Re: UrlScan question

From: David Wang [MS] (someone@online.microsoft.com)
Date: 11/28/02


From: "David Wang [MS]" <someone@online.microsoft.com>
Date: Wed, 27 Nov 2002 15:46:34 -0800


URLScan 2.5 is offered with two configurations, a more "relaxed" version and
a more "paranoid" version.

There is frequently a compromise between security and functionality.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Erik" <Erik@nospam.com> wrote in message
news:1b0a301c29652$92601410$89f82ecf@TK2MSFTNGXA01...
Wade,
Hey, thanks for the good help.  You fully answered my
question.  I have customized it to my liking now.  I did
scale down the numbers quite a bit, and still allow it to
work for us.  I am surprised that they are so high, "out
of the box", but maybe I am missing something.
Much thanks.
Erik
>-----Original Message-----
>Hi Erik,
>
>You are allowing a maximum URL length of 16k (16384 bytes).  This is why the
>request is getting served.
>
>Unless you have something installed that requires long URLs, you can set
>this value much lower.  I actually have mine set to 260 (which is the
>maximum allowed length of a file path in most cases).  Note that this
>setting refers only to the URL, not the query string, and not the server
>name.  So in the below URL, it applies only to "/someurl.asp":
>
>   http://server/someurl.asp?some-query-string
>
>Some clients (I believe IE, included) set a maximum of 2048 bytes for the
>URL, including query string (at least they used to - it's been a while since
>I worked closely with the client).
>
>Try setting yours lower and see how things work.  You can always check the
>UrlScan log file to see if "good" requests have been rejected, and adjust it
>accordingly.  Generally, you really only need to handle very long URLs if
>you have some software installed where the URLs don't correspond to paths
>(for example, Exchange puts mail subjects into the URL, so it can see some
>legitimate long URLs).
>
>Thank you,
>-Wade Hilmo,
>-Microsoft
>
>"Erik" <Erik@nospam.com> wrote in message
>news:1ac0d01c29649$2901fb90$8af82ecf@TK2MSFTNGXA03...
>> Wade,
>>
>> Thanks for the info.  It's interesting, because I have
>> version 2.5 installed with the default settings, and it
>> did not kill the GET cmd. listed below.  I figured that it
>> would, maybe it's not long enough.
>>
>> Anyhow, I thought I would post my [RequestLimits] section
>> below just to make sure that this is what you recommend.
>>
>> Thanks
>>
>> Erik
>>
>> MaxAllowedContentLength=2000000000
>> MaxUrl=16384
>> MaxQueryString=4096
>> >-----Original Message-----
>> >Hi Erik,
>> >
>> >Make sure that you are using the latest UrlScan.dll (which is included with
>> >the Lockdown Tool version 2.5 update), and then add the following line to
>> >the [RequestLimits] section of the UrlScan.ini file (where x is the largest
>> >URL - not including the query string - that you want to allow).  The
>> >built-in default for this value is 260 (which is MAX_PATH), but this is
>> >pretty restrictive.  I believe that the Lockdown Tool installer will set it
>> >to 4096:
>> >
>> >MaxUrl=x
>> >
>> >I hope this helps,
>> >-Wade Hilmo,
>> >-Microsoft
>> >
>> >"Erik" <Erik@nospam.com> wrote in message
>> >news:1a8ed01c2963c$f7743ef0$8df82ecf@TK2MSFTNGXA02...
>> >> I would like to know how to change the Urlscan.ini file to
>> >> not allow requests like this one below.  Currently, I am
>> >> pretty much using the default settings and these requests
>> >> can come through.
>> >>
>> >> Thanks for any help.
>> >>
>> >> Erik
>> >>
>> >> 2002-11-26 18:27:59 x.x.x.x - x.x.x.x 80
>> >> GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANNNN - 414 Mozilla
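As an added example (not code from this thread, and not UrlScan's own implementation), the following Python models how the three [RequestLimits] values discussed above are applied to a request line, using the semantics Wade describes: MaxUrl is measured against the URL path only (no query string, no server name), MaxQueryString against the query string, and MaxAllowedContentLength against the body. It shows why a URL of a few thousand bytes like the one in Erik's log passes with MaxUrl=16384 but is rejected at 260. Assumptions: the tightened MaxAllowedContentLength and MaxQueryString values, the sample request lines and the INI reader are constructed for illustration, the order in which the limits are checked is a guess, and lengths are counted in characters (equal to bytes for these ASCII requests).

```python
"""Added example, not code from the thread or from UrlScan itself.

It models the [RequestLimits] semantics Wade Hilmo describes in the
thread: MaxUrl is checked against the URL path only (no query string,
no server name), MaxQueryString against the query string, and
MaxAllowedContentLength against the request body.  The INI text, the
request lines and the tightened limit values are constructed for the
example; the INI reader is a stand-in for UrlScan's own parser, and
lengths are counted in characters, which equals bytes for the ASCII
requests used here.
"""
import configparser
from urllib.parse import urlsplit

# The [RequestLimits] section exactly as Erik posted it.
ERIK_INI = """\
[RequestLimits]
MaxAllowedContentLength=2000000000
MaxUrl=16384
MaxQueryString=4096
"""

# A tightened section.  MaxUrl=260 is the value Wade runs with; the other
# two values are assumptions chosen for illustration, not recommendations
# from the thread.
TIGHT_INI = """\
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
"""

# Constructed stand-in for the request in Erik's log: a path of a few
# thousand 'A's followed by "NNNN".
LONG_REQUEST = "GET /" + "A" * 3095 + "NNNN HTTP/1.0"


def load_request_limits(ini_text):
    """Parse [RequestLimits] into {name: int}, keeping UrlScan's key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case MaxUrl etc.
    cp.read_string(ini_text)
    return {name: int(value) for name, value in cp["RequestLimits"].items()}


def split_request_line(request_line):
    """Return (method, path, query) for 'METHOD target HTTP/x.y'.

    urlsplit drops any scheme and host from an absolute target, so the
    server name never counts toward MaxUrl, matching Wade's description.
    """
    method, target = request_line.split(" ")[:2]
    parts = urlsplit(target)
    return method, parts.path, parts.query


def check_request(limits, request_line, content_length=0):
    """Return None if the request is within limits, else the limit it breaks.

    Checks run in the order MaxUrl, MaxQueryString, MaxAllowedContentLength
    (an assumption about ordering; only one failure is reported).
    """
    _, path, query = split_request_line(request_line)
    if len(path) > limits["MaxUrl"]:
        return "MaxUrl"
    if len(query) > limits["MaxQueryString"]:
        return "MaxQueryString"
    if content_length > limits["MaxAllowedContentLength"]:
        return "MaxAllowedContentLength"
    return None


def compare_configs(request_line, content_length=0):
    """Evaluate one request under Erik's limits and the tightened ones."""
    return {
        "erik": check_request(load_request_limits(ERIK_INI), request_line, content_length),
        "tight": check_request(load_request_limits(TIGHT_INI), request_line, content_length),
    }


if __name__ == "__main__":
    samples = [
        LONG_REQUEST,
        "GET http://server/someurl.asp?some-query-string HTTP/1.1",
        "GET /someurl.asp?" + "q" * 3000 + " HTTP/1.1",
    ]
    for req in samples:
        label = req[:60] + ("..." if len(req) > 60 else "")
        print(label, compare_configs(req))
```

Running it shows the long-path request rejected only under the tightened MaxUrl, the query-heavy request rejected only by MaxQueryString, and the short absolute URL accepted by both, which is the split Wade describes between path, query string and server name.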