0 (the
default), URLScan
>will
> block requests for file extensions listed in the
[DenyExtensions]
>section but
> will permit requests for any other file extensions.
>
>If you are using allow extensions, you need to add.exe
>if you are using deny extensions, you need to remove .exe
>Susan Hayden
>IIS Newsgroup Support
>
>Please do not send email directly to this alias. This is
our online account
>name for newsgroup participation only.
>
>If you would like to open a support incident with
Microsoft, call
>1-800-936-5800
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>You assume all risk for your use. © 2001 Microsoft
Corporation. All rights
>reserved.
>
>Please remember to subscribe to our security bulletins at
><http://www.microsoft.com/technet/security/notify.asp>
>
>.
>

Relevant Pages

  • Re: URLSCAN on IIS6 config
    ... URLScan isn't rejecting it based on ".", it's rejecting the URL because you ... on IIS6 because it is not as good as the built-in support of IIS6. ... Web Service Extensions allow you control of which binaries can ...
    (microsoft.public.inetserver.iis)
  • Re: Stopping IIS from serving certain file types
    ... URLScan is the way to go for blocking files with certian file extensions. ... can configure URLScan to reject requests for .exe files to prevent Web ... below to view the article in the Microsoft Knowledge Base: ...
    (microsoft.public.inetserver.iis.security)
  • RE: URLScan
    ... that he is experiencing the download bug within urlscan that makes certain ... not related to blocked extensions. ... | knowledge of web servers and I'm not sure how I can edit the urlscan ...
    (Security-Basics)
  • URLSCAN on IIS6 config
    ... in the allow extensions settings ... >I am having some problems getting URLScan 2.5 running ... >Request will be rejected. ... Extensions listed here are commonly used on a typical ...
    (microsoft.public.inetserver.iis)
  • Re: Downloading executables from IIS
    ... All configuration of URLScan is done through the URLScan.ini file, ... If this option is set to 1, URLScan will only permit requests for files ... extensions listed in the section. ...
    (microsoft.public.inetserver.iis.security)