Re: What is the URLScan Rejection Response?

From: Wade A. Hilmo [MS] (wadeh@microsoft.com)
Date: 10/25/02


From: "Wade A. Hilmo [MS]" <wadeh@microsoft.com>
Date: Fri, 25 Oct 2002 08:07:22 -0700


Hi Ken and Clinton,

You can customize the response that UrlScan sends when it rejects a request.
You need to set "UseFastPathReject=0", and then set the URL for the reject
page like, for example, "RejectResponseUrl=/MyRejectPath.htm". You can even
set RejectResponseUrl to an ASP page or ISAPI extension, and then have that
page contain your own custom code to run when UrlScan rejects a request.
When UrlScan redirects the request to the reject page, it adds several
custom headers that your code could use to determine why the request is
being rejected. The headers should be documented along with
RejectResponseUrl in the UrlScan.doc file.

As for being conscientious, UrlScan returns a 404 specifically so that it
does not reveal any information about your server to a potential hacker. A
404 is what happens if there is no page associated with the URL. Another
response would, at the very least, tell the hacker that something is there.
If you were to return detailed information about why the request was
rejected, you'd be helping out a hacker by giving them details of your
configuration. Remember that if UrlScan is rejecting a request, it's
because you've effectively told it that you don't want them served. There's
not much reason to tell users how to get it to work. The UrlScan log file
can be used by the administrator of the server to get very detailed
information as to why the request was rejected.

One unfortunate truth is that giving out more information in order to help
legitimate users also provides help to others that you may not want there.

Thank you,
-Wade Hilmo,
-Microsoft

"Ken Schaefer" <kenRMV@THISadOpenStatic.com> wrote in message
news:#y9O3e8eCHA.2592@tkmsftngp09...
> a) Yes
>
> b) Depends...if most of the URLScan rejections are being caused by attacks
> from other infected webservers, why waste bandwidth sending back a nice 404
> page that no one's ever going to see? On the other hand, you might be
> running OWA (or something), in which case it might be nice to tell your
> users that the reason they can't open a particular mail message is because
> the subject line contains certain non-allowed character combinations...
>
> Cheers
> Ken
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "clintonG" <csgallagher@REMOVETHISTEXTwi.rr.com> wrote in message
> news:OmpGQH7eCHA.392@tkmsftngp09...
> > Would a 404 be returned?
> >
> > How would a conscientious web master display a custom
> > response?
> >
> >
> > --
> > <%= Clinton Gallagher
> > A/E/C Consulting, Web Design, e-Commerce Software Development
> > Wauwatosa, Milwaukee County, Wisconsin USA
> > NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
> > URL http://www.metromilwaukee.com/clintongallagher/
> >
> > LaGarde StoreFront 5 Affiliate: e-Commerce Software Development
> > SEE: http://www.storefront.net/default.asp?REFERER=-201499070
> >
> >
> >
> >
>
>

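The custom reject page Wade describes, written out as an added example (not code from the thread or from UrlScan itself): it follows his advice by answering a plain 404 to the client while keeping the rejection detail on the server side. The `HTTP_URLSCAN_*` server-variable names and the `/MyRejectPath.asp` path are assumptions taken from the UrlScan.doc description of RejectResponseUrl; check them against your UrlScan version.

```asp
<%@ Language=VBScript %>
<% Option Explicit
' Added example: UrlScan reject page. Wire it up in UrlScan.ini with
'   UseFastPathReject=0
'   RejectResponseUrl=/MyRejectPath.asp
' Assumption: UrlScan passes the rejection details to this page as the
' three server variables read below (names per UrlScan.doc; verify).
Dim status, origVerb, origUrl, detail
status   = Request.ServerVariables("HTTP_URLSCAN_STATUS_HEADER")
origVerb = Request.ServerVariables("HTTP_URLSCAN_ORIGINAL_VERB")
origUrl  = Request.ServerVariables("HTTP_URLSCAN_ORIGINAL_URL")

' Always answer 404, whether UrlScan redirected here or someone
' requested this page directly, so the response never becomes an
' oracle for what UrlScan is filtering.
Response.Status = "404 Not Found"
Response.ContentType = "text/html"
Response.CacheControl = "no-cache"

' Keep the detail for the administrator only: append it to the IIS log
' entry (UrlScan's own log records the reason as well). Commas are
' log field separators and IIS 5 caps the appended string at 80 chars.
If Len(status) > 0 Then
    detail = "urlscan-reject " & status & " " & origVerb & " " & origUrl
    detail = Replace(detail, ",", "%2C")
    Response.AppendToLog Left(detail, 80)
End If
%>
<html>
<head><title>404 Not Found</title></head>
<body>
<h1>The page cannot be found</h1>
<p>The page you are looking for might have been removed, had its name
changed, or is temporarily unavailable.</p>
</body>
</html>
```

The body deliberately matches what IIS says for a genuinely missing page, so a rejected URL and a nonexistent URL look the same from outside.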