Re: URLScan List

From: BB (qbernard_at_hotmail.com)
Date: 06/12/03


Date: Thu, 12 Jun 2003 14:34:24 +0800


Alternately, why use [DenyExtensions]?
use [AllowExtensions] to specify allowed ext ?
those not in the list will be denied.

check out the UseAllowExtensions setting.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:eq1ExcpLDHA.452@TK2MSFTNGP11.phx.gbl...
> This all does really depend on what you are hosting out from
> the box in question.  If you search in TechNet somewhere in
> association with Front Page Server Extensions and URLscan
> there is a sample URLscan.ini with some inlined comments
> that may give you ideas.  IIRC it includes in its extension deny
> list things like .asa .mdb etc.
> Is it that hard for you to inventory your content to obtain the
> list of extensions that would be seen in URLs ?
>
> > Would that be enough ? Is it risky if we specify the deny
> > extension only ?
> ?? by that do you mean you intend to use neither the allow
> nor the deny Verbs  ??   Why not ??
> Also, negetive specification leaves all extensions not explicitly
> denied active - which is weaker than stating what are allowed.
>
> "Perseus" <perseus_medusa@hotmail.com> wrote in message
> news:075a01c32e7f$e4e14a40$a401280a@phx.gbl...
> > Hi all ,
> >
> >     I am implementing URLscan on our IIS 4.0 web server.
> > As it seems that url scan blocked many javascript function
> > if we specify the "Allow Extension". So we are thinking of
> > specifying the "Deny Extension" which includes :
> >
> > .dll ,ida, .pl, .exe, .bat, .cmd, .com, .htw, .ida , .idq ,
> >  .htr , .idc , .log, .pol, .dat, .printer
> >
> > Would that be enough ? Is it risky if we specify the deny
> > extension only ?
> >
> > Thanks.
> >
> > Perseus
> >
> >
> >
> >
>
>