Re: URLScan List

From: BB (qbernard_at_hotmail.com)
Date: 06/12/03


Date: Thu, 12 Jun 2003 14:34:24 +0800


Alternately, why use [DenyExtensions]?
Use [AllowExtensions] to specify allowed ext?
Those not in the list will be denied.

Check out the UseAllowExtensions setting.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:eq1ExcpLDHA.452@TK2MSFTNGP11.phx.gbl...
> This all does really depend on what you are hosting out from
> the box in question.  If you search in TechNet somewhere in
> association with Front Page Server Extensions and URLscan
> there is a sample URLscan.ini with some inlined comments
> that may give you ideas.  IIRC it includes in its extension deny
> list things like .asa .mdb etc.
> Is it that hard for you to inventory your content to obtain the
> list of extensions that would be seen in URLs ?
>
> > Would that be enough ? Is it risky if we specify the deny
> > extension only ?
> ?? by that do you mean you intend to use neither the allow
> nor the deny Verbs  ??   Why not ??
> Also, negative specification leaves all extensions not explicitly
> denied active - which is weaker than stating what are allowed.
>
> "Perseus" <perseus_medusa@hotmail.com> wrote in message
> news:075a01c32e7f$e4e14a40$a401280a@phx.gbl...
> > Hi all ,
> >
> >     I am implementing URLscan on our IIS 4.0 web server.
> > It seems that URLScan blocked many JavaScript functions
> > if we specify the "Allow Extension", so we are thinking of
> > specifying the "Deny Extension" which includes:
> >
> > .dll ,ida, .pl, .exe, .bat, .cmd, .com, .htw, .ida , .idq ,
> >  .htr , .idc , .log, .pol, .dat, .printer
> >
> > Would that be enough ? Is it risky if we specify the deny
> > extension only ?
> >
> > Thanks.
> >
> > Perseus
>
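
The content inventory suggested in the quoted reply, as an added example that is not part of the original thread: it walks a web root, lists the extensions a deny-only configuration would still serve, and emits an [AllowExtensions] fragment built from what the site actually contains. The function names, the NEVER_SERVE set and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Deny list as posted in the thread (leading dot restored on "ida").
POSTED_DENY = {".dll", ".ida", ".pl", ".exe", ".bat", ".cmd", ".com", ".htw",
               ".idq", ".htr", ".idc", ".log", ".pol", ".dat", ".printer"}
# Assumption: also never served, per the .asa/.mdb examples in the reply.
NEVER_SERVE = POSTED_DENY | {".asa", ".mdb"}

def inventory_extensions(web_root):
    """Count lower-cased file extensions found under web_root."""
    counts = Counter()
    for _dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext:                      # extensionless files are skipped here
                counts[ext] += 1
    return counts

def deny_list_gaps(counts, deny=POSTED_DENY):
    """Extensions on disk that a deny-only configuration would still serve."""
    return sorted(e for e in counts if e not in deny)

def build_allow_config(counts, never_serve=NEVER_SERVE):
    """Return (urlscan.ini fragment, extensions held back for manual review)."""
    allowed = sorted(e for e in counts if e not in never_serve)
    held_back = sorted(e for e in counts if e in never_serve)
    lines = ["[options]", "UseAllowExtensions=1", "", "[AllowExtensions]"]
    return "\n".join(lines + allowed) + "\n", held_back

def demo():
    """Run the inventory over a constructed sample web root."""
    names = ["index.htm", "menu.js", "style.css", "img/logo.GIF",
             "global.asa", "data/site.mdb", "scripts/tool.exe"]
    with tempfile.TemporaryDirectory() as root:
        for rel in names:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        counts = inventory_extensions(root)
    return deny_list_gaps(counts), build_allow_config(counts)

if __name__ == "__main__":
    gaps, (ini_text, held_back) = demo()
    print("Served under deny-only:", gaps)
    print("Held back for review:", held_back)
    print(ini_text)
```

Extensions in the held-back list are left out of the generated fragment; whether any of them must be served (for example an ISAPI .dll) is a decision for whoever knows the site.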

