Re: IIS Lock down tool configuration
From: Lis'a Johnson (email@example.com)
From: "Lis'a Johnson" <firstname.lastname@example.org>
Date: Mon, 14 Apr 2003 03:10:47 -0700
Looks like you can deny all but then write exceptions
based on the default value (See information below). Am I
interpreting this correctly?
Thanks for the help:)
The [AllowExtensions] and [DenyExtensions] Sections
Most files have a file name extension that identifies what
kind of file they are. For example, file names for Word
documents typically end in .doc, HTML file names typically
end in .htm or .html, and plain text file names typically
end in .txt. The [AllowExtensions] and [DenyExtensions]
sections permit you to define extensions that URLScan will
block. For example, you can configure URLScan to reject
requests for .exe files to prevent Web users from
executing applications on your system.
Both the [AllowExtensions] and the [DenyExtensions]
sections have the same syntax. They are made up of a list
of file name extensions, and each extension appears on its
own line. The extension starts with a period (.) (for
URLScan decides which section to use based on the value of
UseAllowExtensions in the [Options] section. By default,
this option is set to 0. If UseAllowExtensions is set to
0, URLScan only denies requests for file name extensions
that are listed in the [DenyExtensions] section. Any file
name extensions that are not listed in this section are
permitted. The [AllowExtensions] section is ignored.
If UseAllowExtensions is set to 1, URLScan denies requests
for any file name extensions that are not explicitly
listed in the [AllowExtensions] section. Only requests for
a file name extension that is listed in that section are
permitted. The [DenyExtensions] section is ignored.
>If it's URLScan causing the problem, read URLScan.log to see what is being
>blocked and then edit urlscan.ini to allow the file, method or file
>extension, then restart IIS.
>If you actually installed IIS Lockdown instead of just
>installing URLScan, then there could be some other things
>problems. IIS Lockdown does have an uninstaller, and if necessary you can
>re-run the IIS Lockdown install program to uninstall it.
>"Lis'a Johnson" <email@example.com> wrote
>> Good afternoon, all:
>> I used IIS Lockdown tool and selected the URLSCAN
>> feature. Unfortunately, I have an exe script for some
>> forms that gives the user a feedback html form via the
>> browser, a custom email response and emails the data of
>> the form to the designated department for action. This
>> script needs to run on our Internet site which is set up
>> for anonymous users, but I can't configure this darn
>> to allow this script to run unimpeded. It seems like
>> all or nothing. I do like the security features that it
>> offers, but I need more control over it.
>> Any suggestions would be much appreciated.
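
Added example, not part of the original thread and not URLScan's own code: a small Python model of the UseAllowExtensions rule quoted above, showing which section decides a request in each mode. The sample urlscan.ini contents and request paths are constructed, and taking the extension from the last period of the URL path (compared case-insensitively) is a simplifying assumption.

```python
import configparser
import posixpath
from urllib.parse import urlsplit

# Constructed sample configuration (not from the thread).
SAMPLE_INI = """\
[Options]
UseAllowExtensions=0

[AllowExtensions]
.htm
.html
.exe

[DenyExtensions]
.exe
.bat
.cmd
"""

def load_rules(ini_text):
    """Return (use_allow, allow_set, deny_set) from urlscan.ini-style text."""
    cp = configparser.ConfigParser(allow_no_value=True)  # bare ".ext" lines
    cp.read_string(ini_text)
    use_allow = cp.getint("Options", "UseAllowExtensions", fallback=0)
    allow = set(cp["AllowExtensions"]) if cp.has_section("AllowExtensions") else set()
    deny = set(cp["DenyExtensions"]) if cp.has_section("DenyExtensions") else set()
    return use_allow, allow, deny

def decide(url, use_allow, allow, deny):
    """Model of the quoted rule: only one section is consulted per mode."""
    # Assumption: extension = text from the last period of the URL path.
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if use_allow == 1:
        return "permit" if ext in allow else "deny"   # [DenyExtensions] ignored
    return "deny" if ext in deny else "permit"        # [AllowExtensions] ignored

def evaluate(ini_text, urls, use_allow=None):
    """Decide each URL; use_allow overrides the value in [Options] if given."""
    configured, allow, deny = load_rules(ini_text)
    mode = configured if use_allow is None else use_allow
    return {u: decide(u, mode, allow, deny) for u in urls}

# Constructed request paths.
URLS = ["/scripts/form.exe", "/index.html", "/tools/run.bat", "/report.pdf"]

if __name__ == "__main__":
    for mode in (0, 1):
        print("UseAllowExtensions =", mode, evaluate(SAMPLE_INI, URLS, mode))
```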